On 23 February 2017, the European Banking Authority (EBA) published their final report on the draft regulatory technical standards (RTS) on strong customer authentication and common and secure communication. The report takes on board the results of the market consultation that the EBA held between August and October 2016. Within the limits set by the PSD2, the authority has produced an improved version of the RTS that takes into account a number of market concerns. But the report is also the result of a balancing act: providing more guidance and clarity on the implementation of PSD2, while not restricting market innovation too much and not prescribing any technology to be used. How did the EBA deal with the main market concerns?
Scope and technologically neutral requirements
Notwithstanding its title, the RTS document is not technical, nor does it contain standards. What it does aim to achieve is to provide more detail on the directive’s requirements. However, the RTS remain neutral on the technology and standards to be used for the implementation of the PSD2. While it is understandable from a regulator’s perspective not to dictate any particular solutions and to let the market deal with the implementation, this approach does raise the risk of market fragmentation. If each bank creates its own communication interface and security solution, this would create a significant barrier to market entry for the new account information and payment initiation providers defined in the PSD2. There are several initiatives that aim to fill in the blanks regarding standardisation, but it remains to be seen if and how the market will arrive at common standards in a timeframe of less than two years (the RTS will apply 18 months after their adoption, so in November 2018 at the earliest).
Exemptions from strong customer authentication (SCA)
The set of exemptions that relieve PSPs of applying SCA for low-risk transactions has been extended. For instance, the low-value exemption for remote payments has been increased to EUR 30 (from EUR 10). Notably, a new exemption for the application of SCA has been added to the RTS, which allows PSPs to implement risk-based authentication if they can meet certain (challenging) fraud levels. PSPs that can show such low fraud rates will gain a competitive advantage in the market, as they can offer the best user experience for their customers (“click and pay”).
Despite the broader set of exemptions from applying SCA, merchants with higher ticket value transactions (e.g. travel and consumer goods) in particular will be confronted with step-up authentication procedures such as 3D Secure. Consumers have been reluctant to accept these procedures, and this poses a risk of lower conversion. On the other hand, customers may get used to the new practice over time, and it may add to their feeling of trust.
Access to payment accounts
Under the PSD2, banks are required to offer third party providers access to the payment account, under the condition of customer consent. The RTS now specify that if a bank offers such a communication interface (API) to third party providers (TPPs), the latter are no longer allowed to continue their current practice of “screen scraping” but have to use the interface provided. This will end a long-standing dispute between the banking industry and third parties concerning the risk of screen scraping and unauthorized access to e-banking portals. In return, the banks are required to provide TPPs with a communication interface that has the same service level as provided to their own clients.
The draft RTS has to be approved by the EU regulating bodies, and changes may still occur over the coming months. But with the RTS now nearly final, the industry should get ready to implement solutions quickly – 2018 is around the corner.
About Ron van Wezel:
Ron van Wezel is a senior analyst for Aite Group’s Retail Banking & Payments practice. His research covers market and regulatory trends in the payments space, with a focus on Europe. He recently published on risk management in merchant acquiring, digital wallets, open banking, and European regulation. Mr. van Wezel is a renowned expert in payments and digital banking. Prior to joining Aite Group, he worked in senior roles for large financial institutions such as Deutsche Bank and ABN Amro.
About Aite Group:
Aite Group has expertise in banking, payments, wealth management, capital markets, and insurance. Aite Group's analysts deliver comprehensive, actionable advice to key market participants in financial services. Headquartered in Boston, Aite Group works with its clients as a partner, advisor, and catalyst, challenging their basic assumptions and ensuring they remain at the forefront of industry trends.