The European Banking Authority (EBA) has published its final proposal for changes to the revised Payment Services Directive’s (PSD2) re-authentication rules, which many believed created an imbalance in account access.
Following a public consultation that attracted more than 1,200 responses, the EBA has opted to change some of the requirements in its draft regulatory technical standards (RTS).
As part of the changes, the EBA has announced that the strong customer authentication (SCA) exemption period has been extended from 90 to 180 days.
The changes also introduce a new mandatory exemption to SCA that will require account providers not to apply SCA when customers use an account information service provider (AISP) to access their payment account information, provided certain conditions are met.
The amendment aims to reduce friction for customers using such services and to mitigate the impact that the frequent application of SCA and the inconsistent application of the current exemption have on AISPs’ services.
“Making the SCA exemption mandatory and extending the timeline for renewal are changes that are very welcome to the fintech community,” said Jens Olsson, a Stockholm-based fintech consultant.
SCA at its core has had very positive effects but has also brought some unintentional issues to consumers and third-party providers since the implementation of the RTS, he continued. “It’s great to see the EBA proposal to resolve the identified issues and lower the unnecessary friction that SCA can entail for cases that don’t motivate SCA.”
Not far enough
Although the changes are positive for the fintech industry, there is a feeling that they could have gone further.
“An even more dynamic and data-driven SCA exemption model in the future could further elevate the consumer journey, while being risk proportionate,” Olsson suggested.
According to Ralf Ohlhausen, chair of the European Third-Party Providers Association (ETPPA): “This proposal is a very positive step forward towards better implementations of PSD2, in particular by making this exemption mandatory. Extending it from 90 to 180 days is helpful, but does not resolve the AISPs’ problem of having to onboard their customers again and again.”
These changes will give some relief, he said. “However, it looks like we will have to wait for PSD3 to clarify explicitly what should have gone without saying, namely that customers can use AISPs even when they are asleep and without losing that service every half year.”
Further changes to adapt to fast technology development and changes in consumer demand are needed, agreed Olsson. “Such changes could be better addressed in the light of the PSD2 review. This could be a more dynamic decision on SCA supported by an improved data model to increase consumer protection as well as reduce friction.”
It is a real pity that the EBA did not adopt any of the ETPPA’s suggestions, said Ohlhausen, adding that Article 97 of PSD2 clearly states that SCA only applies when the customer is online, either directly with their bank or through an AISP app.
The EBA has tried to strike an even balance between the wants of the AISPs and the banks throughout the process, with the regulator’s payments chief, Dirk Haubrich, appearing annoyed that third-party providers (TPPs) had not been more pleased when the banking watchdog confirmed that it was set to change the rules.
“Some TPPs seem to be of the view that just because their wishlist isn’t being filled, something must be very wrong. However, there isn’t anything wrong at the EBA and we do what we can within the legal constraints,” Haubrich told a conference in November 2021, warning that such a response could lead the EBA to put the new standards on ice.
“It has a particular aim of making life easier for TPPs. And if the TPPs complain about how this is not good enough, then we may actually come to the conclusion that we are not going to amend the RTS,” he said.
Despite this warning, TPP players are still concerned.
While you were asleep
“It remains a mystery how it can be interpreted to apply when the customer is not online,” said Ohlhausen.
An AISP accessing on the customer’s behalf, for example overnight, is and must be authorised and authenticated in a different way, using their eIDAS certificate and an access token, he continued. “We cannot wake up the customer to get their fingerprint in addition. For many customers, it is the whole point of using an AISP that they do not have to check all their accounts themselves all the time.
“Best practice across all industries for this type of service is to require explicit consent to opt-in and facilitate an easy opt-out,” he suggested, pointing out that requiring a re-consent every 90 or 180 days is an unnecessary hurdle, not justified by any evidence and not required for any other service in the world, adding that requiring an SCA on top, which was dropped in the UK, makes that even worse.
“Imagine your energy, water or telecoms service or any of your direct debits would expire every 180 days if you don’t reconfirm your consent,” Ohlhausen complained.
After the proposal is accepted by the European Commission, the European Parliament and European Council are entitled to a one-month “non-objection period”.
Then, 20 days after publication in the EU’s Official Journal, which records the bloc’s legally binding acts, the amended RTS will enter into force.
Banks will then have five months to publish the documentation for the changes and make them available to TPPs in their testing facility, and seven months in total to implement the changes in the production environment, which means AISPs could begin to see the benefits in early 2023.