The EBA’s Regulatory Technical Standards Provide the “How” to PSD2’s “What”
February 2017 saw the release of the long-awaited draft regulatory technical standards (RTS) on strong customer authentication (SCA) from the European Banking Authority (EBA). The RTS defines the technical framework for implementing PSD2, with a primary focus on SCA and on common and secure communication (CSC) between banks and third parties. In short, PSD2 covers the “what” of the regulation, whereas the RTS defines “how” it is to be done.
Function over form? European Commission amendments to RTS for SCA
In June, the commission suggested several amendments to the RTS. These addressed concerns around the auditing of transaction risk analysis and added a new exemption from SCA for certain corporate payment processes. The amendments also proposed giving the EBA direct access to fraud reports from payment service providers (PSPs), in addition to the aggregated data provided by competent authorities (national financial regulators). Finally, as an additional safeguard for third-party payment service providers (TPPs), the revisions clarified that, should the dedicated communication interface be unavailable or perform inadequately, banks would be expected to let TPPs communicate securely through the customer-facing interfaces as a contingency measure.
The final text of the RTS was confirmed on November 27 and submitted to the European Parliament for deliberation before publication in the Official Journal of the European Union. Scrutiny will begin in earnest in February 2018 and could last three to six months. With PSD2 itself applying from January 2018, the European Commission has confirmed that the deadline for compliance with the RTS will in fact be September 2019.
The ratification process up to this point has been a fine balancing act between functional and non-functional requirements, with all parties trying to find a compromise position on the RTS. Depending on which side of the aisle you sit, be it incumbent banks, TPPs or merchants, there are inevitably good and not-so-good things in the RTS. However, the notion of non-functional requirements (NFRs) is well established in software development and forms the backbone of the common standards on which the final RTS rests.
Finding common ground on non-functional requirements
Non-functional requirements of a payments system typically include performance, availability and security. For a banking application, a major non-functional requirement is 24/7 availability with zero downtime. Hardening systems, adding redundancy and resilience and, above all, adding security are all NFRs on which the commission and the EBA have been striving to find common ground.
The security measures outlined in the RTS stem from two key objectives of PSD2: “ensuring consumer protection and enhancing competition.” The RTS introduces requirements that PSPs “must” observe when they process payments or provide payment-related services. In the context of competition and innovation, the RTS also covers the two new types of regulated service that PSD2 brings into scope: the so-called payment initiation services and account information services.
The commission says it made some “limited substantive amendments” to the draft RTS submitted by the EBA. This was done to “better reflect the mandate of PSD2 and to provide further clarity and certainty to all interested parties.”
PSD2: A quick recap
Looking back at the original brief of PSD2 which set out the framework for the RTS, it is important to remember the main tenets of the directive.
The implementation of PSD2 is intended to make it easier, faster and less expensive for consumers to pay for goods and services by promoting innovation (especially by third-party providers), enhancing payments security and standardizing payment systems across Europe. PSD2 uses three mechanisms to achieve this:
- First, it expands the regulatory purview of the European Union to include new kinds of providers, such as payment initiation and account information services.
- Second, it imposes limitations on transaction fees and stricter rules on refunds to lower transaction costs for consumers.
- Third, and the most disruptive, it requires European banks to open their payments infrastructure and customer data to third-party providers of financial services.
This last mechanism has arguably been the most contentious, and the commission’s amendments go some way to easing the burden on corporate players, at least with regard to direct access. TPPs will be granted access, with the customer’s consent, to customer information through the banks’ infrastructure in order to deliver new value-added services.
Ensuring European payment mechanisms are fit for purpose
To enable bank account access (access to account, or XS2A for short, the basis of payment initiation and account information services), banks are required to offer a communication interface for TPP requests. This TPP interface must provide the same functionality and the same level of support as customers receive when transacting directly with their bank. The EBA has suggested ISO 20022 as a potential candidate for the interface format, but the RTS does not give prescriptive guidance on how exactly XS2A is to be implemented.
Thankfully, individual national regulators have been issuing implementation and compliance guidelines for a few weeks now, so the need to “interpret” the new regulations has been lessened somewhat. Regardless of the adoption challenges ahead, PSD2, and the RTS in particular, are sorely needed to ensure that European payment mechanisms are fit for purpose for the coming decade.