German MEP: EBA PSD2 guidance shifts power ‘significantly towards banks’

Markus Ferber, a Member of the European Parliament (MEP) who sits on the Committee on Economic and Monetary Affairs, has written a letter to the European Banking Authority (EBA) on its implementation of the revised payments services directive (PSD2). Mr Ferber says EU parliamentarians have taken a strong interest in ensuring the ‘letter and spirit’ of PSD2 be reflected in the actual conduct of regulators and banks. Mr Ferber notes that for quite some time he has had doubts on whether guidance from the EBA would be “indeed capable of opening the market for payment services beyond traditional providers such as banks”.

Much of Mr Ferber’s criticism centres around the so called ‘fall-back option’ which Third Party Providers (TPPs) can rely on if a bank’s dedicated interfaces are unavailable for more than 30 seconds, or if they did not meet general operational requirements. Such a fall-back mechanism will consist of opening up the ASPSP’s user-facing interface as a secure communication channel for payment initiation and account information services. Mr Ferber believes that “the European Banking Authority adopted certain pieces of level 3 guidance that now moves away from that balanced approach and shifts the balance of power significantly towards banks”.

In particular, Mr Ferber deals with the issue of ‘redirection’ for the so-called fall-back option. Such redirection would mean taking a customer out of a third party app and into his/her banking service to authenticate a transaction. The EBA has written that “redirection is not, in itself, an obstacle” but only becomes unacceptable if it is implemented “in a manner that creates delay or friction”. Mr Ferber says he strongly disagrees with the EBA’s view as he considers redirection itself as causing friction which “might cause the client to abort the payment procedure”. Summing up on this point, Mr Ferber writes “not being able to provide a seamless end-to-end customer experience constitutes a severe competitive disadvantage for Third Party Providers compared to traditional players”.

Mr Ferber goes on to outline two other areas of concern — fraud prevention and white-listing of trusted beneficiaries — where he sees banks as being allowed to maintain control over customers’ data for dubious reasons.

Mr Ferber summarises that “while each of these points on its own might not look like a significant impediment, the sum of all these provisions and similar attempts in the original draft guidelines lead me to conclude the EBA is attempting to change a directive and a delegated regulation that turned out not to be to its liking through the backdoor”. He reminds that “it is not the EBA’s role to reverse the decisions made by the Union legislator”.

EBA interim chairperson Jo Swyngedouw issued a response six weeks later. He commented that the final version of the PSD2 regulatory technical standards that were published in the Official Journal of the EU in March 2018 contained “a number of components that were unclear and therefore at risk of being interpreted very differently across the 28 EU Member States, thus undermining the objective of PSD2 of bringing about a single EU payments market”. He referred to the practical challenge of completing assessments for potentially up to 6,000 different ASPSPs within only six months.

Mr Swyngedouw noted “difficult trade-offs between what are at times competing objectives of the Directive, such as enhancing competition, facilitating innovation, enhancing customer convenience, increasing security, bringing about a single EU payments marketing, and doing all this in a way that is business model and technology neutral”.

In conclusion Mr Swyngedouw added that “balance and neutrality is very important to the EBA”. He is heartened by the fact that around 200 Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) have thus far been authorised. In a new development, Mr Swyngedouw reveals that the EBA is setting up a working group on APIs under PSD2, which is to consist of an equal number of TPPs and ASPSPs.

This back-and-forth between the European Parliament and the umbrella banking regulator highlight the continued uncertainty around PSD2 standards before their full implementation this September and suggests banks which do not have APIs and other PSD2 enablers in place may continue to lobby for delays in meeting open banking requirements.