
Screen-scraping – an end to uncertainty? European Commission reveals final position on PSD2 strong customer authentication RTS.

29 November 2017

Press Contact

Rachael Warren

Senior Public Relations Adviser
+44 20 7296 2780

"The many months that it has taken to reach this point are testament to how difficult it has been for the EBA and the Commission to try to balance the competing interests of the banks (preoccupied with the security of their customers' data) and the third party payment service providers (TPPs) (looking to protect the viability of their business models)," said Jon Chertkow, Partner in Hogan Lovells' Payments Team.

Key Points on TPP Access

Although much of the RTS has remained unchanged, the amendments contained in the final position will have substantive effects on both banks (and other ASPSPs) and TPPs. The highlights are:

  • Traditional screen-scraping (where the TPP impersonates the customer) is definitely banned.
  • Screen-scraping+ (where the TPPs are able to identify themselves to the banks as acting as a TPP) is permitted.
  • The banks are able to offer a dedicated interface of their own choice but this has conditions.
  • Where the bank has put in place a dedicated interface, it must provide screen-scraping+ as a contingency mechanism. Where 5 consecutive TPP access requests are not responded to within 30 seconds, the contingency mechanism will have to be activated.
  • The competent authorities (the FCA in the UK) can exempt the banks that have opted for a dedicated interface from the obligation to set up a contingency mechanism where that bank's interface meets specific conditions.
  • The national authorities can revoke the above exemption where the conditions are not met for more than two consecutive calendar weeks, in which case banks must implement the contingency mechanism (screen-scraping+) within two months.
  • Where banks have put in place a dedicated interface, they must ensure that this interface does not create obstacles to the provision of payment initiation and account information services.

Screen-Scraping + and Contingency Mechanisms

The Commission has developed a compromise solution allowing TPPs to use the interfaces made available to the customer (screen-scraping+) as part of a contingency mechanism if the banks' dedicated interfaces do not perform as required. The Commission has inserted restrictions on TPPs making use of a contingency mechanism. For example, TPPs must ensure that they do not access, store or process data for purposes other than the provision of the service as requested by the customer and TPPs must log the data that are accessed and provide log files to their competent authority.

National regulators, after consulting the EBA to ensure consistency, can exempt banks from the obligation to set up a contingency mechanism where the dedicated interface meets strict conditions. However, the national regulators will revoke this exemption where these conditions are not met for more than two consecutive calendar weeks. Banks must then establish, at the latest within two months, a compliant contingency mechanism.

In reality, all banks that have put in place a dedicated interface, whether they are subject to the exemption or not, will need to have a contingency measure in place. Those within the exemption will just benefit from a longer period before the contingency measure comes into play. A two-month wait for TPPs before they can use a contingency mechanism may severely threaten the viability of their business models.

The competent authorities are also now obligated to ensure "that the provision of payment initiation services and account information services is not prevented or disrupted". However, it is not clear how, for example in the UK, the FCA could ensure this and how this will work in practice.

John Salmon, partner in Hogan Lovells' FinTech Team, said:

"I think that the banks will welcome the ability to choose their own dedicated interface, which will enable them to implement the API infrastructure of Open Banking. It also seems a good result from the banks' perspective of not having to provide a contingency where the FCA has agreed to exempt them from doing so. However, from a practical perspective they are likely to be concerned about having to provide the contingency within 2 months of a problem occurring. From a TPP perspective there are likely to be concerns in relation to the 2 month period."

Obstacles

Under the Commission's final text, banks that have put in place a dedicated interface will be subject to strict requirements to ensure that the interface functions properly and does not unfairly restrict TPP access. The technical specification for a bank's dedicated interface must be made available at least six months before the RTS takes effect (or before the interface launch date, if later) to TPPs who have applied for authorisation, and a testing facility must be available six months before the interface launch date. Banks must also ensure that their dedicated interfaces do not create obstacles to the provision of payment initiation and account information services. In particular, the RTS specifies that such obstacles "may include, among others":

  • preventing TPPs using customers' security credentials;
  • imposing redirection to the ASPSP's authentication or other functions;
  • requiring additional authorisations and registrations beyond those required by PSD2; and
  • requiring additional checks of the consent given by PSUs.

It is unclear from the drafting how this provision will be interpreted. The Commission clearly states that as a starting point a bank's dedicated interface must not create obstacles, and then provides a non-exhaustive list of examples. However, the position is not clear: if a bank's dedicated interface features one of the examples above, will it immediately be considered an obstacle?

John Salmon said:

"While it has been understood that the banks should not provide obstacles to the proper function of the TPPs and that the proviso for the dedicated interface makes sense, the purpose of the examples used is very unclear."

Further amendments worth noting

On the other key points raised by the EBA in its June 2017 response to the Commission's earlier proposed amendments to the RTS:

  • The audit of security measures can be carried out by an auditor with expertise in IT security and payments and operationally independent within or from the payment service provider;
  • The creation or amendment of the Trusted Beneficiaries list must take place through the payer's bank. This supports the view that a TPP does not have the ability/right to create or amend that list; and
  • There is a new exemption from SCA for payers that are not consumers. Competent authorities must be satisfied that the payment methods guarantee at least equivalent levels of security to those provided for by PSD2.

The EU Council and Parliament now have 3 months to object to the RTS (unless they have both informed the Commission of their intention not to raise objections). If neither institution objects, the RTS will be published in the Official Journal of the EU and will enter into force on the following day. It will apply 18 months after that date, so this is likely to be September 2019 at the earliest.
