The TPP community is increasingly pushing for a delay to the regulatory deadline of 14th September 2019 by which date:
- Banks must provide “a dedicated interface” (APIs) for TPPs to get data or initiate payments, which use eIDAS certificates to identify TPPs, and unless exempted, provide a “Fall back mechanism” for business continuity purposes, in the case that an API fails.
- TPPs must stop screen scraping to get data or initiate payments and use the new APIs.
- New rules around Strong Customer Authentication (SCA) come into effect for making payments (including cards) or accessing account information.
While the banks state that they are on time, Tink, a TPP based in Sweden, has published a report stating that they believe “the banks’ PSD2 APIs are far from ready”, and FDATA and the European TPP Association have also produced a list of warnings in their document “The unintended consequences of PSD2”.
The main concerns of the TPPs revolve around:
- Whether or not there are sufficient “Qualified eIDAS certificates” available in the market.
- The difficulty of working with the new SCA processes that will be introduced in some countries. Some countries already have it.
- The quality of the APIs that will be provided.
- The uncertainty from all parties about what the Fall Back mechanism actually is.
- The general need for a transition period to allow migration from the old process to new processes which affect hundreds of TPPs, thousands of banks and millions of end users.
TPPs also point to a heavily caveated ‘additional time’ provision for the implementation of SCA, which was granted by the European Banking Authority in an opinion given on 21st June.
On the 10th of July the EBA, the European Commission and various TPP and Bank stakeholders met to discuss concerns. During this meeting the EBA and EC were clear that delaying the application of the regulatory deadline was not an option; however, they highlighted the importance of clear communication and proposed the creation of a Task Force to look at specific issues. Furthermore, the EBA said that further guidance would be provided on the Fall-back “in due course”.
The process of interpreting the legal texts and turning them into operational requirements and then real IT infrastructure has been insanely complicated, with a multitude of “regulatory technical standards” (which are regulatory but not technical and not standards!), legal opinions on some of these RTSs, further clarifications in the EBA’s “Interactive Single Rulebook Q&A tool” and more clarifications arising from the EBA’s API Working Group.
Given the still-moving target, the industry will require more than a year of ongoing adjustments until we get to the version of APIs that the market expects. This does not mean that PSD2 needs to be delayed, but all parties and regulators will need to show a certain amount of flexibility and understanding after September 14th.
Open Banking Exchange Europe is providing considerable resources to help the industry understand some of the basic issues around implementing PSD2 Access to Account. We provide a regulatory directory for ASPSPs to check TPP licenses, as well as ongoing publications and guidance on topics from understanding eIDAS certificates to electronic signatures. Public resources are available here.