With the revised ‘Payment Services Directive’ (PSD2) due to enter into force on 13 January 2018, the European Commission has still to publish the final regulatory technical standards (RTSs) on Strong Customer Authentication and common and secure communication, on which there are currently several differences of opinion.
On 23 February 2017, the European Banking Authority (EBA) published draft RTSs in line with the mandate conferred upon it by the PSD2 Directive. This draft was hailed as a “reasonable compromise” by the industry (see EUROPE 11733), but slammed by consumers who felt that it provided too many exemptions to strong customer authentication (see EUROPE 11732).
On top of the differences between industry and consumers came a more recent disagreement between the EBA and the Commission on the ‘common and secure communication’ plank.
At the centre of this stand-off lies the Commission’s proposal - set out in a letter to the president of the EBA on 24 May of this year - to amend the draft RTSs to authorise the practice of ‘screen scraping’, when the communication interface between banks and third-party payment service providers is not available for more than 30 seconds or does not comply with the obligations applicable to interfaces.
This practice, which consists of giving third parties access to the bank account of a consumer purchasing a product online and making a payment to it, is highly controversial as it gives full access to personal data such as the savings account, insurance policies and loans taken out by the client, without any possibility of the bank asking the client for clear consent.
In its initial draft, the EBA proposed that third parties continue to have access to the client’s bank account on behalf of the client, but through a separate interface created by banks, known as an ‘Application Programming Interface’ and providing access only to the information necessary for the service provided – a practice already used by certain major Internet players, such as Amazon, Google and Facebook, and which has the support of both the industry and consumers.
On 29 June, the EBA replied to the Commission by publishing an opinion in which it explained why it would not agree to this amendment, arguing that it would have a considerable negative impact on the balance recently struck in the draft RTSs. It proposed an alternative aiming to reinforce the requirements set out in the RTSs to make interfaces more efficient, with, for instance, a requirement for banks to define benchmarks and a functional examination of interfaces 18 months after the application of the RTS to ensure that access and information-sharing are working properly.
The European Consumer Organisation (BEUC), which categorically rejects the Commission's preferred option, considers that the best solution would be a standardised European communication interface that would promote competition between banks and third-party payment providers whilst guaranteeing the protection of consumers’ personal data, Farid Aliyev of the BEUC told EUROPE.
Although the Commission will have the last word over the EBA, it still has to put the RTSs to the European Parliament and Council for approval, which they must do within three months.
A number of organisations, such as the European Banking Federation and BEUC, arranged a hearing at the European Parliament on 11 July, for one last attempt to convince the Commission of the need to get rid of the practice of screen scraping. However, according to several European sources, the Commission replied (verbally) that it was maintaining its position. The stakeholders then turned their attention to the MEPs, urging them to adopt the RTSs proposed by the EBA in its initial draft.
Although no date has been set for the final publication of the RTSs, a number of commentators have already raised concerns over the timetable and spoken of a possible delay in the entry into force of the PSD2 directive. (Original version in French by Marion Fontana)