Response to public hearing on the Consultation paper on the amendment of the RTS on SCA&CSC under PSD2

Q1. Do you have any comments on the proposal to introduce a new mandatory exemption for the case when the information is accessed through an AISP and the proposed amendments to Article 10 exemption?

Xero is a leading provider of cloud accounting software to small and medium businesses with over 3 million customers globally. Xero is a registered AISP in the UK and has applied for AISP registration in the EU. At Xero, AIS is used to power a bank feeds integration so that our customers can reconcile their bank transactions with accounting entries on their general ledger. This is important as it gives businesses an up-to-date view of their cashflow and financial position.

Xero strongly agrees that RTS Article 10 should be amended to provide for a new mandatory exemption to SCA when a user accesses their account information via an AISP. Making the exemption mandatory will harmonise the rules across all ASPSPs which will promote competition and deliver benefits to consumers. In the case of Xero’s small business customers, it will ensure that whichever ASPSP they bank with, they will have equal access to the convenience of accessing and reconciling their bank transactions through the Xero platform. This amendment is therefore very welcome.

Q2. Do you have any comments on the proposal to extend the timeline for the renewal of SCA to 180-days?

Many of Xero’s small business customers use an external bookkeeper or accountant to assist them with the day-to-day aspects of managing their finances and therefore rely on their accountant/bookkeeper having accurate information about the business’ financial position. The current requirement in RTS Article 10 requires accountants/bookkeepers to chase their clients at least quarterly (or more frequently if the client has multiple banks or businesses) to log in to Xero (and then their bank) to re-authenticate, or otherwise the accountant/bookkeeper loses access to this information and cannot do its job of assisting small businesses to manage their finances and comply with their taxation obligations. This places a heavy burden on advisers’ time and stops them providing the essential services small business owners need during these challenging times. In turn, this may cause small businesses to struggle with problems ranging from poor cashflow to not being able to file their tax returns on time.

In its consultation on this topic earlier this year (CP21/3), the UK FCA noted that “the interruption in a customer’s ongoing access to a TPP service after failing to re-authenticate could cause consumers and SMEs to make decisions based on out-of-date data, potentially resulting in harm” (see para 3.9). The same paragraph noted that the re-authentication requirement causes significant churn despite customers being satisfied with the service and that this is preventing the full benefits of Open Banking from being realised.

To investigate this further, in 2020 we surveyed 500 accountants/bookkeepers and 98% of them wanted to see the removal of 90-day re-authentication. This is because they are often having to chase clients to re-authenticate and/or having to help them with re-entering their banking credentials. In some cases, clients are even having to share their banking credentials with their accountant/bookkeeper, which compromises the bank account’s security.

While extending the 90-day re-authentication requirement to 180 days is a step in the right direction, it falls well short of what is required in order to fully mitigate the harms outlined above. Small business customers and their advisers will still face the same problems they currently face, albeit (at least) twice rather than four times per year. In order to prevent this, the re-authentication requirement needs to be replaced with a requirement for TPPs to ask customers to re-confirm their consent to their banking information continuing to be shared with the TPP, rather than requiring that the customer re-authenticate by entering their banking credentials again on the ASPSP’s platform. This was the FCA’s proposal, which will likely be adopted in the UK in the coming year. So that EU small businesses can benefit equally, we would strongly encourage the EBA to adopt the same approach.

Q3. Do you have any comments on the proposed 6-month implementation timeline, and the requirement for ASPSPs to make available the relevant changes to the technical specifications of their interfaces not less than one month before such changes are required to be implemented?

Given the seriously damaging impact the 90-day re-authentication requirement is having on small businesses and consumers, Xero urges the EBA to bring about change as quickly as possible, ideally within three months. Doing so is essential to maintaining competition in the market to benefit both consumers and small businesses and deliver on the full promise of Open Banking.

WHAT TYPE OF INSTITUTION OR STAKEHOLDER DO YOU REPRESENT?

account information service providers

Name of the organization

Xero