Response to public hearing on the Consultation paper on the amendment of the RTS on SCA&CSC under PSD2
Go back
We note the derogation to the ASPSP application of the new mandatory SCA exemption detailed in Paragraph 3 of the new Art.10a related to suspected instances of unauthorised or fraudulent access to the payment account. Our members’ experiences suggest that ASPSPs apply varying degrees of rigour to the process of establishing objectively justified and duly evidenced reasons that trigger SCA. Additionally, different national competent authorities (NCAs) in the Union appear to have adopted diverging approaches to the task of reviewing the application of SCA by ASPSPs for objectively justified and duly evidenced reasons. Therefore, we encourage the EBA to work with NCAs in the Union to ensure that the derogation to the new mandatory SCA exemption is (i) Applied in a consistent and non-discriminatory manner by ASPSPs and (ii) Supported by documented ASPSP rationale that is requested and reviewed by national regulators on a regular basis.
We note that the text of the proposed Art.10a limits the scope of the mandatory SCA exemption to payment account accesses through an AISP. The text of Art.10 in the current RTS (CDR 2018/389) did not limit the use of the SCA exemption to a specific authorized third-party provider type (AISP or PISP). There are legitimate payment account information access Use Cases that form part of current PISP customer journeys; these are also impacted by the inconsistent application of the SCA exemption by ASPSPs across the Union. For example, the PISP customer is required to review payment account information and select an account to be debited in the ASPSP domain. Such account information access requests should also benefit from the scope of the mandatory SCA exemption introduced in the proposed Art10a of an amended RTS. Therefore, we encourage the EBA to replace the explicit references to AISPs in Art.10a with references to “payment account access online through an authorized payment service provider”.
EMA members that offer TPP services have experienced significant customer churn rates associated with the current re-application of SCA every 90 days; some members have reported up to 50% of the customer base abandoning their AISP service at that time. It is obvious that such customer churn rates can render AISP service delivery models commercially non-viable. As a result, the attainment of a stated PSD2 objective (enabling the delivery of innovative new services to users in the Union) is now under risk.
We note the EBA rationale underpinning the proposed extension of the time between consecutive SCAs to 180 days as detailed in Par.40-47 of the Consultation Paper. We support the stated EBA objective of striking a balance between the viable delivery of innovative AISP services to PSUs and consumer protection. Ideally the renewal timeframe should be removed altogether, as the impact on the customer experience is still significant, and will continue to cause churn regardless of the time period chosen. However we acknowledge the constraints of PSD2 and that any such changes to this requirement would need to be addressed at Level 1.
In this context, our perception is that the core, relevant Level 1 legal text that defines the criterion for SCA exemptions is PSD2 Art. 98(3)(a). This legal text requires that SCA exemptions shall be based on “the level of risk involved in the service provided”. Our assessment is that there is a Low level of risk involved with the provision of the AISP services that access the limited items in the new RTS Art. 10a (1). As a reminder, these items comprise just account balance and recent payment transaction data; they exclude any sensitive payment data. Our members are not aware of any instances of realized consumer harm associated with the misuse/compromise of AISP services that leverage this limited account information under the current SCA exemption framework. Therefore, we encourage the EBA to consider a longer, fixed time between the required re-application of SCA across all payment account information access request channels. A fixed time of 365 days between required, consecutive SCAs would afford more time to AISPs to (a) Establish a sustainable customer base, (b) Build up customer loyalty through unobstructed service delivery and (c) Educate their customers on the mechanics of completion of a fresh SCA when required. The proposed, fixed 12-month period between consecutive SCAs also maintains a balance between the PSD2 objectives of allowing the delivery of innovative financial services and of consumer protection.
Building on our assessment of the risks associated with the account information services that access the account data detailed Art.10 of the RTS, we encourage the EBA to align the scope of payment transaction data that can be accessed with the fixed time between required consecutive SCAs. As the latter is extended, we would propose that the payment transaction history that can be accessed (by PSUs, AISPs) under the SCA exemption conditions detailed in Art.10/10a of the amended RTS is also extended to match it. This arrangement would simplify the changes to account access interface logic and streamline account information workflow management for AISPs and for ASPSPs.
Q1. Do you have any comments on the proposal to introduce a new mandatory exemption for the case when the information is accessed through an AISP and the proposed amendments to Article 10 exemption?
The EMA supports the EBA objective of removing excessive friction and uncertainty in the delivery of account information services through the introduction of a mandatory SCA exemption to apply in all instances of payment account information access through an AISP. EMA members offering TPP services have experienced significant transaction abandonment rates because of (i) the inconsistent/excessive application of SCA by ASPSPs across the EU and (ii) poorly designed SCA workflows deployed by EU ASPSPs. These have impacted AISP customer experience and endanger the commercial viability of AIS services in the Union.We note the derogation to the ASPSP application of the new mandatory SCA exemption detailed in Paragraph 3 of the new Art.10a related to suspected instances of unauthorised or fraudulent access to the payment account. Our members’ experiences suggest that ASPSPs apply varying degrees of rigour to the process of establishing objectively justified and duly evidenced reasons that trigger SCA. Additionally, different national competent authorities (NCAs) in the Union appear to have adopted diverging approaches to the task of reviewing the application of SCA by ASPSPs for objectively justified and duly evidenced reasons. Therefore, we encourage the EBA to work with NCAs in the Union to ensure that the derogation to the new mandatory SCA exemption is (i) Applied in a consistent and non-discriminatory manner by ASPSPs and (ii) Supported by documented ASPSP rationale that is requested and reviewed by national regulators on a regular basis.
We note that the text of the proposed Art.10a limits the scope of the mandatory SCA exemption to payment account accesses through an AISP. The text of Art.10 in the current RTS (CDR 2018/389) did not limit the use of the SCA exemption to a specific authorized third-party provider type (AISP or PISP). There are legitimate payment account information access Use Cases that form part of current PISP customer journeys; these are also impacted by the inconsistent application of the SCA exemption by ASPSPs across the Union. For example, the PISP customer is required to review payment account information and select an account to be debited in the ASPSP domain. Such account information access requests should also benefit from the scope of the mandatory SCA exemption introduced in the proposed Art10a of an amended RTS. Therefore, we encourage the EBA to replace the explicit references to AISPs in Art.10a with references to “payment account access online through an authorized payment service provider”.
Q2. Do you have any comments on the proposal to extend the timeline for the renewal of SCA to 180-days?
We support the effort of the EBA to extend the time between the requested re-application of SCA for all attempted account information access requests (through an AISP, in direct PSU access scenarios). However, we encourage the EBA to consider a longer fixed time between the required re-application of SCA to at least the maximum possible time permissible within the context of the law. We consider a fixed time of 365 days would be a suitable time frame, given the low risk of fraud risk associated with AIS services. This would allow AISPs to establish a customer base and build up customer loyalty before the first SCA is required. This would also maintain a balance between the PSD2 objectives of allowing the delivery of innovative financial services and of consumer protection.EMA members that offer TPP services have experienced significant customer churn rates associated with the current re-application of SCA every 90 days; some members have reported up to 50% of the customer base abandoning their AISP service at that time. It is obvious that such customer churn rates can render AISP service delivery models commercially non-viable. As a result, the attainment of a stated PSD2 objective (enabling the delivery of innovative new services to users in the Union) is now under risk.
We note the EBA rationale underpinning the proposed extension of the time between consecutive SCAs to 180 days as detailed in Par.40-47 of the Consultation Paper. We support the stated EBA objective of striking a balance between the viable delivery of innovative AISP services to PSUs and consumer protection. Ideally the renewal timeframe should be removed altogether, as the impact on the customer experience is still significant, and will continue to cause churn regardless of the time period chosen. However we acknowledge the constraints of PSD2 and that any such changes to this requirement would need to be addressed at Level 1.
In this context, our perception is that the core, relevant Level 1 legal text that defines the criterion for SCA exemptions is PSD2 Art. 98(3)(a). This legal text requires that SCA exemptions shall be based on “the level of risk involved in the service provided”. Our assessment is that there is a Low level of risk involved with the provision of the AISP services that access the limited items in the new RTS Art. 10a (1). As a reminder, these items comprise just account balance and recent payment transaction data; they exclude any sensitive payment data. Our members are not aware of any instances of realized consumer harm associated with the misuse/compromise of AISP services that leverage this limited account information under the current SCA exemption framework. Therefore, we encourage the EBA to consider a longer, fixed time between the required re-application of SCA across all payment account information access request channels. A fixed time of 365 days between required, consecutive SCAs would afford more time to AISPs to (a) Establish a sustainable customer base, (b) Build up customer loyalty through unobstructed service delivery and (c) Educate their customers on the mechanics of completion of a fresh SCA when required. The proposed, fixed 12-month period between consecutive SCAs also maintains a balance between the PSD2 objectives of allowing the delivery of innovative financial services and of consumer protection.
Building on our assessment of the risks associated with the account information services that access the account data detailed Art.10 of the RTS, we encourage the EBA to align the scope of payment transaction data that can be accessed with the fixed time between required consecutive SCAs. As the latter is extended, we would propose that the payment transaction history that can be accessed (by PSUs, AISPs) under the SCA exemption conditions detailed in Art.10/10a of the amended RTS is also extended to match it. This arrangement would simplify the changes to account access interface logic and streamline account information workflow management for AISPs and for ASPSPs.