EPIF members would like to raise three key aspects to take into consideration:
1. As the rules on account access are not restricted to AISPs and the current Article 10 is not limited to AISPs, limiting the proposed SCA exemption to AISPs only would have undesirable and unintended consequences for Payment Initiation Service Providers (PISPs);
2. Mandatory SCA exemptions should be applied consistently across the EU;
3. Third party providers, whether these are AISPs or PISPs, should still be able to instruct account-based payment service providers to apply SCA.
Account access exemption should not be restricted to AISPs
Article 10 of the RTS currently does not limit the account access exemption to AISPs only and account access goes beyond the scope of AISPs. Limiting the SCA exemption to AISPs would have unintended consequences on other payment services providers.
A specific example:
There are cases where the actual account to be debited within a bank has been designated by the Payment Initiation Service in its request for payment. In such a PIS journey the same SCA exemption should apply as for a pure AIS. There are no technical barriers to the inclusion of such a use case. In fact this use case would be much more secure than a normal AIS application because the PIS journey is much more narrowly defined.
We do not believe that the current Article 10 limits the SCA exemption to AISPs. We therefore challenge the suggestion that Article 10a limits the SCA exemption to AISPs and not in the broader context of account access. This could lead to undesirable effects for PISPs who also utilise the elements of account access, such as in the example described above.
Should the EBA not follow our argument EPIF would still welcome the proposed changes by the EBA rather than retaining the current status quo.
Making the exemptions mandatory:
We agree with the view laid out in the Consultation Paper that the voluntary SCA exemption has been applied differently by different account servicing payment service providers (ASPSPs). Some ASPSPs have only recently implemented the exemptions and some other ASPSPs have not yet implemented the exemption at all. The voluntary nature of the exemption has led to divergent practices and unpredictable and a non-harmonized experience for the customer. Especially for customers who hold accounts with several ASPSPs, this leads to a bad customer experience. For these reasons, we agree that the exemption should be mandatory.
TPPs should be able to instruct payment services providers to apply a SCA:
As TPPs rely on the authentication process provided by the ASPSPs, TPPs have built their services so as to rely on the ASPSPs authentication solutions. Similar to ASPSPs, TPPs should also be able to revert to SCA if they have objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access. The TPP should therefore be able to instruct ASPSPs, at the discretion of the TPP, to apply SCA for individual customers without impacting the rest of the SCA exemption. Similarly, there should be clarity in the reporting requirements of ASPSPs to regulators why was SCA was invoked and introduce transparency of the decisions taken.
EPIF welcomes the EBA’s consideration to extend the timeline, as well as the rationale for the 180-day proposal in the consultation paper. We believe this to be an excellent step in the right direction; we however strongly believe that 180-days is not enough. Ideally, we would be in favour of having no timeline for the renewal of SCA, as it does not really contribute to security and severely disrupts the customer experience. Indeed, we would note that we have seen extremely low fraud levels after the first successful SCA to establish the AIS relationship. We would also recall that TPPs are payment institutions and therefore regulated entities under scope of the security rules of PSD2 and data protection requirements in the GDPR.
As an alternative, EPIF proposes that the period for re-authentication could be one-year instead of the suggested 180 days.
EPIF is supportive of TPPs being informed one month in advance about the required changes to the SCA requirements.
Regarding the six months implementation timeline, we believe this to be an appropriate timeline.