SCA RTS Commission Response - Balancing PSD2's competing objectives

PSD2 is full of competing objectives - enhancing security and customer convenience, increasing competition, achieving technological neutrality, facilitating innovation, creating an integrated payments market - and the SCA RTS requires difficult trade-offs to be made between them. The recent Commission response appears to prioritise customer convenience over competition, innovation and the creation of an integrated market in payment services.

The much leaked Commission amendments to the final draft RTS on secure customer authentication have now been sent to the EBA.

As expected, the changes focus on the exemptions to SCA and the question of access to customer data which is where much of the lobbying since publication of the draft RTS has been directed.

In addition to a raft of clarifications and "improvements" to the drafting there are four substantive changes that the Commission wishes to make to the RTS:

  1. The audit required in relation to the transaction risk analysis exemption in Article 16 should be performed by "statutory auditors";
  2. A new exemption to SCA has been introduced for corporate payments when they use dedicated payment processes and protocols that competent authorities are satisfied achieve the same level of security for payments required under PSD2 (new Article 17);
  3. When using the exemptions to SCA, PSPs should report the outcome of their monitoring and the methodology for calculation of fraud rates to both national competent authorities and the EBA; and
  4. In the event that the dedicated interface provided by ASPSPs is unavailable for more than 30 seconds or its performance is inadequate, AISPs and PISPs should be allowed to access information using the customer interface (Article 33).

In addition to the above, it should also be noted that the exemptions for contactless payments and low value transactions now require PSPs to comply with 3 conditions instead of 2 (a monetary limit on single transactions, a cumulative limit and a limit based on the number of consecutive transactions). The EBA is likely to suggest further clarification on this point to avoid penalising firms that are not able to calculate cumulative payment totals.

It is questionable whether some of the changes – of which the 30 second downtime limit is the most obvious example - will be workable in practice, both for firms to implement and for competent authorities to supervise (not to mention whether the EBA has the requisite authority in some cases). Taken together, they represent serious challenges in terms of development requirements, cost and feasibility and a potentially significant barrier to entry for new AISPs and PISPs who will be faced with increased reporting and audit requirements. We are also likely to see fewer ASPSPs outside of the CMA 9 opting to invest in a dedicated interface as a result of the requirement to provide access through the customer channel, which we expect will significantly reduce the possibility of a standardised interface being developed for use across the EU.

Next steps

The EBA has 6 weeks in which to respond to the Commission's proposals but they are expected to have their opinion finalised by 20 June and re-submitted by the end of the month. The Commission will then either adopt the RTS with any further amendments it deems necessary or reject it.

Back to main blog
Loading data