Response to public hearing on the Consultation paper on the amendment of the RTS on SCA&CSC under PSD2
Q1. Do you have any comments on the proposal to introduce a new mandatory exemption for the case when the information is accessed through an AISP and the proposed amendments to Article 10 exemption?
When conceiving the RTS on SCA and secure communication, we believe the EBA was right in considering that exemptions to the SCA requirement should be of a voluntary nature: ASPSPs indeed bear the ultimate responsibility of safeguarding their clients’ accounts and protecting them from unauthorized access or fraudulent transactions. In the specific case of account information services, the PSD2 and the RTS ensure that access to payment account data is secured by specific processes that protect the integrity of these data: AISPs are indeed supervised entities that, through contractual arrangements, access their clients’ payment accounts to provide aggregated data on a regular basis. We therefore agree with the EBA's proposed amendment to make the exemption of Article 10 of the RTS mandatory when payment accounts are accessed through an AISP.
Q2. Do you have any comments on the proposal to extend the timeline for the renewal of SCA to 180-days?
Given the secured framework within which access to payment accounts by AISPs is done, we believe the exemption could have been extended to 1 year instead of 180 days. We nevertheless support the EBA's cautious approach to extend the exemption to 180 days as a temporary measure pending the revision of PSD2: we indeed believe that the exemption granted to AISPs should be amended further and be in direct connection with the contract that binds them with their PSUs. We would therefore propose to replace the requirement to re-authenticate at regular intervals through SCA by a re-authorization process (i.e., re-confirmation of the initial contractual arrangements), as proposed by the Financial Conduct Authority in its latest consultation back in January 2021. The re-authorization will allow consumers to actively re-engage directly with their AISP and confirm their wish to continue receiving aggregation services, even if they do not actively request the information. The timing of such re-authorization could be either 90 days, as proposed by the FCA, or 180 days, in line with EBA’s current proposal. Alternatively, we would propose to draw a parallel with Direct Debits (SDD), in a way that SCA would be required to create the initial mandate and to confirm the PSU's consent for the AISP to aggregate his or her accounts. As for SDDs, PSUs would then exercise their opt-out right when they no longer wish to receive aggregation services from their AISP.