Plaid warmly welcomes the EBA’s initiative to review the PSD2 RTS and to enhance access mechanisms that allow the RTS to be more proportionate and fit for purpose in the open banking market.
Plaid agrees that a new mandatory exemption is required for the case when the PSU accesses their account information “through an AISP” pursuant to PSD2 Art. 97(4). This mandatory exemption will allow fair competition in Europe, with the same rules for the same business.
Other points to consider
Clarification on “Background Refresh”
The EBA should clarify that a background refresh cannot be construed to be an instance of the payer accessing their account online, which would ostensibly require SCA as per current PSD2 legislation. Instead, Plaid is of the view that the AISP accessing the payment account online in the absence of the payer actively participating in that process would not require SCA.
As many AISP business models revolve around the authorized retrieval of data from a PSU account several times a day, it can be safely assumed that the PSU cannot be required to be online for each instance of data retrieval. In support of this, we refer to Article 36(5)(b) of the RTS and would like to echo views in the open banking ecosystem that suggest a background refresh cannot be construed to be an instance of the payer accessing their account online, which would require SCA as per current PSD2 legislation.
Article 10 Exemption should be extended to include PISPs
The EBA should extend the Article 10 exemption to include account access by PISPs, as currently only AISPs are specifically mentioned.
The text of Art. 10 in the current RTS (CDR 2018/389) does not limit the use of the SCA exemption to a specific authorized third-party provider type (AISP or PISP). There are legitimate payment account information access use cases that form part of current PISP customer journeys; these are also impacted by the inconsistent application of the SCA exemption by ASPSPs across the Union.
For example, the PISP customer is required to review payment account information and select an account to be debited in the ASPSP domain. Such account information access requests should also benefit from the scope of the mandatory SCA exemption introduced in the proposed Art. 10a of an amended RTS. Therefore, we encourage the EBA to replace the explicit references to AISPs in Art. 10a with references to “payment account access online through an authorized payment service provider”.
Plaid is supportive of the proposal to extend the timeline for the renewal of SCA from 90 days to 180 days but would like to take this opportunity to provide further context for the EBA’s consideration. As the EBA will be aware from previous consultations and contact with market participants, the SCA renewal requirement is a very sensitive one for TPPs such as AISPs, as this is where the most customer churn is seen.
Data from both the market and Plaid’s own experience shows that attrition rates typically range from 20-40% upon renewal of SCA at the 90-day mark. As such, this logic could also reasonably be applied to the 180-day renewal. Although the interval of SCA would change, and attrition would likely decrease slightly as a result, it would still remain a risk for AISPs in their product lifecycles and would continue to present obstacles to PSUs in automating their financial data experiences. With the acknowledgement that the current implementation of SCA under the RTS results in unfavourable outcomes for AISPs, Plaid asks for consideration in extending this time period to, for instance, a one-year period, substantiated by the fact that AIS activities are classified as extremely low risk for fraud and other illegal practices. In the unlikely event that consumer protection issues arise within this period, the EBA could revert to 180 days.
Re-consent model: TPP-controlled
Longer-term, Plaid firmly believes that the responsibility for carrying out re-consent should lie with the AISP/TPP that is accessing payment account data with the consumer’s explicit consent. Consumers have a relationship with the product or service they are using and this should be where they manage their consent, not in the bank’s domain.
TPP-managed consent should ideally occur through a portal approach, where a user can see and manage all their connections. This is the best way to provide consumers with a clear list of (i) TPPs that have access to their payment account data, (ii) the payment accounts they have connected and (iii) the transaction data collected by the TPP.
From a re-consent perspective, TPP-managed consent through a portal would enable consumers to review and actively decide if they want to re-consent or if they want to revoke their consent and have their data deleted (as per GDPR).
Please note, Plaid could meet these obligations through our own consent portal “Plaid Portal”, but other TPPs can choose their own methods to easily replicate these approaches. We would be happy to discuss these proposals in more detail with you.
Plaid welcomes enforcement timelines as they give a clear overview of expectations in the market, and specifically welcomes the one-month notice period in advance of the changes entering into force before the changes take effect in the market. However, given the daily, if not hourly, hindrance that AISPs suffer as a result of the current interpretation of the RTS, Plaid is of the opinion that a 6-month run-up is extremely long, especially in the face of the impending regulatory review of PSD2 and the RTS. This is further compounded by the fact that a switch from 90 days to, for instance, 180 days is, from a technical perspective, unanimously seen amongst TPPs as a very light-touch technical intervention and something that could be very easily effected. In light of the above, Plaid would urge the EBA to reconsider the 6-month timeline and shorten it to 3 months at the maximum, allowing TPPs to enjoy much-needed relief sooner, so as to make better use of the time bridging the amendment and the further PSD2 review.