The EBA’s Hunt for the Red APIs

Neonomics
Mar 15, 2021 · 4 min read

The hunt has begun. The European Banking Authority (EBA) has released an opinion on supervisory actions to ensure the removal of obstacles to account access under PSD2.

They urged the European national financial authorities to take supervisory measures to ensure the bank’s APIs are indeed compliant with PSD2 and the RTS by 30 April. In other words, if the banks have not managed to remove the so-called obstacles by 30 April, they will be subject to serious supervisory actions; namely fines!

It is not just monetary repercussions that banks will have to look out for — it is also about proactively taking an integral part in shaping the new financial landscape, not just as a mere participant, but as an actor, mover, and shaker.

For those who do not dare to go through the EBA’s 11-page, tech-heavy document outlining these obstacles, I have summarized them into three main pointers in layperson’s language. But before we go, let us recap some PSD2 terminology.

RTS: Regulatory Technical Standards are a set of detailed compliance criteria set for all parties that cover areas such as data security, legal accountability, and other processes.

SCA: Strong Customer Authentication as defined by EBA Regulatory Technical Standards is authentication based on the use of two or more elements categorized as knowledge, possession, and inherence.

PIS & PISP: A Payment Initiation Services Provider provides an online service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider.

AIS & AISP: An Account Information Service Provider offers an online service that provides consolidated information on one or more payment accounts held by a payment service user with one or more payment service providers.

TPP: Third-Party Providers are organizations or natural persons that use APIs developed to Standards to access customer’s accounts, to provide account information services, and/or to initiate payments. (Source: UK Open Banking)

Obstacle 1: Banks should support all authentication methods — especially “decoupled” for a smoother user-journey at the point of sale.

Currently, there are three approaches to customer authentication, namely 1) redirection, 2) decoupled and 3) embedded, plus 4) combinations of these. All of these methods should be made available and supported by the banks by April 30, 2021.

Decoupled means the user is directed to the bank’s own app for identification. Once there, they can authenticate with whatever means the banking app provides, including authentication factors such as biometrics (e.g., fingerprints). Embedded means the TPP (such as Neonomics) and the bank exchange authentication data, allowing the TPP to handle the whole flow, including the use of biometrics.

Biometrics are not transmittable credentials. Thus, if banks have implemented biometric authentication, they should support a secure way of conveying its result, for example a signed proof that the biometric validation has been performed successfully.

Many market players, including Neonomics, have seen mandatory redirection as a major obstacle, as it only works in a web browser or mobile app-based environment, limiting our ability to design new ways in which customers can initiate payments.

As banks are now strongly urged to enable decoupled SCA flows, the open banking payment game is about to change for the better.

Obstacle 2: Single SCA instead of two for payments

When it comes to PIS (payment initiation service), banks should support a single SCA for a single payment initiation, provided that the PISP (payment initiation service provider) successfully transmits all the necessary information, such as the account number and IBAN.

As of today, in most cases, the end-user must authenticate twice to carry out a single payment: once to consent to the bank data access and once more to initiate the payment on their behalf. Banks should remove this obstacle unless they have substantial security arguments. Banks that continue to require a separate SCA for “log-in” when the end-user initiates a payment directly with the bank will not have sufficient grounds to justify two SCAs.

Obstacle 3: 90-day reauthentication

Currently, the user must carry out SCA with the bank every 90 days, or more frequently. Market participants argued that the 90-day requirement is an obstacle. The EBA concludes that the 90-day re-authentication requirement strikes an appropriate balance between the competing objectives of PSD2: ensuring consumer-friendliness and ease of use whilst increasing security. So, it seems the 90-day rule will stick after all — then what can be an obstacle? The challenge is that most banks are not ready to support ongoing 90-day access without SCA. While banks may choose to delegate/outsource SCA to TPPs on their behalf, they are not obliged to do so under PSD2; however, the EBA reiterates that the requirements set out in the EBA guidelines on outsourcing arrangements apply here, and thus banks should be ready to support ongoing 90-day access by delegating SCA to the TPPs.
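To make the two bank-side checks above concrete, here is an added example in Go that is not part of this article and not Neonomics’ or any bank’s code. It sketches Obstacle 1’s “signed proof that the biometric validation has been performed” for an embedded/delegated SCA flow, and Obstacle 3’s 90-day access window. The proof layout (`ScaProof`), the field names, the JSON encoding, the Ed25519 choice and the 5-minute clock-skew tolerance are all assumptions made for this example; the EBA opinion prescribes none of them. The TPP’s public key is assumed to have been registered with the bank out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ReauthWindow is the 90-day re-authentication rule discussed under Obstacle 3.
const ReauthWindow = 90 * 24 * time.Hour

// MaxClockSkew bounds how far "in the future" a proof may be stamped before the
// bank rejects it. Hypothetical tolerance for this example, not from the EBA opinion.
const MaxClockSkew = 5 * time.Minute

// ScaProof is a hypothetical attestation the TPP sends to the bank in an embedded
// flow: "SCA for this user succeeded via this method at this time".
// Field names and JSON layout are assumptions for this example. Binding the proof
// to a consent id and a timestamp limits what a replayed proof can assert.
type ScaProof struct {
	UserID    string    `json:"user_id"`
	ConsentID string    `json:"consent_id"`
	Method    string    `json:"method"` // e.g. "biometric_fingerprint"
	IssuedAt  time.Time `json:"issued_at"`
}

// NewTPPKeys generates the TPP's signing key pair. In practice the public key
// would be registered with the bank during TPP onboarding.
func NewTPPKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignProof runs on the TPP side after the biometric check passed locally.
// The biometric itself is never transmitted; only this signed statement is.
func SignProof(priv ed25519.PrivateKey, p ScaProof) (payload, sig []byte, err error) {
	payload, err = json.Marshal(p)
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// VerifyProof runs on the bank side. It checks the signature before parsing the
// payload, then rejects proofs stamped too far in the future.
func VerifyProof(pub ed25519.PublicKey, payload, sig []byte, now time.Time) (ScaProof, error) {
	var p ScaProof
	if !ed25519.Verify(pub, payload, sig) {
		return p, errors.New("sca proof: bad signature")
	}
	if err := json.Unmarshal(payload, &p); err != nil {
		return p, fmt.Errorf("sca proof: malformed payload: %w", err)
	}
	if p.IssuedAt.After(now.Add(MaxClockSkew)) {
		return p, errors.New("sca proof: issued in the future")
	}
	return p, nil
}

// AccessAllowed is the bank's decision for an AIS data request at time now, given
// the most recent SCA it has verified for this consent: access continues without
// a fresh SCA for up to 90 days, after which the user must authenticate again.
func AccessAllowed(lastSCA, now time.Time) bool {
	return !now.Before(lastSCA) && now.Sub(lastSCA) < ReauthWindow
}

func main() {
	pub, priv, err := NewTPPKeys()
	if err != nil {
		panic(err)
	}
	issued := time.Date(2021, 3, 15, 10, 0, 0, 0, time.UTC) // constructed timestamp
	payload, sig, err := SignProof(priv, ScaProof{
		UserID: "user-123", ConsentID: "consent-abc", Method: "biometric_fingerprint", IssuedAt: issued,
	})
	if err != nil {
		panic(err)
	}
	p, err := VerifyProof(pub, payload, sig, issued.Add(time.Minute))
	fmt.Println("verified:", err == nil, "user:", p.UserID)
	fmt.Println("day 89 allowed:", AccessAllowed(p.IssuedAt, issued.Add(89*24*time.Hour)))
	fmt.Println("day 91 allowed:", AccessAllowed(p.IssuedAt, issued.Add(91*24*time.Hour)))
}
```

The signature is verified before the JSON is parsed so that a malformed or tampered payload never reaches the parser, and the bank holds only the TPP’s public key, so it cannot forge a proof it later relies on; that is the reason for a digital signature rather than a shared-secret MAC here.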

The 14 September 2019 deadline is more than a year ago now, and one might wonder whether this new deadline will indeed be met with real consequences. This time, however, a few European national financial authorities have already started moving the needle, including the Danish FSA.

So, if you have considered navigating the new opportunities arising out of PSD2 and open banking, this year might just be the right time for you. Feel free to give a shoutout to our sales team to learn more about what Neonomics offers!

Written by Yujin Jo, Product Marketing Manager
