We think this mandatory exemption will help to create a harmonized experience for PSUs and AISPs in the market. Hence, ING Bank has implemented the art. 10 exemption for Account Information Services. A harmonized and coherent approach to this issue will allow all market participants to plan future-proof implementations, which is even more critical in the case of international, cross-border solutions.
In our opinion, the intention of PSD2 and the RTS on SCA&CSC is to enable a level playing field and to stimulate innovation; it also sets technical standards for a safe and secure environment in which consumers can use these new financial products that were not available in the market before the introduction of PSD2.
In the consultation paper, three options have been considered to change art. 10. Of these three options, the proposed one puts a lot of effort, burden and cost on the bank side, while there are no benefits related to this solution for banks. As ING Bank we have invested hugely in the past five years to develop and set up an organizational structure so that AISPs can access accounts in an easy and secure manner, with no possibility of a return on investment and with continuous running costs under the regulations. With the proposed changes we feel that the level playing field between ASPSPs and PSD2-licensed third party providers will be worsened.
Furthermore, the proposed change will lead to technical changes that will need to be implemented. These changes will have an impact on the screens that are presented to users of either our online web channel or our mobile channels (including different operating systems such as Android and iOS). Since ING is present in 16 European countries, these changes are substantial. Regulatory changes such as changing the 90 days to 180 days also mean that our change management capacity will need to focus on this and will have less capacity to work on new innovative products.
On the technical standards on strong customer authentication to access payment accounts, ING's position is that it is a must-have for ASPSPs to validate and authenticate users when they use AIS-related services for the first time and as part of re-authentication. From a security point of view, this contributes to security and fraud mitigation. We are therefore of the opinion that it is important to keep strong customer authentication as a must-have within the proposed change, to create a safe and secure environment for our customers. We believe that 180 days is the maximum period to which art. 10 should be extended in order to be able to prevent fraud and ensure security.
At EBA's hearing, ING provided feedback on question 3 of the consultation paper and was asked by EBA to state this feedback as clearly as possible as part of our response to the consultation paper.
Our question: How should ING interpret the legal implementation timelines as proposed in the consultation paper and in the draft amendment of RTS article 10, in the context of the necessary technical implementation at ING?
The background of this question is that, in ING's operational processes and in the technical implementation of the current art. 10, we record via a mandate (grant) that the PSU does not have to re-authenticate for a period of 90 days. Because the user sees this 90-day period in the consent customer journey and approves it, we cannot change it afterwards in our administration.
ING follows the OAuth 2 industry standard for our security. On the technical side, this process creates a pair of access and refresh tokens that are shared with the AISP. The access token has a time to live of 5 minutes and the refresh token has a time to live of 90 days. In line with OAuth 2, an AISP can use this refresh token to obtain a new access token when the access token expires. The time to live of a refresh token cannot be changed after it has been shared with an AISP, and the refresh token will therefore expire after the 90 days.
With respect to the effective date, we interpret the timelines such that the 180 days can only be made applicable as of the effective date of art. 10 (6 months after the entry into force). Grants and OAuth 2 tokens that have been provided before that date are valid for 90 days at most, so during the first three months after the effective date these 90-day grants will expire; upon such expiry the 180-day period shall apply. We would like to receive guidance on whether this interpretation is correct and on how to deal with the transition period from a technical perspective.
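The token and grant behaviour described in the three preceding paragraphs, modelled as an added illustration that is not ING's code and not part of the consultation response: a grant is issued with the period in force on the day of consent (90 days before the effective date, 180 days on or after it), its expiry is never extended afterwards, the short-lived access token is renewed from the refresh token until the grant expires, and an expired refresh token forces a new SCA, after which the new grant gets the 180-day period. The effective date used in the walkthrough, the in-memory store and the token formats are assumptions for the example only; the 5-minute, 90-day and 180-day values are the ones stated on the page.

```python
"""Hypothetical ASPSP-side model of art. 10 grant lifetimes across the
90-day -> 180-day transition. Added illustration; not ING's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

ACCESS_TOKEN_TTL = timedelta(minutes=5)   # access token TTL stated on the page
GRANT_TTL_BEFORE = timedelta(days=90)     # current art. 10 period
GRANT_TTL_AFTER = timedelta(days=180)     # amended art. 10 period


class ReauthenticationRequired(Exception):
    """The refresh token (grant) has expired: the PSU must perform SCA again."""


@dataclass(frozen=True)
class Grant:
    grant_id: str
    psu_id: str
    aisp_id: str
    issued_at: datetime
    expires_at: datetime  # shown to the PSU at consent; immutable afterwards


class GrantStore:
    """Issues grants with the TTL in force on the day of consent and never
    stretches an existing grant, even after the rule has changed."""

    def __init__(self, effective_date: datetime):
        self.effective_date = effective_date
        self._grants: dict[str, Grant] = {}                  # refresh token -> grant
        self._access: dict[str, tuple[str, datetime]] = {}   # access token -> (grant_id, expiry)

    def grant_ttl(self, at: datetime) -> timedelta:
        """Period applicable to a consent given at time `at`."""
        return GRANT_TTL_AFTER if at >= self.effective_date else GRANT_TTL_BEFORE

    def authenticate_with_sca(self, psu_id: str, aisp_id: str, now: datetime):
        """Called only after the PSU has completed SCA. Returns (refresh, access)."""
        grant = Grant(secrets.token_hex(8), psu_id, aisp_id, now, now + self.grant_ttl(now))
        refresh = secrets.token_urlsafe(32)   # opaque token format is an assumption
        self._grants[refresh] = grant
        return refresh, self._issue_access(grant, now)

    def _issue_access(self, grant: Grant, now: datetime) -> str:
        access = secrets.token_urlsafe(32)
        self._access[access] = (grant.grant_id, now + ACCESS_TOKEN_TTL)
        return access

    def refresh(self, refresh_token: str, now: datetime) -> str:
        """Renew the access token; fails once the grant's fixed expiry has passed."""
        grant = self._grants.get(refresh_token)
        if grant is None or now >= grant.expires_at:
            self._grants.pop(refresh_token, None)   # an expired grant is not revived
            raise ReauthenticationRequired("grant expired; PSU must re-authenticate")
        return self._issue_access(grant, now)

    def access_is_valid(self, access_token: str, now: datetime) -> bool:
        entry = self._access.get(access_token)
        return entry is not None and now < entry[1]

    def grant_for(self, refresh_token: str) -> Grant:
        return self._grants[refresh_token]


def transition_walkthrough() -> dict:
    """Constructed scenario: a grant issued the day before the (assumed)
    effective date, refreshed on day 89 and day 90, then re-authenticated."""
    effective = datetime(2023, 1, 1, tzinfo=timezone.utc)  # assumed date, not from the page
    store = GrantStore(effective)
    t0 = effective - timedelta(days=1)
    old_refresh, _ = store.authenticate_with_sca("psu-1", "aisp-1", t0)
    outcomes = {"old_grant_days": (store.grant_for(old_refresh).expires_at - t0).days}
    # Day 89: the 180-day rule is already in force, but the old grant keeps its 90 days.
    store.refresh(old_refresh, t0 + timedelta(days=89))
    outcomes["refresh_day_89"] = True
    # Day 90: the grant has expired; the refresh must fail and trigger SCA.
    try:
        store.refresh(old_refresh, t0 + timedelta(days=90))
        outcomes["refresh_day_90"] = "accepted"
    except ReauthenticationRequired:
        outcomes["refresh_day_90"] = "reauth"
    # After SCA on day 90 the new grant is issued under the 180-day period.
    t1 = t0 + timedelta(days=90)
    new_refresh, access = store.authenticate_with_sca("psu-1", "aisp-1", t1)
    outcomes["new_grant_days"] = (store.grant_for(new_refresh).expires_at - t1).days
    outcomes["access_after_6_min"] = store.access_is_valid(access, t1 + timedelta(minutes=6))
    return outcomes


if __name__ == "__main__":
    print(transition_walkthrough())
```

The point of the walkthrough is the edge case raised in the question: a grant given shortly before the effective date keeps the 90-day expiry the PSU consented to, so the longer period only takes effect once that grant has expired and SCA has been performed again.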