Response to public hearing on the Consultation paper on the amendment of the RTS on SCA&CSC under PSD2
Q1. Do you have any comments on the proposal to introduce a new mandatory exemption for the case when the information is accessed through an AISP and the proposed amendments to Article 10 exemption?
The exemption period could be extended if the same user performs any other authentication action from the same TPP, for example, a payment initiation. Therefore, an active user who performs regular payments that require authentication may not require a new renewal for the AISP process.
Q2. Do you have any comments on the proposal to extend the timeline for the renewal of SCA to 180-days?
The extension of the timeline for the renewal of the SCA to 180 days is an improvement. But we think it would be much more beneficial and convenient for the user not to have a fixed period or require an explicit renewal. We think the user should have easier access to manage the consents or remove the access of any TPP from the very same ASPSP site.
At the moment, the user does not have any means to stop a TPP from accessing their data other than going directly to the TPP, which could be an inconvenience to the user, or waiting for the consent to expire. If the user could access the ASPSP site, check all the TPPs with active consent and select which TPPs to remove their existing consent from, the user would have a much higher level of control over the consents given to different TPPs. This is an existing approach in other systems where OAuth authentication and consent are implemented.