EC extends PSD2 RTS payment standards deadline
29 November 2017
The European Commission (EC) has given European banks and PSPs an extra 18 months to adopt new security measures and provisions for customer data exchange outlined in the Regulatory Technical Standards (RTS) of the second EU Payment Services Directive (PSD2).
The European Union’s PSD2 regulation covering payment service providers (PSPs) comes into effect on 13 January 2018. It is designed to encourage innovative financial technology (FinTech) newcomers, competition from non-bank players and to increase choice and efficiency in the European payments marketplace via open banking and data stipulations that rely upon shared, protected application programming interfaces (APIs).
Two of the most controversial measures in PSD2 concern stricter security requirements for payment transactions and the abolition of so-called ‘screen scraping’. These will now only become enforceable 18 months after the relevant RTS rules are published in the Official Journal of the EU, which on the Commission’s timetable points to September 2019, giving banks more time to comply with the most difficult aspects of the regulation.
The EC statement says that “payment market players need this transition period to upgrade their security systems so they meet the RTS requirements”. It adds that this “means the PSD2 provisions on strong customer authentication (SCA) and on secure communication, which are directly specified in the RTS, will not apply immediately.”
Confirmation of the RTS changes will have to wait up to three months, however, as the European Parliament and Council – the member states, as opposed to the EC executive – must first scrutinise and approve the RTS before it is placed on the statute book alongside the rest of PSD2.
The revised PSD2 RTS rules mean that in most cases a password or the details printed on a plastic card will no longer be enough on their own to make a payment in Europe. SCA requires at least two independent elements from three categories: something the customer knows (a password or PIN), something they possess (a card or a registered mobile phone) and something they are (a biometric such as a fingerprint). For remote payments the authentication code, typically a one-time code delivered through a scheme such as ‘Verified by Visa’, must also be dynamically linked to the specific amount and payee, so that it is only valid for that one transaction and cannot be reused if either is altered.
This two-factor SCA step is required before a payment is made, but the RTS carve out exceptions, for instance for low-value contactless card payments and for unattended terminals taking transport or parking fees. PSPs, especially large banks, may also qualify for a transaction risk analysis exemption if they can demonstrate effective fraud monitoring and low fraud rates.
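As an added illustration of the dynamic-linking requirement described above (example code written for this page, not taken from the RTS text or from any bank’s or scheme’s implementation): the authentication code is an HMAC over the payee, amount, currency and a per-transaction nonce, truncated to digits in the RFC 4226 style, so that a code issued for one transaction fails to verify if the amount or payee is changed and cannot be replayed. The key, the account identifiers and the nonce values are constructed for the demo; in a real deployment the key would sit in the possession element (card or phone app) and be unlocked by the knowledge or inherence element.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed demo key: in practice this lives in the issuer's HSM
# or in the customer's possession element (card, phone app).
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


@dataclass(frozen=True)
class Transaction:
    payee: str          # payee IBAN or merchant identifier (constructed values below)
    amount_cents: int   # amount in minor units, so no float rounding issues
    currency: str
    nonce: str          # fresh per-transaction challenge issued by the PSP


def new_nonce() -> str:
    """Unpredictable per-transaction challenge, generated by the PSP."""
    return secrets.token_hex(16)


def canonical(tx: Transaction) -> bytes:
    """Fixed-order, delimiter-separated encoding of the fields the code is linked to."""
    return f"{tx.payee}|{tx.amount_cents}|{tx.currency}|{tx.nonce}".encode()


def generate_code(secret: bytes, tx: Transaction, digits: int = 8) -> str:
    """HMAC-SHA256 over the canonical transaction, truncated RFC 4226-style to a numeric code."""
    mac = hmac.new(secret, canonical(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, tx: Transaction, code: str, used_nonces: set) -> bool:
    """Accept the code only once, and only for exactly the amount and payee it was issued for."""
    if tx.nonce in used_nonces:
        return False                      # replay of a consumed challenge
    expected = generate_code(secret, tx)
    if not hmac.compare_digest(expected, code):
        return False                      # amount, payee or nonce does not match
    used_nonces.add(tx.nonce)
    return True


def demo() -> dict:
    """Genuine use succeeds; replay and tampering with amount or payee fail."""
    used = set()
    tx = Transaction("DE89370400440532013000", 12_50, "EUR", "nonce-0001")  # constructed
    code = generate_code(DEMO_SECRET, tx)

    results = {
        "genuine": verify_code(DEMO_SECRET, tx, code, used),
        "replay": verify_code(DEMO_SECRET, tx, code, used),
    }

    used.clear()  # fresh verifier state so the tampering cases are not rejected as replays
    tampered_amount = Transaction(tx.payee, 1_250_00, tx.currency, tx.nonce)
    results["amount_tampered"] = verify_code(DEMO_SECRET, tampered_amount, code, used)

    tampered_payee = Transaction("GB29NWBK60161331926819", tx.amount_cents, tx.currency, tx.nonce)
    results["payee_tampered"] = verify_code(DEMO_SECRET, tampered_payee, code, used)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} accepted={ok}")
```

The point the example makes is that binding the code to amount and payee, rather than only to a time window as a plain TOTP does, is what stops a code phished for a €12.50 purchase being spent on a €1,250 transfer to another account.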
Many banks are using the compliance-driven necessity to connect to new instant payment (IP) schemes in Europe, under the SCT Inst scheme, to simultaneously overhaul their technology and fraud systems where possible, in readiness for PSD2 and the open banking and data era that it presages.
Screen scraping banned
The EC statement this week also adjudicates on the long-running arguments and lobbying between the European Fintech Alliance (EFA) and the European Banking Authority (EBA), which wanted to ban screen scraping. The EBA appears to have got its way, subject to European Parliamentary approval.
Depending on your point of view, screen scraping can be described as stealing internal data (the banks’ argument –Ed) or as legitimately gathering business intelligence and customer data to launch competitive products (the FinTechs’ opinion –Ed).
In reality, the customer owns their own personal data. This is what the EC wants to see, but the banks and established PSPs argue there must be appropriate access controls, IT security and data protection.
Revised rules & APIs
The revised PSD2 RTS rules from the EC specify banks’ obligations for supporting third-party account information tools, and make it clear that screen scraping of account data from bank websites will not be allowed. Instead banks will have to provide dedicated APIs to any authorised third party that wants to access them and compete for customers on the basis of their data. This structure mirrors the UK Open Banking initiative in many ways, and a body similar to the Open Banking Implementation Entity (OBIE) set up under its auspices can be expected Europe-wide.
Indeed, in its statement the EC is already promoting the set-up of a market group consisting of representatives from banks, payment initiation and account information service providers and payment service users to ensure fair play. The group will review the quality of bank interfaces for customer data sharing and ensure open APIs are on offer.
Banks whose dedicated interfaces fail to pass muster will have to provide a ‘fall-back’ option allowing third parties to reach the account data through the bank’s customer-facing online interface, as PSD2 mandates. The EFA and FinTech start-up lobbying groups will no doubt welcome this compromise, provided it is enforced.
PSPs will have to define transparent key performance indicators (KPIs) and service level targets for the dedicated communication interfaces and to ensure fair API access. According to the EC, “these should be at least as stringent as those set for the online payment and banking platforms used by the customers”.
The EC says all communication interfaces, whether dedicated or not, will be subject to a three-month ‘prototype’ test and a further three-month ‘live’ test under market conditions, which may help to allay enforcement fears.