EBA publishes an opinion and a consultation paper on the implementation of the RTS on strong customer authentication and common and secure communication under PSD2

By Adrian Calvo, Isabel Rodriguez, Trystan Tether, Lupe Sampedro, Scott McInnes, Paul Hermant, Jose Luis Lorente Howell, Shane Barber, Cathie Rosalie-Joly, Michael Juenemann, Pauline Kuipers, Stefano Febbi, Hans Svensson, Kristiina Lehvila, Gabor Helembai, Alexander Shepherd, Ivan Sagal, Slawomir Szepietowski, Annette Prinz Nielsen,


The European Banking Authority (EBA) today published two important documents on PSD2: an opinion on the implementation of the RTS on strong customer authentication (SCA) and Common Secure Communication (CSC) and a Public Consultation on the exemption for Account Servicing Payment Service Providers (ASPSP) to provide a "fallback" solution to Third Party Providers (TPPs) (deadline to submit comments: 13 August 2018).

The EBA also announced that it will extend its Single Rulebook Q&A tool to PSD2 so as to allow anyone to ask questions, and get answers within 2 to 4 months.
Opinion on the implementation of the RTS on SCA and CSC

The purpose of the EBA Opinion is to provide clarity on certain aspects relating to the implementation of the RTS on SCA and CSC.

In relation to the SCA mandate, the Opinion includes important clarifications on the views of the EBA in relation the execution of SCA and the application of different exemptions by the PSPs involved in a payment transaction, as well as the role of wallet providers (we presume this reference also covers mobile phone manufacturers such as Apple and Samsung) in the provision of SCA. In this sense, the Opinion includes a table specifying which exemptions are available to PSPs, depending on the payment instrument used for the execution of the transaction (credit transfers versus card-based payments). 

In relation to CSC or, in other words, TPPs getting access to payment accounts, the Opinion includes important clarifications in relation to consent, the scope of data sharing, requirements for dedicated interfaces (typically referred to as Application Programming Interfaces or APIs). For example, the Opinion states that the ASPSP should not check the consent of the payment service user (PSU) who has contracted with a TPP. 

The Opinion is addressed to Competent Authorities. However, the EBA indicates that, although it is not legally binding, it should "prove useful" also for PSPs, payment schemes, technical service providers and other industry initiatives. 
Consultation Paper on draft Guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) RTS on SCA & CSC (otherwise referred to as "the fallback").

The Consultation Paper focuses on the four conditions to be met by an ASPSP when it wishes to provide access via a dedicated interface to benefit from an exemption from the obligation to have a fallback option in place.

This Consultation provides clarity to the market and to Competent Authorities on the information to be considered for each of the four conditions in order to determine whether a request for the exemption meets the conditions in Article 33(6) of the RTS. In particular, the requirements proposed in this Consultation paper provide clarity in respect of the service level, availability and performance of the interface made available by the ASPSP , the publication of the performance indicators, the stress testing to be carried out, obstacles to accessing payment accounts, the design and testing of the interfaces to the satisfaction of TPPs, the wide usage of the interface, the resolution of problems, and the consultation by Competent Authorities with the EBA.

Comments to these consultations can be sent to the EBA until 13 August 2018. The final Guidelines will be published after this consultation period.

Both documents published by the EBA today are available here.