It's just around the corner - Further steps along the journey to developing a compliant dedicated interface

On 4 December the EBA published its Final Report on the Guidelines on the conditions to benefit from an exemption from the contingency mechanism under Article 33(6) of the RTS on SCA & CSC – that is the requirement to build an alternative access route using the customer interface if the dedicated interface fails to perform adequately.

The EBA originally consulted in June 2018 and received significant feedback on the consultation both from TPPs and ASPSPs – the Final Report includes 172 responses to the consultation. In the light of the feedback some significant changes have been made. Although some may be viewed as being helpful in providing certainty to ASPSPs, there is a shift towards more TPP involvement in the exemption process. However, the shift towards TPP involvement probably does not go as far as the TPPs may have wanted.

Key changes include:

  • Timing and the meaning of "widely used" – it is now seems clear that in order to gain the exemption an ASPSP must be able to show data from their live production interface rather than just the test facility. As national competent authorities will need ASPSPs to submit requests for the exemption well in advance of the September 2019 deadline, the production interface may need to be live as early as April 2019. Although timescales will be chosen by the national competent authority this change will present a challenge for many ASPSPs who want to obtain an exemption.
  • Key performance indicators – the EBA have made it very clear that the KPIs must be compared against the best performing customer interface. They have also set out the minimum KPIs in more detail making it clear that the measures are on a daily basis and adding an additional KPI relating to the error response rate.
  • Test facility – the EBA have confirmed that the testing facility should only contain dummy data and should not include any "live" customer data. It should allow TPPs to test their ability to rely on all the authentication procedures provided by the ASPSP. Where an ASPSP is developing its authentication processes to meet SCA requirements by 14 September 2019, although that functionality may not be fully ready for testing by March 2019, the testing facilities should enable TPPs to test the planned SCA scenarios.
  • Obstacles – although the EBA has not accepted all of the TPPs arguments around obstacles and re-iterates that redirection is not necessarily an obstacle it makes it clear that ASPSPs should ensure that their dedicated interface supports all the methods for authentication that the ASPSP provides to its own PSUs. This may require ASPSPs to provide more than one authentication method, in order to ensure for example that biometrics can be used. As part of their application ASPSPs will have to set out their authentication procedures and explain why the methods are not obstacles and do not give rise to unnecessary delay or friction, or include superfluous steps or discouraging language.
  • eIDAS certificates – the EBA recognises that there is ambiguity in the RTS as to which type of certificate can be used, and at whose choice. Further clarity on these questions is promised "at a later stage", which will not help those trying to design their processes now. The EBA also implies that after September 2019, ASPSPs will not be able to check the authorisation status of a TPP on national registers but should rely on the eIDAS certificate. To our knowledge, however, eIDAS certificates will not be able to show authorisation status other than as at the date of issue, which creates an obvious problem for this suggested approach!

With implementation projects now at an advanced stage ASPSPs will need to assess the impact on their project plans as soon as possible. The FCA has indicated that they will issue a statement on the Final Report and they will obviously need to amend their draft Approach Document and draft application forms to reflect the final guidelines. So watch this space…..

Share Back to main blog
Loading data