Things have gone a little quiet on PSD2, so it’s probably a good time to review the state of play.
Back to the beginning (briefly)
The European Banking Authority was mandated by the European Commission to draw up the standards around the implementation of PSD2. The work officially started on January 13th 2016, though preparatory work was done in advance.
The focus in the market throughout 2016 was on the Regulatory Technical Standards (RTS) on Strong Authentication & Secure Communication, but the EBA has actually been charged with creating 6 sets of Regulatory Technical Standards, 5 sets of Guidelines and a Register.
Why was the focus on just one set of RTSs?
One practical reason was that the EBA decided to take a rolling approach to the development of the RTSs. This meant that since the RTSs on Strong Authentication & Secure Communication were one of the first they started, they were also one of the first they finished.
More importantly, these RTSs were expected to provide an understanding of the nuts and bolts of how PSD2 might be implemented, especially for the new Third Party Providers – the Account Information Service Providers (AISPs) and the Payment Initiation Service Providers (PISPs) – who are of particular interest to those operating in the Fintech space.
Have the RTSs on Strong Authentication & Secure Communication been finalised?
Yes. The EBA produced its final draft and submitted it to the European Commission for approval on February 23rd this year. This was over a month past their own deadline for completion because of the huge level of feedback they had received – and had to process – on the Consultation Paper.
Why was there such a big response?
While there were over 330 feedback points raised, a couple of particular issues were viewed as serious concerns by those operating across payments.
The first was on the authentication limit for remote payments. The Consultation Paper had suggested that the limit for remote payments would be €10, above which two-factor authentication would be required. This would create issues for one-click checkout and build what was considered to be unnecessary friction into the online shopping experience. The final draft raised this limit to €30.
The second issue was on risk-based authentication. The card networks have invested heavily in identifying potential fraud using transaction analysis. The Consultation Paper had proposed that this analysis could only be supplementary to two-factor authentication, but could not substitute for it. The final draft agreed to an 18-month review period in which risk analysis will be allowed to substitute for two-factor authentication. A related exemption to two-factor authentication will also apply to ‘unattended terminals’ such as those found in car-parks and cinemas.
Feedback aside, what do the RTSs actually mandate?
The curious thing, in my opinion, is that these Regulatory Technical Standards are very light on anything approaching ‘Technical’ or ‘Standard’. In fact, one of the few standards mandated in the Consultation Paper – ISO27001 – was removed in the final draft to ensure ‘technological neutrality’. The document might more appropriately be called ‘Regulatory Principles on Strong Authentication & Secure Communication’.
Regardless, some mandates did make it in. Fundamental to the Strong Authentication RTSs is the requirement for Two Factor Authentication (TFA), except:
- For contactless payments of less than €50
- For remote payments of less than €30
- Where appropriate transaction risk analysis has been undertaken
Periodic TFA is still required even if all individual transactions qualify for exemption. The regulations include more ifs, ands and buts but that’s essentially the gist.
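As an added illustration (not code from the original post), the exemption rules summarised above expressed as a decision function. The €50 and €30 thresholds, the risk-analysis exemption and the unattended-terminal exemption are as stated here; the text does not say how often the periodic TFA must happen, so the run limit in the code is an assumption for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Exemption thresholds from the final draft RTS, as summarised above.
CONTACTLESS_LIMIT_EUR = 50.0
REMOTE_LIMIT_EUR = 30.0
# The text only says periodic TFA is still required; how often is not given.
# ASSUMPTION for this example: force TFA once 5 consecutive payments have
# been exempted. The real interval is a policy choice, not a fact from the page.
ASSUMED_MAX_EXEMPT_RUN = 5


@dataclass
class Payment:
    channel: str            # "contactless", "remote", "unattended" or "other"
    amount_eur: float
    risk_analysis_passed: bool = False  # issuer's transaction risk analysis


def exemption_reason(p: Payment) -> Optional[str]:
    """Return why p is exempt from two-factor authentication, or None."""
    if p.channel == "contactless" and p.amount_eur < CONTACTLESS_LIMIT_EUR:
        return "contactless below EUR 50"
    if p.channel == "remote" and p.amount_eur < REMOTE_LIMIT_EUR:
        return "remote below EUR 30"
    if p.channel == "unattended":
        return "unattended terminal"
    if p.risk_analysis_passed:
        return "transaction risk analysis"
    return None


def decide(p: Payment, exempt_run: int) -> Tuple[bool, str]:
    """Decide whether TFA is required for p.
    exempt_run: number of consecutive payments already exempted for this user."""
    reason = exemption_reason(p)
    if reason is None:
        return True, "no exemption applies"
    if exempt_run >= ASSUMED_MAX_EXEMPT_RUN:
        return True, "periodic TFA (assumed run limit reached)"
    return False, reason


def process(payments: List[Payment]) -> List[Tuple[bool, str]]:
    """Run one user's payment sequence through decide(), resetting the
    exempt-run counter whenever TFA is actually performed."""
    decisions, run = [], 0
    for p in payments:
        tfa, why = decide(p, run)
        run = 0 if tfa else run + 1
        decisions.append((tfa, why))
    return decisions
```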
The interesting part of the Secure Communication piece (beside the security aspects!) is what it will mean for how the AISPs and PISPs will access customer accounts. Early in the consultation process some banks were promoting the idea of a central body that would manage and operate the rules around access. The advantage of this approach for the new Third Party Providers would have been a single set of APIs to integrate with, giving them access to all customer accounts in all banks (in theory at least). The fintechs were nervous of this approach, believing that the banks might under-resource this central body to an extent that it might be slow and suffer regular technical problems, thus rendering their service unattractive to customers.
As a result, the EBA decided in their Final Draft that individual banks should each provide a dedicated communication interface for Third Party Providers, which must provide the same speed of access and reliability that is offered directly to their own customers. This addresses the concerns identified above, but it does mean that every bank will now expose their own set of APIs, so Third Party Providers will have a lot of integrating to do to provide their services. More worryingly for existing TPPs, the Final Draft sprung a surprise on them: that screen-scraping (or Direct Access as TPPs call it) will be banned. This has caused much concern among Fintechs as it will render their existing processes and technologies illegal, leaving them with no choice but to face the challenge of integrating with banks’ APIs.
What about the other 5 RTSs, 5 Guidelines and the Register that the EBA are mandated to prepare?
They are all proceeding. Some are quite specific such as the RTS on Central Contact Points (the final draft of which has now gone to public consultation), but another interesting one for fintechs is the Guidelines on Authorisation and Registration of AISPs and PISPs. The Consultation Paper was released in November 2016 and is currently in the feedback process.
The guidelines give companies who are planning to become TPPs a good idea of the process they will have to go through. There are no major surprises – the draft requirements for AISPs focus on:
– Security, governance, access to data and business continuity etc
– The company, its directors and owners etc
– A business plan
Given that they will have the power to move users’ funds, PISPs will also have to cover issues around money laundering, fraud and measures to safeguard users’ funds.
The consultation period ran until February of this year, and the EBA are currently processing the feedback – so we should hear more soon.