Response to public hearing on the Consultation paper on the amendment of the RTS on SCA&CSC under PSD2

Go back

Q1. Do you have any comments on the proposal to introduce a new mandatory exemption for the case when the information is accessed through an AISP and the proposed amendments to Article 10 exemption?

While we generally understand the rationale behind the proposed man-datory exemption, it is worth noting that the proposed change will no longer allow the ASPSP to choose its risk appetite with regard to how often SCA is requested. The increase from 90 to 180 days between each SCA could increase the potential risk that the ASPSP is considered liable of. The EBA should therefore monitor the proposed exemption closely.

As such, if the ASPSP is currently requesting SCA more often than every 90 days, by design as a risk-mitigating factor, the ASPSP may want to con-sider revisiting whether the other risk-mitigating factors (such as the moni-toring mechanisms) currently in place should be tightened, e.g.,if it will lead to more fraud or data breaches.

According to the proposed article 10a (3): “payment service providers shall be allowed to apply strong customer authentication where a payment service user is accessing its payment account online through an account information service provider and the payment service provider has objectively justified and duly evidenced reasons relating to unauthor-ised or fraudulent access to the payment account.”

However, the Consultation Paper does not give much guidance as to what could be “objectively justified and duly evidenced reasons” other than what is stated in section 32 of the CP. More guidance would be ap-preciated in order to ensure consistent application of the exemption.

We also stress, that we agree that the exemption for direct access by the costumer (article 10) should remain voluntary, as each ASPSP should be allowed to choose how to communicate with their customers.

Q2. Do you have any comments on the proposal to extend the timeline for the renewal of SCA to 180-days?

No.

Q3. Do you have any comments on the proposed 6-month implementation timeline, and the requirement for ASPSPs to make available the relevant changes to the technical specifications of their interfaces not less than one month before such changes are required to be implemented?

We believe that a development period of at least 9 months (including the 1 month notification period) is more prudent. The development of banks will differ - but it is critically important that enough time is allowed for changes to be properly implemented so as not to disturb ongoing business. This amendment to the RTS will also be a divergence between the UK rules and the EU rules and may result in significant development in banks that are currently using the same systems to allow access to UK TPP’s to UK accounts and allow access to EU TPP’s to EU accounts. Again, it is vital that sufficient time is allowed to prepare and test the systems.

WHAT TYPE OF INSTITUTION OR STAKEHOLDER DO YOU REPRESENT?

industry associations

Name of the organization

Finance Denmark