We believe that, when conceiving the RTS on SCA and secure communication, the EBA was right in considering that exemptions to the SCA requirement should be of a voluntary nature: ASPSPs indeed bear the ultimate responsibility of safeguarding their clients’ accounts and protecting them from unauthorized access or fraudulent transactions. In the specific case of account information services, the PSD2 and the RTS ensure that access to payment account data is secured by specific processes that protect the integrity of these data: AISPs are indeed supervised entities that, through contractual arrangements, access their clients’ payment accounts to provide aggregated data on a regular basis.
We therefore agree with the EBA’s proposed amendment to make the exemption of article 10 of the RTS mandatory when payment accounts are accessed through an AISP.
Given the secured framework within which access to payment accounts by AISPs is done, we believe the exemption could have been extended to 1 year instead of 180 days.
We nevertheless support the EBA’s cautious approach to extend the exemption to 180 days as a temporary measure pending the revision of PSD2: we indeed believe that the exemption granted to AISPs should be amended further and be in direct connection with the contract that binds them with their PSUs. We would therefore propose to replace the requirement to re-authenticate at regular intervals through SCA by a re-authorization process (i.e., re-confirmation of the initial contractual arrangements), as proposed by the Financial Conduct Authority in its latest consultation back in January 2021. The re-authorization will allow consumers to actively re-engage directly with their AISP and confirm their wish to continue receiving aggregation services, even if they do not actively request the information. The interval for such re-authorization could be either 90 days, as proposed by the FCA, or 180 days, in line with the EBA’s current proposal. Alternatively, we would propose to draw a parallel with Direct Debits (SDD), in a way that SCA would be required to create the initial mandate and to confirm the PSU’s consent for the AISP to aggregate his or her accounts. As for SDDs, PSUs would then exercise their opt-out right when they no longer wish to receive aggregation services from their AISP.
The timeline proposed is reasonable in view of the need for ASPSPs to adapt their interfaces to meet the new exemption timeline.