Response to public hearing on the Consultation paper on the amendment of the RTS on SCA&CSC under PSD2
Go back
Febelfin and its members believe that the timing for introducing these amendments is not ideal in view of the upcoming PSD2 review. The PSD2 implementation process has been a long and complex one, partly due to the uncertainties surrounding the regulatory perimeter and the resulting ever "moving" nature of our obligations. It should be avoided that ASPSPs have to implement the change and bear the implementation costs for a potentially very short application frame as one can assume that this will also be the subject of the formal review.
We consider it unacceptable that the exemption becomes mandatory but that the liability frame remains the same. In our view a mandatory exemption is not appropriate as it would not allow banks to apply risk-based approach, to carry out an adequate risk and fraud-management, nor to apply the appropriate protection level to their customers. In our view the liabilities and risks in the PSD2 are today not fairly balanced between ASPSP and PISP/AISP and the proposed amendments to Article 10 would worsen this unbalance as the liability would still sit with the ASPSPs. The entity that benefits from the advantages of SCA exemption should also have the burden of proof and manage the relationship with the customer in case of complaints. Moreover this amendment would not be at the appropriate place under CHAPTER III "exemptions from strong client authentication". In the case of an exemption, we assume that there is a right of choice.
In terms of fraud risk, we consider it important to balance the objectives of convenience and fraud prevention and security, which are also important objectives of PSD2. It should be taken into account that a mandatory exemption from the SCA and an extension of the validity period of the SCA to 180 days could indirectly increase fraud risk, as fraudsters could repeatedly gain unauthorised access during the long period of 180 days, which would allow them to obtain a lot of customer information more easily than today. Even though access to account information may at first sight be considered less risky than, for example, initiating a payment, it should not be forgotten that an increasing number of fraud cases are linked to fraudsters gaining access to detailed data and information about a customer (social engineering).
It should also be questioned and clarified whether the mandatory exemption impacts the contingency measures (fallback) for ASPSP establishing the access interface by means of a dedicated interface and who didn’t apply for a waiver. In our view there are sufficient arguments to justify that the fallback is out of scope: (1) Article 33 of the Regulation with RTS on SCA states that as part of a fallback facility, AISPs shall be allowed to make use of the interfaces made available to the payment service users for the authentication and communication with their account servicing payment service provider (read the customer interface), until the dedicated interface is restored and returns to the legally defined level of reliability and performance. (2) Since the ASPSP is not obliged to apply the exemption in the direct relationship with its customers (optional), it is difficult to expect ASPSP’s to adapt their customer interface when it is used as a fallback. (3) It has never been the intention of the regulator to create a specific fallback interface for AISPs. The ASPSP is not obliged to create a secondary dedicated interface for fallback purposes.
Additionally, independent of the discussion on the fall back, this will lead to a different level playing field between ASPSPs that have chosen to provide a dedicated interface to give access to AISPs to their customers payment accounts and those ASPSPs which opened their Customer Interface to third parties. When an ASPSP does not offer a dedicated interface and opts to give AISPs access via the customer interface, the exemption will have to be applied on a mandatory basis (technically impossible to differentiate). This implies that the latter will have to comply with Article 10(a) and will no longer be able to invoke the optional exemption under Article 10 in its direct relationship with the customer.
We also think it would be necessary to clarify in the amended RTS that the existing 90-SCA grants given before the date of entry into force of the amended RTS remain valid until end of the 90-day period, so during the first three months after the effective date these 90 days grants will expire and upon such expiry the 180 days shall apply.
Q1. Do you have any comments on the proposal to introduce a new mandatory exemption for the case when the information is accessed through an AISP and the proposed amendments to Article 10 exemption?
Febelfin and its members believe it to be unclear if there is a sufficient impact assessment and what the substantial justification is for proposing this change. In the final report on the draft RTS on SCA and CSC EBA/RTS/2017/02, the EBA stated that the 90 days represented an appropriate balance. We lack a substantial analysis of why this is no longer the caseFebelfin and its members believe that the timing for introducing these amendments is not ideal in view of the upcoming PSD2 review. The PSD2 implementation process has been a long and complex one, partly due to the uncertainties surrounding the regulatory perimeter and the resulting ever "moving" nature of our obligations. It should be avoided that ASPSPs have to implement the change and bear the implementation costs for a potentially very short application frame as one can assume that this will also be the subject of the formal review.
We consider it unacceptable that the exemption becomes mandatory but that the liability frame remains the same. In our view a mandatory exemption is not appropriate as it would not allow banks to apply risk-based approach, to carry out an adequate risk and fraud-management, nor to apply the appropriate protection level to their customers. In our view the liabilities and risks in the PSD2 are today not fairly balanced between ASPSP and PISP/AISP and the proposed amendments to Article 10 would worsen this unbalance as the liability would still sit with the ASPSPs. The entity that benefits from the advantages of SCA exemption should also have the burden of proof and manage the relationship with the customer in case of complaints. Moreover this amendment would not be at the appropriate place under CHAPTER III "exemptions from strong client authentication". In the case of an exemption, we assume that there is a right of choice.
In terms of fraud risk, we consider it important to balance the objectives of convenience and fraud prevention and security, which are also important objectives of PSD2. It should be taken into account that a mandatory exemption from the SCA and an extension of the validity period of the SCA to 180 days could indirectly increase fraud risk, as fraudsters could repeatedly gain unauthorised access during the long period of 180 days, which would allow them to obtain a lot of customer information more easily than today. Even though access to account information may at first sight be considered less risky than, for example, initiating a payment, it should not be forgotten that an increasing number of fraud cases are linked to fraudsters gaining access to detailed data and information about a customer (social engineering).
It should also be questioned and clarified whether the mandatory exemption impacts the contingency measures (fallback) for ASPSP establishing the access interface by means of a dedicated interface and who didn’t apply for a waiver. In our view there are sufficient arguments to justify that the fallback is out of scope: (1) Article 33 of the Regulation with RTS on SCA states that as part of a fallback facility, AISPs shall be allowed to make use of the interfaces made available to the payment service users for the authentication and communication with their account servicing payment service provider (read the customer interface), until the dedicated interface is restored and returns to the legally defined level of reliability and performance. (2) Since the ASPSP is not obliged to apply the exemption in the direct relationship with its customers (optional), it is difficult to expect ASPSP’s to adapt their customer interface when it is used as a fallback. (3) It has never been the intention of the regulator to create a specific fallback interface for AISPs. The ASPSP is not obliged to create a secondary dedicated interface for fallback purposes.
Additionally, independent of the discussion on the fall back, this will lead to a different level playing field between ASPSPs that have chosen to provide a dedicated interface to give access to AISPs to their customers payment accounts and those ASPSPs which opened their Customer Interface to third parties. When an ASPSP does not offer a dedicated interface and opts to give AISPs access via the customer interface, the exemption will have to be applied on a mandatory basis (technically impossible to differentiate). This implies that the latter will have to comply with Article 10(a) and will no longer be able to invoke the optional exemption under Article 10 in its direct relationship with the customer.
Q2. Do you have any comments on the proposal to extend the timeline for the renewal of SCA to 180-days?
In terms of the RTS amendments proposed, it is more important to re-consider the mandatory nature of the exemption than the number of days of the exemption, as developed above. In addition to the concerns raised above regarding security and fraud, we wonder if such an extension is in the interest of the customer as the extension to 180 days could have some other undesired effects. For instance when a customer doesn’t want to use the services of an AISP anymore. If he wouldn’t be able to reach the AISP to withdraw his consent, or the AISP doesn’t act on it, the AISP still will have access to the account data for the remaining of the 180 days-period. This increases issues on the third party’s access to payment account from the security and privacy perspectives.Q3. Do you have any comments on the proposed 6-month implementation timeline, and the requirement for ASPSPs to make available the relevant changes to the technical specifications of their interfaces not less than one month before such changes are required to be implemented?
It is important to note that the implementation period needs to consider that most of the implementation burden is on the ASPSP side and that according the RTS an ASPSP first has to provide the technical information 6 months before any change and should allow a test period of 3 months before the actual implementation. For such a change additional resources should be made available and this is part of a year planning. Budgets for the year 2022 are already closed and budgeting these changes for 2022 would be very difficult, therefore implementation in 2023 would be much preferrable.We also think it would be necessary to clarify in the amended RTS that the existing 90-SCA grants given before the date of entry into force of the amended RTS remain valid until end of the 90-day period, so during the first three months after the effective date these 90 days grants will expire and upon such expiry the 180 days shall apply.