Status Of EBAs 11 PSD2 Work-Streams - Yikes! Still so much to do !

PSD2 takes effect in Jan 2018 – in less than 4 months time and the EBA still has a lot of work to complete. Whilst the controversy around the RTS on Strong Customer Authentication & Secure Communications (SCA & SC) is well documented, the EBA has a total of 11 work streams to complete. This article provides an update on the current status of each.

Just as a recap, PSD2 text, referred to as Level 1 text, mandated the EBA to develop more detailed, or level 2 text, in 11 specific areas.

EBA has followed as standard process: A consultation stage during which industry stakeholders are invited to provide feedback on a draft version of the text. Based on this feedback, the EBA then publishes a final draft of the text which is submitted to the EU council and parliament for scrutiny before being adopted by the European Commission (EC) which is normally done by way of publication in the Journal of the European Union.

As of today, the EBA has submitted a total of 6 to the EC, of which only 3 have so far been formally adopted and 3 are yet to be adopted. The latter includes the RTS on SCA & SC. The remaining 5 are all still under development with 2 still at the public consultation stage. Details of these groups are set out below.

Group 1 – Final & Adopted By European Commission

#1 – GL on PI Authorisation

• This sets out guidelines for information to be provided for authorisation or registration by existing and new payment institutions (PI) including those seeking to provide Payment Initiation Services (PIS) or Account Information Services (AIS).
• Because PSD2 requires additional information to be provided, existing as well as new applicants will in effect need to gain re-authorisation / re-registration.
• EBA published its Final Guidelines on 11 July 2017 and these will apply from 13 January 2018.
• Here is the relevant EBA page.

#2 – GL on PI Insurance For PSPs

• One of the new licence requirements is that all firms must have appropriate professional indemnity insurance or a comparable guarantee.
• These EBA guidelines set out the criteria (in the form of a formula) that Competent Authorities should use to stipulate what the minimum monetary amount of PI insurance should be.
• The EBA published its Final Guidelines on 7 July 2017 and these will apply from 13 January 2018.
• Here is the relevant EBA page.

#3 – GL on Incident Reporting

• These guidelines define & determine when a major security incident must be notified to the Competent Authority. It also provides a template that payment service providers should use for notification & sets out reports which must be sent during the incident.
• The EBA published its Final Guidelines on 27 July 2017 and these will apply from 13 January 2018.
• Here is the relevant EBA page.

Group 2 – Final Draft Published By EBA But Yet To Be Adopted By European Commission 

#4 – RTS on Strong Customer Authentication & Secure Communications

• This is the most controversial and publicly debated RTS. Whilst the Final RTS was published by the EBA on 23 Feb 2017, in a controversial move, the European Commission disagreed with parts of it and announced its intention to amend the text. On the 29 June 2017, the EBA subsequently published a response to the EC in which it voiced “its disagreement with three of the four concrete amendments” the EC proposed. There has been little movement since and as it stands, the EC have yet to formally adopt the Final text or publish any revised text. The situation is of particular concern because, as opposed to most of the RTS/GLs, this RTS will not apply for another 18 months after adoption by the EC.
• The RTS is made up of two elements. The first set are RTS on Strong Customer Authentication which is a two factor authentication method and procedure required for most electronic transactions above €30. The controversy here has been on exemptions and in particular the use of transaction risk analysis (otherwise known as risk based authentication) as an alternative. This now features in the final RTS and the topic appears settled.
• The second set deals with the so called interfaces that banks will be required to develop and support to allow PIS and AIS to access accounts. In particular, the debate continues around whether screen scraping should be permitted in addition to or as an alternative to APIs. Whilst well-functioning APIs are preferred by all, the fintech community are, for many reasons, concerned that (in the short term) this may not be achieved and wish therefore that screen scraping is permitted as a alternative. The EBAs final text banned screen scraping, yet the EC sought ways to reintroduce it. As it stands the situation is unclear and the topic is not settled. A more detailed analysis of the debate is provided in my previous blog as well as a discussion of the consequences of the delay from a Brexit point in this blog here).
• Here is the relevant EBA page.

#5 & 6 – RTS on Passporting Notification & RTS on Supervision

• This RTS provides the framework for cooperation, and for the exchange of information, between Competent Authorities of the home and of the host Member State.
• The EBA actually published its Final RTS back in 14 Dec 2016. However, these have yet to be formally adopted by the European Commission. Once adopted they will apply 12 days later (i.e. immediately).
• Here is the relevant EBA page.

Group 3 – Still Under Development But Public Consultation Closed

#7 – GL on Complaints Procedures

• These guidelines set out the process for how payment service users (i.e. consumers) submit complaints to their Competent Authority with regard to PSPs’ alleged infringements of the PSD2.
• Although the EBA closed its public consultation on 16 May 2017, it has still not yet published its final GL. These are however required to apply from 13 Jan 2018.
• Here is the relevant EBA page.

#8 – GL on Operational & Security Measures

• This GL deals with the requirements in relation to the monitoring, detection and reporting of security incidents and risks.
• The EBA closed its public consultation on 7 Aug 2017 but has still not yet published a final GL on the topic. These are however required to apply from 13 Jan 2018.
• Here is the relevant EBA page.

#9 – RTS/ITSs on EBA Register

• This is another sticky subject matter. The RTS sets out how the EBA intends to develop, operate and maintain an electronic central register of PSPs and the information t be contained in it and Competent Authorities of each Member State will be required to supply.
• There are several issues here including the fact that some CA do not hold electronic files and so would find it hard to notify the EBA in an efficient and timely manner especially given the level of detail they will be required to submit the central register.
• Another issue is who has access to the register and how access should be achieved to obtain updated information. Following the spirit of PSD2, some stakeholders suggested an API be developed to facilitate this. The EBA has so far decided against this in favour of a manual approach – a more cost effective approach of developing and maintaining the register, yet most likely more expensive and less efficient for those seeking to access the register. The debate continues.
• We await the outcome of the public consultation which the EBA recently closed on 18 Sept 2017. The RTS/ITS are required to apply from 13 Jan 2018.
• Here is the relevant EBA page.

Group 4 – Still Under Development With Public Consultation Still Open

#10 – RTS on Central Contact Points

• This RTS clarifies the circumstances in which the appointment of a central contact point is appropriate and the functions of those central contact points.
• This RTS applies to situations where PIs choose to operate in other EU territories through agents under the ‘right of establishment’. Accordingly, in some of these cases, the host Member State can require the PI in question, whose head office is situated in another Member State, to set up a ‘central contact point’ in their territory. The objective is to ‘ensure adequate communication and information reporting on compliance’ and to ‘facilitate supervision by competent authorities.’ The RTS specifies exactly when a central point of contact is required.
• The EBA is about to close (has just closed) its public consultation on 29 Sept 2017. The RTS is required to apply 12 days after adoption by the EC.
• Here is the relevant EBA page.

#11 – GL on Fraud Reporting

• This GL clarifies requirements for fraud reporting by PIs to CA. In particular it specifies what fraud related statistical data needs t be monitors and reported.
• The EBA is still running its public consultation until 3 Nov 2017 giving it presumably little time to publish the final RTS GL which is set apply on 13 January 2018 (i.e. immediately).
• Here is the relevant EBA page.