On 11 March 2019, the European Banking Authority (EBA) published clarifications to the first set of issues that had been raised and discussed by participants of its Working Group (WG) on Application Programming Interfaces (APIs) under the revised Payment Services Directive (PSD2), which met for the first time on 21 February 2019. The document is available here.
The first group of issues on which the EBA has given clarifications relates to (1) the practical aspects regarding the reliability of testing platforms, (2) the alignment of functionalities and data requirements between API schemes, and (3) the identification for Qualified Trust Service Providers (QTSPs) issuing PSD2 eIDAS certificates.
1. The issues around testing of APIs by ASPSPs have been much anticipated, considering the 14 March deadline for beginning the requisite six-month testing period. Without approval for these interfaces from their regulator, ASPSPs will be obliged to provide a fall-back option for TPPs looking to access the customers’ payments accounts.
- The EBA encouraged ASPSPs "to use automatic testing programs wherever possible and make documentation available in a machine-readable format. This is likely to minimise the support that ASPSPs may otherwise be required to provide to each TPP using the testing facility. Enabling a degree of automaticity may also enhance the participation rate of TPPs, facilitate better testing results and help ASPSPs achieve “wide usage” of their production interface, which may in turn be beneficial for the purpose of the exemption process".
- The EBA also suggested that "ASPSPs may find it to be in their own interest to ensure that the functionalities and scenarios available for testing are as close as possible to the functionalities that will subsequently be offered in the production interface."
- The EBA also indicated that "if the testing facility does not function well, this will impact on the assessment of the ASPSP’s application for an exemption."
2. As regards the various API initiatives (e.g. Berlin Group, UK Open Banking, Polish API, Slovak API), the EBA indicated that "API initiatives may also wish to consider surveying the ASPSPs implementing their respective specifications, software, and/or implementation tools and compare and publish the functionalities supported by these ASPSPs. This should further enhance transparency for all market participants and TPPs in particular, regarding the functionalities available through each API and any divergences between ASPSPs using that API."
3. As regards the eIDAS certificates required under the RTS for the purpose of identification of TPPs by ASPSPs, the EBA has approached the QTSPs listed on the EC's website to ask them whether or not they issue or intend issuing eIDAS certificates for PSD2 purposes, and has published the list of those who do.
In the weeks and months to come, the EBA will add clarifications to a number of additional issues raised by the WG.
Background on the EBA Working Group on APIs
In January this year, the EBA established a WG on APIs under PSD2, consisting of 30 representatives from Account Servicing Payment Service Providers (ASPSPs), Third Party Providers (TPPs), API initiatives, and other representatives from standardisation bodies technical service providers and payment service users.
The aim of the group is to identify issues and challenges that market participants face during the testing and use of API interfaces and to propose solutions on how the identified issues could be addressed solutions that the EBA and national authorities will then consider. The resultant discussions will help inform the approaches taken by the EBA and national authorities in respect of the supervision of applicable requirements and will contribute to a harmonised approach across the 28 EU Member States.