Six months ago, I published a state of play article on PSD2 Access to Account (XS2A), which itself followed previous articles from 2016 (here and here).
I thought it was now time for a general update, along with a bit of background on the Open Banking Europe initiative, which we are running.
Regulatory Activity since January 2017
The big focus at the beginning of the year was the content of the EBA’s Regulatory Technical Standards (RTS) for Strong Customer Authentication and Common and Secure Communication. We had a consultation version in August 2016, and a “final Draft” version was delivered in February 2017 to the European Commission. This created a flurry of letters and position papers from both sides of the market complaining about bias – proving that the EBA had succeeded in its self-declared mission of “making everybody equally unhappy”.
The Commission did not accept this version but wrote back to the EBA with their opinion on what the RTS should have contained, and so we have a May 17th version. The debate continues, and we await the version that will be handed to Parliament any day now. If and when this passes through Parliament, after a three-month consultation period, we will then have a compliance date for Access to Account in Q3 2018.
Much of the attention is now on whether banks (ASPSPs) will have to provide a fallback mechanism and whether there is any way to win an exemption from providing such fallback if they deliver a sufficiently good API.
Other EBA RTS for PSD2
I should also mention that the EBA have 9 different mandates for Guidelines and RTS relevant to PSD2. One of them, which was awaited with anticipation, was the RTS on the “EBA Register”. It was hoped that this would be a complete TPP register, which has always been seen as a critical component of providing XS2A services. The EBA were probably aware of some high expectations, because in their introduction they made it clear that this register would not be machine-readable, would not contain all the parties (no credit institutions) and would not take liability. Most parties are now looking elsewhere for their central directory.
The Euro Retail Payment Board (ERPB)
The ERPB is a stakeholder body made up of bodies representing consumers, merchants, banks, other financial players and regulators. It has no legislative power, but meets every six months to review, assess, raise requirements problems, and generally give everyone a voice in Europe’s payments business. They highlighted various stakeholder concerns around interoperability and fragmentation in their 28th of November. Their PIS Working Group then reported back in June with 9 recommendations, including building a directory and requiring that the eIDAS certificates be standardised for PSD2. The group was asked to continue its work, and a second report is expected at the end of November.
eIDAS Certificate Standardisation for PSD2
The RTS require that eIDAS certificates are used for identification, but until now there has been no standard for how the required data will fit in them. ETSI, the European Telecoms and Standards Institute, through the E-Signatures and Infrastructure forum, have created a work program that was signed off at the ETSI plenary on 11th October.
- Official confirmation of the ETSI New Work Item for PSD2 Certificates is here
- Timeline for delivery of the new PSD2 Certificates standards document is here
- Details of the background discussions we had with ETSI for the ratification of PSD2 standards request are here
Over this time various players and groups had been getting together to try and solve the perceived problems of PSD2. I gave a listing in my previous article:
The Open Forum for Open Banking continues its work to foster dialogue.
At least five communities are working on API standards for PSD2. The Berlin Group (EU), STET (French), Open Banking (UK), and the Polish and Slovakian communities are all working on standards for APIs, with the Berlin Group’s work having just gone into a consultation phase which runs until 17th November. At least some of these groups are talking to each other, and the ERPB has started tracking their work through an API subgroup.
The UK Open Banking is worth an article in itself, but those who want to know more about how this fits (or doesn’t fit!) with PSD2 should read James Whittle’s article here.
The Open Banking Exchange Initiative
Amid growing concern that important topics were not being addressed, many financial institutions asked whether PRETA (a wholly-owned subsidiary of EBA CLEARING) could step into the space.
EBA CLEARING and PRETA have a track record of delivering country-neutral, practical solutions that work, especially in the face of new regulatory requirements. As the developers of MyBank we have experience of community APIs based around a central directory, and we have been following the PSD2 for several years. So far, twenty banks from 15 different countries have joined the call, although this number is growing. A service provider program has also just been launched. Without identity, there is no interface and no access, and Open Banking Europe is concentrating on these aspects. Given that there is a general acceptance that a directory is needed, PRETA, through the Open Banking Europe initiative, will provide that directory. Before that can happen, the regulatory data needed has to be cleaned up, and we have started the job of going country by country to understand the gaps between what is needed and what is there today.