The EBA’s Regulatory Technical Standards Provide the “How” to PSD2’s “What”
February 2017 saw the release of the long-awaited draft regulatory technical standards (RTS) for strong customer authentication (SCA) from the European Banking Authority (EBA). The RTS defines the technical framework for the implementation of PSD2, with a primary focus on SCA and on common and secure connection (CSC). In short, PSD2 covers the “what” of the regulation, whereas the RTS defines “how” it is to be done.
Function over form? European Commission amendments to RTS for SCA
In June, the commission suggested several amendments to the RTS that addressed concerns around the auditing of transaction risk analysis and added a new exemption from SCA for certain corporate payment processes. The amendments also proposed direct access for the EBA to fraud reports from PSPs, in addition to the aggregated data provided by competent authorities (national financial regulators). Finally, as an additional safeguard for third-party payment service providers (TPPs), the revisions clarified that if the dedicated communication interface is unavailable or performs inadequately, banks would be expected to offer secure communication through user-facing interfaces as a contingency measure.
The final text of the RTS was confirmed on November 27 and submitted to the European Parliament for deliberation before being published in the official journal of the European Union. Scrutiny will begin in earnest in February 2018 and could last between three and six months. With PSD2 on its way in January, the European Commission has confirmed that the deadline for compliance with the RTS will actually start in September 2019.
The ratification process up to this point has consisted of a fine balancing act between functional and non-functional requirements, with all parties trying to find a compromise position on the RTS. Depending on which side of the aisle you sit, be it incumbent (banks), TPPs or merchants, there are inevitably good and not-so-good things in the RTS. However, this notion of non-functional requirements (NFRs) is well established in software development and forms the backbone of common standards around which the final RTS rests.
Finding common ground on non-functional requirements
Non-functional requirements of a payments system typically include system performance, availability and security. For a banking application, a major non-functional requirement is availability of the application 24/7 with zero downtime. Hardening systems, adding in redundancy, resilience and, above all, added security are all NFRs on which the commission and EBA have been striving to seek common ground.
The security measures outlined in the RTS stem from two key objectives of PSD2: “ensuring consumer protection and enhancing competition.” The RTS introduces requirements that payment service providers (PSPs) “must” observe when they process payments or provide payment-related services. In the context of competition and innovation, the RTS includes two new types of services, the “so-called payment initiation services” and the account information services.
The commission says it made some “limited substantive amendments” to the draft RTS submitted by the EBA. This was done to “better reflect the mandate of PSD2 and to provide further clarity and certainty to all interested parties.”
PSD2: A quick recap
Looking back at the original brief of PSD2, which set out the framework for the RTS, it is important to remember the main tenets of the directive.
The implementation of PSD2 is intended to make it easier, faster and less expensive for consumers to pay for goods and services by promoting innovation (especially by third-party providers), enhancing payments security and standardizing payment systems across Europe. PSD2 uses three mechanisms to achieve this:
- First, it expands the regulatory purview of the European Union to include new kinds of providers, such as payments initiation and account information services.
- Second, it imposes limitations on transaction fees and stricter rules on refunds to lower transaction costs for consumers.
- Third, and the most disruptive, it requires European banks to open their payments infrastructure and customer data to third-party providers of financial services.
This last mechanism has arguably been the most contentious, and the amendments from the commission go some way to easing the burden on corporate players, at the very least with regard to direct access. TPPs will be granted consented access to customer information through the banks’ infrastructure to deliver new value-added services.
Ensuring European payment mechanisms are fit for purpose
To enable bank account access (often referred to as payments initiation and account information services, or XS2A for short), banks are required to offer a communication interface for TPP requests. This TPP interface should have the same functionality and deliver the same level of support as for customers transacting directly with their bank. The EBA has suggested the use of ISO 20022 as a potential candidate for the interface format, but the RTS does not provide any prescriptive guidance on how exactly XS2A is to be implemented.
Thankfully, individual country regulators have been issuing implementation and compliant handling guidelines for a few weeks now, so the need to “interpret” the new regulations has been lessened somewhat. Regardless of the adoption challenges ahead, PSD2, and the RTS in particular, are sorely needed to ensure the European payment mechanisms are fit for purpose for the coming decade.