While we generally understand the rationale behind the proposed mandatory exemption, it is worth noting that the proposed change will no longer allow the ASPSP to choose its risk appetite with regard to how often SCA is requested. The increase from 90 to 180 days between each SCA could increase the potential risk that the ASPSP is considered liable for. The EBA should therefore monitor the proposed exemption closely.
As such, if the ASPSP is currently requesting SCA more often than every 90 days, by design as a risk-mitigating factor, the ASPSP may want to consider revisiting whether the other risk-mitigating factors (such as the monitoring mechanisms) currently in place should be tightened, e.g., if it will lead to more fraud or data breaches.
According to the proposed article 10a (3): “payment service providers shall be allowed to apply strong customer authentication where a payment service user is accessing its payment account online through an account information service provider and the payment service provider has objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account.”
However, the Consultation Paper does not give much guidance as to what could be “objectively justified and duly evidenced reasons” other than what is stated in section 32 of the CP. More guidance would be appreciated in order to ensure consistent application of the exemption.
We also stress that we agree that the exemption for direct access by the customer (article 10) should remain voluntary, as each ASPSP should be allowed to choose how to communicate with their customers.
No.
We believe that a development period of at least 9 months (including the 1 month notification period) is more prudent. The development of banks will differ - but it is critically important that enough time is allowed for changes to be properly implemented so as not to disturb ongoing business. This amendment to the RTS will also be a divergence between the UK rules and the EU rules and may result in significant development in banks that are currently using the same systems to allow access to UK TPPs to UK accounts and allow access to EU TPPs to EU accounts. Again, it is vital that sufficient time is allowed to prepare and test the systems.