SCA Renewal Reforms Not Far Enough, But PSD3 Offers Glimmer Of Hope

November 16, 2021
Although third-party providers have welcomed changes to strong customer authentication (SCA) rules regarding 90-day renewals, some have questioned whether the banking watchdog is doing enough to prevent harming businesses. PSD3 could help address these issues and more.

After months of hinting at changes to the SCA rules regarding 90-day renewal, the European Banking Authority (EBA) finally took action in October, launching a public consultation on the topic with plans to increase the renewal period and introduce a new mandatory exemption.

“The move is in the right direction and long-awaited,” said Jens Olsson, payments strategy expert at Trustly.

The current regulation has led to undesirable outcomes for fintechs providing services in the account information space, as well as payment providers using account information for payment initiation purposes, he said.

“The extension of the timeline will allow for a better consumer journey without unnecessary risk of fraudulent access or fraudulent transactions to follow,” he said, stating that the extension will ultimately benefit all market participants, not just fintechs.

As far as the EBA can go

This move by the EBA followed its earlier concession that the 90-day account renewal rule had hindered customer retention for account information service providers (AISPs).

To address the impact of these issues on AISPs’ services, the EBA is proposing to introduce a new mandatory exemption from SCA for the specific use case when the access is done through an AISP that is subject to certain safeguards and conditions, to ensure the safety of the customers’ data.

To ensure a level playing field among all payment service providers, the EBA is also proposing to extend the 90-day timeline in Article 10 of the regulatory technical standards (RTS) for the renewal of SCA to the same 180-day period for the renewal of SCA when the account data is accessed through an AISP.

Although he welcomed the changes, Olsson said burdens will remain for SCA renewal, albeit a little further down the road.

“Taking the burden into account, it should be appropriate to have the SCA renewal extended for longer than the suggestion of 180 days,” he said, suggesting that an appropriate solution, given what the EBA is in a legal position to do to address the issue, would be to extend the SCA renewal to one year.

In its consultation announcement, the EBA stated that it was going as far as it is legally authorised to go, suggesting that bigger changes must come from Brussels instead.

“It is clear that the EBA and the Commission want to do what they can to help out TPPs and help their services run smoothly,” said Andrea De Matteis, founder of De Matteis Law. “However, the EBA cannot go beyond what is allowed in the PSD2 regulation.”

Yet others are not so sure this is the case.

“If it has been possible in the UK then surely it is legally possible for the EBA to do as well,” pointed out Scott McInnes, a partner at Bird & Bird.

McInnes pointed out, however, that there are lots of risks that the EBA has to look at. “Ultimately, they need to find a compromise between safety and security on the one hand, and consumer convenience on the other.”

There is the risk of access to data, yet also the need to ensure that open banking is a success, he said. “As the EBA stated on multiple occasions, they want everybody in the ecosystem to be equally unhappy with the standards that they set.”

It is for reasons like this that a lengthier SCA renewal appears unlikely to be coming anytime soon.

“It is always hard to strike a balance between security and the awareness by end-users that they can trust the service and the end-user experience,” said Fabien Ignaccolo, chief executive of Okay, a Norway-headquartered SCA processor.

For this reason, regulators believe that there must be some friction, he conceded.

“The core services of TPPs [third-party providers] only work when the experience is frictionless, and with the current rules, there is a risk that TPPs’ businesses can fail,” conceded De Matteis. “However, agreements between TPPs and financial institutions could also help solve this problem.”


The PSD2 review is due to begin in the coming months, and there is already hope that it could evolve into a PSD3 and remedy some of the setbacks that PSD2 unintentionally caused.

“There already are discussions about PSD3,” pointed out Ignaccolo. “What we would like as part of a PSD3 is to have PISPs and AISPs be able to run their own authentication that could be trusted by the ASPSPs [i.e., the banks].”

This way they could create much better user experiences, he suggested.

“In the PSD2 review, there will be further room to fix the issue with other measures than extending the timeline for SCA renewal and an opportunity to completely remove the burden of SCA renewal for fintechs and consumers,” said Olsson.

Possible solutions, for example, could include an account access opt-out or that the fintech would request renewed permission to access the accounts without the consumer needing to undergo the steps of an SCA, he suggested.

As of now, the timelines for the PSD2 review are uncertain. In the EU’s Retail Payments Strategy, published last year, the European Commission said that it would begin in 2021.

However, sources have told VIXIO that they now believe early 2022 is more likely.
