Intuit welcomes the opportunity to comment on the EBA’s consultation EBA/CP/2021/32. As background, Intuit is regulated as an AISP in France and is passported into the other 26 EU countries. Intuit is authorised as an AISP as this allows our customers to connect their payment accounts to our tax and accounting platform, and automate the download of relevant data, rather than manually entering payment transactions into our platform. Our tax and accounting platform for small businesses, QuickBooks, has customers in most EU countries. Globally, Intuit connects to more than 20,000 financial institutions and serves more than 100 million customers through our products. Intuit is strongly supportive of the measures that have been proposed by the EBA but would welcome a broader review to address further fundamental issues of PSD2.
This consultation addresses two areas which are of key concern, though we strongly encourage a broader review to address the fundamental challenges of the existing (re)authentication model.
The inconsistent approach across the European Union is to the detriment of the PSU and risks PSD2 not delivering on its stated goal of enhancing and integrating the internal market for electronic payments across the European Union.
We are pleased that the EBA recognises that, due to the voluntary nature of the Article 10 exemption, some ASPSPs enforce SCA at far shorter time intervals than 90 days. This practice is causing widespread disruption: as an example, on average, for banks that require 24h consent renewal, 18 to 20% of the credentials are in error on a daily basis (compared to 8 to 13% for banks with 90 days consent duration). This 5 to 12 point difference is due solely to expired consent.
As an accounting software provider, we work closely with our professional financial services partners. In a recent survey (November 2021) with an EU-based accounting trade body, we found that as a consequence of strong customer authentication, the accounting profession has seen a significant increase in the number of problems with bank connections connecting to accounting software due to PSD2 requirements. This issue accounts for 75% of incidents.
We note that the EBA has proposed to introduce a rule that allows PSPs to revert to SCA where the PSP has “objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account”. Intuit is concerned that this mechanism could be applied in an inconsistent manner by ASPSPs and thereby limit the application of the new Article 10A. The recitals to the new delegated regulation suggest that this exemption may be applied in conjunction with transaction monitoring. However, transaction monitoring under Article 2 of the RTS is primarily focused on unauthorised and fraudulent “payment transactions” (rather than access), which is not a risk that is strongly associated with AISPs. Intuit’s view is that Article 68(5) of PSD2 provides an adequate mechanism for ASPSPs to cease service provision to AISPs in these circumstances (as noted in paragraph 33 of the consultation), and this separate exemption is redundant at best and, at worst, risks limiting the utility of Article 10A. If the EBA does decide to retain this mechanism, ASPSPs should be required to promptly notify AISPs when they are seeking to apply this exemption, i.e. at the same time that they notify their competent authority.
Intuit supports an interim harmonised approach to implementing a mandatory exemption for SCA, ensuring the customer journey is as frictionless, but importantly as consistent, as possible. We further note that the EBA recognises, in paragraphs 34 and 35, the low-risk nature of AISP services (including as a result of other provisions under PSD2) and we encourage the EBA to keep this in mind as it revises PSD2.
Small businesses are the backbone of the European economy. Increased numbers of small businesses are using cloud accounting software to manage their finances in real time. Connecting their bank accounts to their accounting software is a critical aspect in real-time accounting and improving cash flow for small businesses. More than 50% of small businesses will fail in the first five years of opening their doors. Cash flow is the primary reason for business failure. Good quality, reliable banking data supports small businesses in their decision making and ability to manage cash flow. Continuing to impose any re-authentication requirements on regulated AISPs is harmful to the PSU and overall success of PSD2.
Professional financial services advisors, including accountants and bookkeepers, play a critical role in supporting small businesses to survive and thrive. SCA every 90 days is limiting an advisor's ability to serve their customers. One accounting partner, who serves more than 100 small business customers, has projected losing 8 working days a year in educating and chasing customers to re-authenticate their bank connection. This is played out in an environment where some small business customers do not log on to accounting software but rely on their accountant or bookkeeper to manage their tax affairs on their behalf.
To best support small businesses in managing their finances and meeting their yearly tax obligations, Intuit strongly recommends an interim renewal of SCA of 365 days. This would mitigate in-year tax preparation and allow accountants, bookkeepers and small business owners to plan ahead with greater confidence. We note that in paragraph 42 of the consultation the EBA has observed that some market participants have suggested a one-year renewal timeline but the EBA considered this “too long from a consumer protection perspective.” We would not anticipate that a 365-day renewal process would materially prejudice protection as compared to 180 days, or even 90 days. Furthermore, if the renewal period was extended to an annual process, we believe that any marginally increased risks would be outweighed by the clear advantages of a clearly understood and applied annual renewal process.
Generally, Intuit would encourage the introduction of these rule amendments as soon as possible. Intuit does not have any concerns regarding the proposed 6-month implementation timeline. Intuit encourages the EBA to work with competent authorities and to create a central database which can be accessed by TPPs to view ASPSPs' technical specifications. This will also support compliance with the publication of technical specifications more than one month before the changes are implemented.