PSD2: Time to Seal the Deal on the RTS

  • Howard Berg, MD at Gemalto UK

  • 01.12.2017 11:00 am

For many involved in the European banking sector, PSD2 (Payment Services Directive 2) and the RTS (Regulatory Technical Standards) have loomed large for some time. And the same probably holds true for the wider eCommerce industry. PSD2 came into force in January 2016 and should be transposed into the national legislation of EU member states within two years of that date. In parallel, the EBA (European Banking Authority) was empowered by the European Commission to deliver the RTS that will translate PSD2 into technical requirements. By early 2019, banks, Fintechs and businesses using payments data should be adhering to these rules.

With ambitious goals that impact an array of stakeholders, PSD2 undoubtedly represents a major milestone for the rapidly evolving digital banking and eCommerce markets. Specifically, the directive seeks to establish a more competitive environment based on open banking principles, and create a level playing field for Fintechs. Furthermore, it aims to ensure consistently robust protection of customer data, while improving end user experience.

To meet these objectives, banks will be required to create APIs (Application Programming Interfaces) that allow AISPs (Account Information Service Providers) and PISPs (Payment Initiation Service Providers) swift and secure access to customer accounts. New rules for SCA (Strong Customer Authentication) and TRA (Transaction Risk Analysis) will meet the need for enhanced security and a smoother digital journey.

However, whilst most stakeholders are fully behind the goals of PSD2, progress towards adoption of a final draft of the RTS has been slow. What’s more, despite a fast-approaching deadline, it still appears to be stuck in first gear. Consequently, there is a real danger that the proposed date for implementation will be missed. For all those with an interest in the future of the digital banking and payments ecosystem, that is a genuine cause for concern.

The latest delay stems from a proposal by the European Commission in May to amend the EBA’s ‘final’ RTS draft. In fact, the Commission provided a full draft of its own. A month later, the EBA responded via a letter back to the Commission, making clear that the changes were not well received. Having put forward a series of counter proposals, the EBA declared its work done. The ball is therefore well and truly in the court of the Commission, who must make the final decision on the text of the RTS. It will then be submitted to the European Parliament and EU Council for scrutiny, before the standards are adopted as a delegated Act in the Official Journal of the EU. The RTS will apply 18 months after publication in the EU Journal.  

This new obstacle to adoption of the RTS should not really come as a surprise. After all, PSD2 and the RTS are trying to balance a number of conflicting objectives, and establish common rules for stakeholders with diverging priorities. With each successive draft, it is inevitable that banks, Fintechs and merchants will lobby vigorously to protect their own interests. In this respect, the latest push-back by the EBA is merely another round in an on-going fight. However, the concerns raised highlight some of the fundamental divisions that still exist between key players.

The EBA’s letter pinpoints four main concerns. Two are particularly contentious: ‘web-scraping’ and control on SCA. Of these, the former is almost certainly the toughest nut to crack. To date, web-scraping has been widely employed by AISPs and PISPs as a means of accessing bank accounts; effectively it allows them to impersonate the customer by using his bank credentials. For the EBA, this has always been at odds with the commitment of PSD2 and the RTS to principles such as SCA. The authority’s original draft of the RTS therefore mandated all banks to provide an Open API as a secure means of exchange with AISPs and PISPs.

In response, Fintechs have raised a series of objections. They argue that most of their current technologies are based on web-scraping. Furthermore, web-scraping is mature and safe: no security breaches have so far been associated with it. The European Commission’s reaction was to reintroduce web-scraping as a fall-back method, and strengthen SLA (Service Level Agreement) standards for ASPSP Open APIs. For its part, the EBA’s letter reiterates its view that web-scraping is incompatible with the basic principles of the RTS. In early September the authority won further backing in the form of a public letter from the FIDO (Fast IDentity Online) Alliance, which advocated a complete ban on web-scraping, albeit preceded by a limited transition period. 

The second major bone of contention between the Commission and the EBA concerns the implementation of SCA. In this case, objections to the EBA’s draft are led by merchants and their PSPs (Payment Service Providers), who fear that the EBA proposals will lead to an increase in shopping cart abandonment. Specifically, they question the plan to give ASPSPs (Account Servicing Payment Service Providers) exclusive control of SCA and TRA, arguing that merchants have additional customer information that can facilitate more accurate assessments. Their case is summarized in yet another letter to the European Commission, this time from the eCommerce Association. Notably, this includes an assertion that TRA should be handled by merchants as well as PSPs or ASPSPs. SCA exemptions (i.e. low risk transactions) should be based on the merchants’ own TRA, free from the ultimate control of the banks. Furthermore, merchants are also seeking to review low risk exemption thresholds. Once again, it is easy to understand their concerns, but equally difficult to see how they can be reconciled with the strict ASPSP liability principles established in PSD2 and reflected in the content of the RTS proposed by the EBA.

Although these and other remaining differences are clearly significant, it is crucial that all concerned consider the bigger picture too. In particular, they must recognize the serious consequences of missing the prescribed deadlines for PSD2 and the RTS. Digitalization may have already transformed the banking and retail environments, but there are still numerous opportunities for further growth and innovation - not to mention a rich array of new services for customers. At the same time, cyber-crime poses an ever more serious threat to both the integrity of customer data and end user confidence. PSD2 and the RTS are critical in terms of addressing these issues and facilitating the transition to truly open banking in Europe. The overriding priority must therefore be to draw this long-running saga to a swift conclusion, and allow enterprises and consumers alike the freedom to realize the potential benefits offered by another new era in digital banking and payments.  
