On 13 June 2018 the European Banking Authority (EBA) published an Opinion and draft Guidelines[1] on the Regulatory Technical Standards (RTS) on Strong Customer Authentication and Common and Secure Communication.
We are supportive of the views contained in the EBA Opinion and encourage firms and API initiatives to consider these views.
If the final version of the Guidelines is the same as the published draft, and subject to our own consultation process, we would expect to comply with the Guidelines.
The RTS set out how third-party providers of account information and payment initiation services (TPPs) and account servicing payment service providers (ASPSPs) should interact and communicate securely to enable TPPs to provide their services to customers with the customer’s consent.
The draft Guidelines clarify how we should approach exempting ASPSPs from a requirement to build a contingency access mechanism. Firms can avoid having to build the contingency mechanism if we are satisfied that they meet the criteria for exemption in Article 33(6) of the RTS.
Next steps
We plan to consult on changes to our guidance and rules to reflect the RTS, Opinion and draft Guidelines during the summer. This consultation will set out the proposed process and level of information we require from firms to make our exemption assessment.
We expect to be able to make assessments from early 2019. As the RTS will apply from 14 September 2019, we will aim to respond to firms’ exemption requests promptly.
Before our consultation, ASPSPs and TPPs should be aware that:
- We encourage ASPSPs to provide dedicated access to TPPs using secure application programming interfaces (APIs). Where standardised APIs, such as those developed by the Open Banking Implementation Entity, align with Payment Services Directive (PSD2) requirements, we encourage providers to use these as a basis for providing secure access to payment accounts.
- Where ASPSPs do not opt to implement the dedicated interface, their interface must still meet various requirements under the RTS. For example, from 14 September 2019 all ASPSPs will need to comply with obligations set out in RTS Articles 30 (general obligations for access interfaces), 34 (certificates), 35 (security of communication session) and 36 (data exchanges) and wider RTS requirements.
- All ASPSPs will also need to make available technical specifications, and provide support and a testing facility by 14 March 2019. However, we would encourage ASPSPs seeking exemption not to wait until this date to make these available. Stress testing will also need to be carried out by the ASPSP.
- The RTS does not allow us to grant a partial exemption. We will provide opportunities for ASPSPs to engage with us before submission of the exemption request. We also encourage timely requests for exemption as we will need time to make an exemption assessment.
ASPSPs and TPPs should also note that the Guidelines and Opinion set out:
- That some ASPSPs will only be able to demonstrate that their interface is available to be widely used, rather than show it is widely in use.
- That the use of redirection by an ASPSP is not automatically an obstacle; nor is there a requirement in PSD2 or the RTS for an ASPSP to provide more than one method of access.
- That ASPSPs must avoid imposing unnecessary requirements (such as additional consent checks) when designing and implementing their dedicated interfaces.
- That we would not be able to exempt ASPSPs whose implementation creates obstacles to the provision of account information and payment initiation services. This could include where an interface creates delays and friction in the customer journey.