
Transitioning to the new world: PSD1 to PSD2

21 December 2017

EBA issues opinion on transition to PSD2

The EBA's opinion (EBA/OP/2017/16) tackles various issues arising from the transition from PSD1 to PSD2. It includes general comments on the applicability of EBA technical standards and guidelines, and discusses the status of Third Party Providers (TPPs) and the role of the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) during transitional periods.

EBA Guidelines and Technical Standards – when do they all apply?

The Opinion provides an update on the status of its various mandates under PSD2:

Expected date of application | EBA Mandate

13 Jan 2018

  • RTS on passporting
  • Guidelines on authorisation and registration
  • Guidelines on the minimum amount of professional indemnity insurance

Q1 2018

  • Guidelines on incident reporting
  • Guidelines on complaints of alleged infringements
  • Guidelines on security measures for operational and security risks

Unknown: date to be made public at later stage

  • Guidelines on fraud reporting

Unknown: awaiting submission to Commission

  • RTS on home-host cooperation (expected to be submitted Q2 2018)

Unknown: submitted but awaiting adoption by Commission

  • RTS on EBA register
  • RTS on central contact points
  • RTS on SCA (expected H2 2019)


Only three of twelve EBA mandates will apply on 13 January 2018. Despite this, the EBA encourages both Competent Authorities and Payment Service Providers (PSPs) to comply with the most recent available draft versions of the guidelines which will not technically apply in the interim. For example:

  • PSPs should collect data on the basis of the final draft EBA Register RTS (but the requirement to report to the EBA will not start until a later date);
  • PSPs should prepare to comply with the version of the RTS on SCA which was adopted by the Commission on 27 November;
  • PSPs are not required to collect data set out in the draft fraud reporting guidelines, and should instead collect the data specified by their Competent Authority. This is because the requirement in Article 96(6) PSD2 is addressed to Member States rather than PSPs.


What can existing Third Party Providers (TPPs) do during the transitional period?

Firms which have been carrying on Account Information Services (AIS) or Payment Initiation Services (PIS) in the UK from before 12 January 2016 can continue to provide these services without authorisation until the RTS on SCA applies in 2019.

The EBA has clarified that these so-called 'live-market' firms "will not benefit from the full set of rights" set out in PSD2. In practice, this means that they will have no right to access accounts held with Account Servicing PSPs (ASPSPs). Given the restrictive nature of what unauthorised 'live-market' firms can actually do before the RTS on SCA applies, the EBA encourages all of these firms to apply for full authorisation as soon as possible. This echoes the FCA's comments in its final Approach Document.

 

How can account information be accessed during the transitional period?

Between 13 January 2018 and the date the RTS on SCA applies, TPPs will need to be able to access account information using existing methods such as screen scraping, without being blocked.

During this time ASPSPs are not required to put in place a dedicated interface, but the EBA encourages them to comply with the RTS by adopting or building a consumer interface as early as possible. This will build consumer confidence, as well as facilitating compliance with other PSD2 requirements and the General Data Protection Regulation (GDPR).

Firms are likely to welcome the EBA's guidance on these areas as they work towards the implementation date.
