PSD2: UK Regulator Warns Banks on Third-Party Interface Deadline
The British Financial Conduct Authority (FCA) has opened a month-long consultation period for consumer financial institutions on the PSD2 regulatory technical standards (RTS).
The consultation is open to banks, credit card companies and other licensed institutions. Companies that choose to build dedicated third-party access APIs must gain approval from the FCA.
The FCA consultation mentions a potential exemption for third party interface requirements which may be available from September 2019, with applications expected by June 14th.
The FCA promises to respond to exemption requests within a month. In the event of a refusal, the card issuer will be given two months to implement a contingency mechanism.
For an exemption to be allowed, an interface must have been available for testing for half a year and have been extensively used by existing third-party providers (TPPs).
The UK’s nine biggest banks were instructed last year to work together on implementing Open Banking standards, but the collaboration has seen delays and setbacks. Fintechs have led criticism of the big banks for providing low-quality APIs and generally “slow rolling” the PSD2 standards implementation.
The FCA consultation also touches on payment authentication, saying that it desires user journeys whereby “customer credentials never have to be provided to anyone other than the customer’s bank or PSP [payment service provider].”
This follows guidance from the European Banking Authority (EBA) in June that offering “redirection” to authentication with your bank when using TPP services is allowed if users are not de facto blocked from using TPP services. Banks choosing this “redirect” option do, however, have to provide the regulator with an explanation of why this is not an obstacle to TPPs.
The EBA added that the authentication mechanism used when dealing directly with your bank (e.g. fingerprint in banking app) should also be feasible when authenticating using redirection from a TPP.
These latest moves by UK and European regulators leave banks in the position of ultimate responsibility for authenticating their customers’ activities with TPPs and will thus open banks to criticism from customers and fintechs that their authentication journeys are the weak link in the open banking ecosystem.