The European Banking Authority (EBA) has clarified what ASPSPs will need to demonstrate to avoid having to provide a fallback mechanism through which third parties can access payment account information to service their customers.
The EBA's final guidelines (116-page / 1.13MB PDF) expand on rules set out in the EU's second Payment Services Directive (PSD2) and accompany regulatory technical standards on ‘strong customer authentication and common and secure open standards of communication’.
PSD2, which took effect earlier this year, provides new rights to account information service providers (AISPs) and payment initiation service providers (PISPs) to access payment accounts, like current accounts, and statement details, as well as other account information, held by banks and other ASPSPs where customers consent to such access. The detailed requirements on third party access are contained in the 'strong customer authentication' standards.
The standards were written into EU law in March, but the majority of the provisions will not apply until 14 September 2019. ASPSPs must either enable third party access to the data through the customer's normal online banking websites, or alternatively develop a new 'dedicated interface' (API) for that purpose.
A range of safeguards are outlined in the standards to ensure that the access rights of AISPs and PISPs are respected, including that ASPSPs provide a fallback option to ensure AISPs and PISPs can exercise their access rights where the normal interface they use is down or underperforming. However, ASPSPs do not have to provide a fallback if they benefit from an exemption.
ASPSPs can benefit from an exemption if their dedicated interface fulfils a number of conditions, including that it "offers at all times the same level of availability and performance, including support, as the interfaces made available to the payment service user for directly accessing its payment account online".
Other conditions on exemption include that the dedicated interface meets stipulated standards on design and testing, and that ASPSPs can show it has been "widely used for at least three months by payment service providers to offer account information services, payment initiation services and to provide confirmation on the availability of funds for card-based payments". Any problems related to the dedicated interface must also have been resolved "without undue delay".
In June, the EBA consulted on draft guidance that provided further detail on what ASPSPs must do to satisfy the criteria for exemption.
The EBA has now finalised the guidance, clarifying the information that ASPSPs must share with regulators to support their case for an exemption.
According to the EBA, ASPSPs must provide regulators with "a summary of the results of the testing", as well as a copy of "the feedback received" from the third parties that participated in the testing and "the issues identified and a description of how these issues have been addressed".
The final guidance has also explained what ASPSPs must evidence to prove their dedicated interface has been widely used for at least three months by third parties.
"In assessing whether an ASPSP fulfils the ‘wide usage' condition, CAs (competent authorities) should take into account not only the number of TPPs (third party providers) that have used the ASPSP's production interface but also additional factors, including how much the interface has been used by TPPs, the steps that the ASPSP has taken to achieve ‘wide usage', the feedback received by the ASPSP from the TPPs that have participated in the testing and how any issues identified have been resolved," the EBA said in a statement.
The EBA said the three-month period for demonstrating 'wide usage' can "run concurrently with the testing" phase for the interfaces.
ASPSPs must publish data on the availability and performance of their interfaces. According to the EBA, the data should be published "in a way that enables TPPs and PSUs (payment service users) to compare the daily availability and performance of the dedicated interface with the availability and performance of each of the interfaces made available by the ASPSP to its own PSUs".
Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: "If an ASPSP is not well advanced in preparing for this, with live APIs in the market, perhaps as a UK Open Banking user, then the chance of it hitting the application deadline to benefit from this exemption from the point that the new rules first apply in September 2019 date is slim."
"The rules continue the journey of regulators in this space getting into the guts of the technology that powers the industry, looking at how that works and the performance KPIs that it must meet," he said.
According to Financial Conduct Authority (FCA) figures, there are more than 1,000 ASPSPs that currently operate in the UK. The FCA has given those businesses until 14 June 2019 to apply for an exemption from the fallback mechanism obligation.