Response to public hearing on the Consultation paper on the amendment of the RTS on SCA&CSC under PSD2
Go back
Taking into account the experience as a Technical Provider supporting more than 250 Italian ASPSPs through the implementation of the multi-operator dedicated PSD2 interface called “CBI Globe”, CBI is in the view that the major issue that the RTS proposed amendment aims to address is the ASPSPs that decided not to apply the proposed SCA exemption, forcing the PSU to perform SCA on every single access. Such implementation was defined undesirable by some market players and by the EBA itself. In the EBA Opinion on Obstacles (§31), the issue was already addressed, encouraging the National Competent Authorities (NCAs), to encourage all their ASPSPs to make use of the Article 10 exemption, with the aim to minimize friction in the customer journey and to avoid potential obstacles. It follows that the main goal of the RTS proposed amendment is the introduction of a mandatory SCA exemption in case the PSU is accessing the limited payment account information through an AISP.
Since, as specified above, the majority of ASPSPs connected through CBI dedicated interface solution (“CBI Globe”) grants the PSU the benefit of SCA exemption, as provided by the Article 10 RTS, CBI is of the view that the major goal of the Article 10 amendment is already addressed by the ASPSPs integrated with CBI Globe solution. However, considering the major benefit of the SCA exemption on the user experience, CBI is on the view that the implementation could be useful to improve the user experience on solutions that are currently not supporting the 90 days re-authentication of the PSU, in the context of the optional SCA exemption provided by Article 10 RTS.
In 2020, CBI launched the product “CBI Globe – Active Functionality”, assuming the role of a Technical Provider actively supporting Financial Institution (both TPPs, and ASPSPs acting as TPPs) to take the role of AISPs and PISPs, besides the aforementioned role in the implementation of the major Italian dedicated PSD2 compliance interface. Based on the acquired experience, CBI has identified that two frequent use cases for account information services that may be affected by the amendment. These use cases are:
• Account aggregation: the possibility for the PSU to connect all his bank account and cards on a single application; and
• Credit Scoring: the usage of AIS data to evaluate the credit scoring of a PSU, with the aim to offer the subscription of financial product tailored on the acquired data.
Both use cases require the PSU to perform the SCA for renewing the authorization for the account access every 90 days, as provided by the Article 10 RTS. Both use cases would benefit from an extension in the timeline for the renewal of the SCA.
Technically, the majority of dedicated interface implementations translate the Article 10 SCA Exemption requirements in the instrument of the “recurring consent”, an object created after SCA that can store the information on the authorizations granted by the PSU and used in the services request to technically retrieve the account data. Based on CBI experience, this leads to the evidence that, in the aforementioned use cases, the AISP has to use two different types of consents for storing the authorizations granted by the PSU: one to access all the transaction data that may be out of scope of the SCA exemption, exceeding the limit of the last 90 days provided by Article 10, and one more to access the data that are in scope of SCA exemption (i.e. “recurring consent”).
The analysis of the maximum historic depth in the proprietary channels of the ASPSPs connected through CBI dedicated PSD2 interface (“CBI Globe”) shows that 12 months of transactions is usually made available to the PSU in the context of proprietary channels and, thus, via a dedicated interface. Furthermore, based on CBI experience as AISPs Technical Provider, 12 months for the historic view of the transaction list are to be considered are to be considered an optimal timeframe for both account aggregation and credit scoring.
Based on the comments expressed above, CBI is of the view that the amendment of Article 10 RTS should consider three different parameters:
• The timeframe between SCA applications, that the proposed amendment would increase from 90 days to 180 days.
• The historic depth for the first PSU access to account data, in the context of Article 10 SCA exemption, that the proposed amendment leaves unmodified (90 days).
• The historic depth for the following PSU accesses to account data, in the context of Article 10 SCA exemption, the proposed amendment leaves unmodified (90 days).
In particular, considering that 12 months have proved as an optimal timeframe for accessing historic data in the context of the most frequent AIS use cases, and that the following access after the first are finalized to retrieve the new transactions data, having already stored the historic transaction list, CBI has found that the best values for the parameter listed above may be the following:
• The historic depth for the first PSU access to account data, in the context of Article 10 SCA exemption, should be increased to 365 days, with the aim to grant the PSU access to historic transaction data without the need for the AISP to use a dedicated technical instrument and, thus, can benefit of a simplified implementation.
• The historic depth for the following PSU accesses to account data, could remain unmodified or could either be reduced, since the AISP have already retrieved all the data on the previous 365 days transaction list with the first access.
• The timeframe between SCA application should therefore be increased to 365 days, in order to maintain the harmonization with the value of historic depth for the first PSU access to account data: this is important to give the PSU the possibility to access, via an AISP, to 356 days of transactions within a 365-days timeframe.
In conclusion, our proposal for the prescription introduced by the new Article 10a can be summarized as follows:
• The transaction history that can be retrieved with the first access after the SCA is increased to the payment transactions executed in the last 365 days.
• The transaction history that can be retrieved with the following requests is not modified, therefore, the following accesses will grant access to the transactions executed in the last 90 days.
Therefore, we do believe that the timeline for SCA renewal should be increased from 90-days to 365-days, considering it the best trade-off between the need to put some time limitations in order to mitigate the risk of fraud and unwanted access to information and the aim of supporting a frictionless user experience for the PSU, considering the most frequent use cases currently implemented by the AISPs.
However, based on the experience of CBI in implementing the exemption provided by the current Article 10 of the RTS, we believe that the implementation of the proposed mandatory exemption may need a longer implementation period for ASPSPs that do not currently support such optional exemption.
Q1. Do you have any comments on the proposal to introduce a new mandatory exemption for the case when the information is accessed through an AISP and the proposed amendments to Article 10 exemption?
We welcome the opportunity to express our view on the important topics proposed by this consultation.Taking into account the experience as a Technical Provider supporting more than 250 Italian ASPSPs through the implementation of the multi-operator dedicated PSD2 interface called “CBI Globe”, CBI is in the view that the major issue that the RTS proposed amendment aims to address is the ASPSPs that decided not to apply the proposed SCA exemption, forcing the PSU to perform SCA on every single access. Such implementation was defined undesirable by some market players and by the EBA itself. In the EBA Opinion on Obstacles (§31), the issue was already addressed, encouraging the National Competent Authorities (NCAs), to encourage all their ASPSPs to make use of the Article 10 exemption, with the aim to minimize friction in the customer journey and to avoid potential obstacles. It follows that the main goal of the RTS proposed amendment is the introduction of a mandatory SCA exemption in case the PSU is accessing the limited payment account information through an AISP.
Since, as specified above, the majority of ASPSPs connected through CBI dedicated interface solution (“CBI Globe”) grants the PSU the benefit of SCA exemption, as provided by the Article 10 RTS, CBI is of the view that the major goal of the Article 10 amendment is already addressed by the ASPSPs integrated with CBI Globe solution. However, considering the major benefit of the SCA exemption on the user experience, CBI is on the view that the implementation could be useful to improve the user experience on solutions that are currently not supporting the 90 days re-authentication of the PSU, in the context of the optional SCA exemption provided by Article 10 RTS.
Q2. Do you have any comments on the proposal to extend the timeline for the renewal of SCA to 180-days?
Regarding the timeline for the renewal of the SCA proposed for the public consultation, CBI has performed an analysis of the most frequent use cases enabled by the PSD2. The analysis has shown that some different time constraints in this context may be considered to stimulate a significant improvement on user experience for the PSU accessing payment account data through an AISP.In 2020, CBI launched the product “CBI Globe – Active Functionality”, assuming the role of a Technical Provider actively supporting Financial Institution (both TPPs, and ASPSPs acting as TPPs) to take the role of AISPs and PISPs, besides the aforementioned role in the implementation of the major Italian dedicated PSD2 compliance interface. Based on the acquired experience, CBI has identified that two frequent use cases for account information services that may be affected by the amendment. These use cases are:
• Account aggregation: the possibility for the PSU to connect all his bank account and cards on a single application; and
• Credit Scoring: the usage of AIS data to evaluate the credit scoring of a PSU, with the aim to offer the subscription of financial product tailored on the acquired data.
Both use cases require the PSU to perform the SCA for renewing the authorization for the account access every 90 days, as provided by the Article 10 RTS. Both use cases would benefit from an extension in the timeline for the renewal of the SCA.
Technically, the majority of dedicated interface implementations translate the Article 10 SCA Exemption requirements in the instrument of the “recurring consent”, an object created after SCA that can store the information on the authorizations granted by the PSU and used in the services request to technically retrieve the account data. Based on CBI experience, this leads to the evidence that, in the aforementioned use cases, the AISP has to use two different types of consents for storing the authorizations granted by the PSU: one to access all the transaction data that may be out of scope of the SCA exemption, exceeding the limit of the last 90 days provided by Article 10, and one more to access the data that are in scope of SCA exemption (i.e. “recurring consent”).
The analysis of the maximum historic depth in the proprietary channels of the ASPSPs connected through CBI dedicated PSD2 interface (“CBI Globe”) shows that 12 months of transactions is usually made available to the PSU in the context of proprietary channels and, thus, via a dedicated interface. Furthermore, based on CBI experience as AISPs Technical Provider, 12 months for the historic view of the transaction list are to be considered are to be considered an optimal timeframe for both account aggregation and credit scoring.
Based on the comments expressed above, CBI is of the view that the amendment of Article 10 RTS should consider three different parameters:
• The timeframe between SCA applications, that the proposed amendment would increase from 90 days to 180 days.
• The historic depth for the first PSU access to account data, in the context of Article 10 SCA exemption, that the proposed amendment leaves unmodified (90 days).
• The historic depth for the following PSU accesses to account data, in the context of Article 10 SCA exemption, the proposed amendment leaves unmodified (90 days).
In particular, considering that 12 months have proved as an optimal timeframe for accessing historic data in the context of the most frequent AIS use cases, and that the following access after the first are finalized to retrieve the new transactions data, having already stored the historic transaction list, CBI has found that the best values for the parameter listed above may be the following:
• The historic depth for the first PSU access to account data, in the context of Article 10 SCA exemption, should be increased to 365 days, with the aim to grant the PSU access to historic transaction data without the need for the AISP to use a dedicated technical instrument and, thus, can benefit of a simplified implementation.
• The historic depth for the following PSU accesses to account data, could remain unmodified or could either be reduced, since the AISP have already retrieved all the data on the previous 365 days transaction list with the first access.
• The timeframe between SCA application should therefore be increased to 365 days, in order to maintain the harmonization with the value of historic depth for the first PSU access to account data: this is important to give the PSU the possibility to access, via an AISP, to 356 days of transactions within a 365-days timeframe.
In conclusion, our proposal for the prescription introduced by the new Article 10a can be summarized as follows:
• The transaction history that can be retrieved with the first access after the SCA is increased to the payment transactions executed in the last 365 days.
• The transaction history that can be retrieved with the following requests is not modified, therefore, the following accesses will grant access to the transactions executed in the last 90 days.
Therefore, we do believe that the timeline for SCA renewal should be increased from 90-days to 365-days, considering it the best trade-off between the need to put some time limitations in order to mitigate the risk of fraud and unwanted access to information and the aim of supporting a frictionless user experience for the PSU, considering the most frequent use cases currently implemented by the AISPs.
Q3. Do you have any comments on the proposed 6-month implementation timeline, and the requirement for ASPSPs to make available the relevant changes to the technical specifications of their interfaces not less than one month before such changes are required to be implemented?
Considering the impact for the implementation on the dedicated interface “CBI Globe”, run by CBI, supporting more than 250 Financial Institutions with the goal to meet the technical and functional requirements imposed by the PSD2, we agree with the proposed implementation timeline and with the requirement for ASPSPs to make available the relevant changes to the technical specifications of their interfaces not less than one month before such changes are required to be implemented.However, based on the experience of CBI in implementing the exemption provided by the current Article 10 of the RTS, we believe that the implementation of the proposed mandatory exemption may need a longer implementation period for ASPSPs that do not currently support such optional exemption.