Response to public hearing on the Consultation paper on the amendment of the RTS on SCA&CSC under PSD2
Go back
Barclays’ support is subject to the proposal remaining as outlined in the consultation, in particular with regards to the proposed safeguards and conditions, including:
- Barclays supports the EBA’s recognition of the importance of SCA as a security feature, and the recommendation to maintain safeguards to ensure the safety of the customer’s data, notably that ‘the exemption would only apply where SCA was applied for the first access to the account information through the AISP, and is renewed periodically’. Barclays agrees that SCA should continue to be applied by the ASPSP the first time a customer accesses the information online with each AISP, and that this SCA should be renewed periodically.
- Barclays supports the EBA’s recognition that there will be instances (e.g. fraud prevention) where ASPSPs may need discretion to apply SCA, outside of the mandatory exemption. As the EBA highlights, under the PSD2, the ASPSP is responsible for performing SCA and bears the liability resulting from unauthorised or fraudulent access or transactions if it fails to protect the security of the user’s data. Barclays agrees that ASPSPs should therefore continue to be able to apply SCA when there is ‘objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access’.
However, should this change to the timeline come into effect, we believe it should be accompanied by explicit guidance provided by the EBA, to ensure that the risk of unintended consequences is fully mitigated:
- The extension of the timeline for the renewal of SCA from 90-days to 180-days would provide the opportunity for prolonged data access by the AISPs. Barclays would encourage the EBA to consider what safeguarding is in place to ensure that AISPs adhere to the principles of data minimisation, and only request the data that they require for their customer proposition. For example, a number of AISP use cases would suggest that data is only required once, for a specific decision (e.g. to perform a one-off credit affordability assessment as part of a lending decision). For this type of use case, AISPs should not actively continue accessing the customer data for the full 180-days (unless they have a clear reason for doing this, and have explicit consent from the customer).
The EBA should be aware that the length of an access token (which is provided to the AISP, to enable them to access the data for a certain number of days without SCA) is hard-coded into the token upon issuance to the AISP. Therefore, there will be a hard switchover to the new token length of 180 days. This will mean that there will be a transition period (of approx. 90 days) whereby both tokens (90-day renewal and 180-day renewal) are being used, depending on which date the token was issued (i.e. prior to, or after, the switchover to the new 180-day tokens). There is no viable alternative to this, and therefore we would encourage the EBA to explicitly address this point, to drive consistency across the market.
Barclays supports the EBA’s proposal that ‘ASPSPs shall make available to AISPs the changes made to the technical specifications of their interfaces required in order to comply with the amending RTS with at least one month ahead of their implementation’.
Q1. Do you have any comments on the proposal to introduce a new mandatory exemption for the case when the information is accessed through an AISP and the proposed amendments to Article 10 exemption?
In principle, Barclays supports the EBA’s proposal to introduce a new mandatory exemption for the case when the information is accessed through an AISP, and the proposed amendments to Article 10 exemption. This will help to encourage harmonisation across Europe in terms of application of the exemption, and therefore drive consistency in implementation and customer experience of financial data sharing.Barclays’ support is subject to the proposal remaining as outlined in the consultation, in particular with regards to the proposed safeguards and conditions, including:
- Barclays supports the EBA’s recognition of the importance of SCA as a security feature, and the recommendation to maintain safeguards to ensure the safety of the customer’s data, notably that ‘the exemption would only apply where SCA was applied for the first access to the account information through the AISP, and is renewed periodically’. Barclays agrees that SCA should continue to be applied by the ASPSP the first time a customer accesses the information online with each AISP, and that this SCA should be renewed periodically.
- Barclays supports the EBA’s recognition that there will be instances (e.g. fraud prevention) where ASPSPs may need discretion to apply SCA, outside of the mandatory exemption. As the EBA highlights, under the PSD2, the ASPSP is responsible for performing SCA and bears the liability resulting from unauthorised or fraudulent access or transactions if it fails to protect the security of the user’s data. Barclays agrees that ASPSPs should therefore continue to be able to apply SCA when there is ‘objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access’.
Q2. Do you have any comments on the proposal to extend the timeline for the renewal of SCA to 180-days?
In principle, Barclays supports the EBA’s proposal to extend the timeline for the renewal of SCA to 180-days.However, should this change to the timeline come into effect, we believe it should be accompanied by explicit guidance provided by the EBA, to ensure that the risk of unintended consequences is fully mitigated:
- The extension of the timeline for the renewal of SCA from 90-days to 180-days would provide the opportunity for prolonged data access by the AISPs. Barclays would encourage the EBA to consider what safeguarding is in place to ensure that AISPs adhere to the principles of data minimisation, and only request the data that they require for their customer proposition. For example, a number of AISP use cases would suggest that data is only required once, for a specific decision (e.g. to perform a one-off credit affordability assessment as part of a lending decision). For this type of use case, AISPs should not actively continue accessing the customer data for the full 180-days (unless they have a clear reason for doing this, and have explicit consent from the customer).
Q3. Do you have any comments on the proposed 6-month implementation timeline, and the requirement for ASPSPs to make available the relevant changes to the technical specifications of their interfaces not less than one month before such changes are required to be implemented?
Barclays would encourage the EBA to extend the implementation timeline to 9-months, to facilitate a smooth transition, and allow for industry collaboration regarding the proposed design specifications. This will provide sufficient time for industry to design, build and test the implementation, particularly given the additional complexity for providers that are active in both the EU and UK markets, given the different approaches being proposed by the EBA and FCA, which may require existing technical implementations to be adapted to support the distinct requirements across both markets.The EBA should be aware that the length of an access token (which is provided to the AISP, to enable them to access the data for a certain number of days without SCA) is hard-coded into the token upon issuance to the AISP. Therefore, there will be a hard switchover to the new token length of 180 days. This will mean that there will be a transition period (of approx. 90 days) whereby both tokens (90-day renewal and 180-day renewal) are being used, depending on which date the token was issued (i.e. prior to, or after, the switchover to the new 180-day tokens). There is no viable alternative to this, and therefore we would encourage the EBA to explicitly address this point, to drive consistency across the market.
Barclays supports the EBA’s proposal that ‘ASPSPs shall make available to AISPs the changes made to the technical specifications of their interfaces required in order to comply with the amending RTS with at least one month ahead of their implementation’.