Although the dissatisfaction expressed by AISPs with the application of SCA can be understood, it is doubtful that the 90-day exemption is the root cause of the issue, and therefore the proposed modification might not solve the issue while other concerns might arise.
Having said this, the proposal to introduce a new mandatory exemption for the case where the information is accessed through an AISP, and the proposed amendments to the Article 10 exemption, are based on two main points that are questionable.
The right to apply the exemption does not arise from the RTS but is intrinsic to it as an exemption to the general rule, considering that PSD2 prescribes that access to the account be secured by the ASPSP applying SCA, whether the user accesses directly or through a third-party provider (AISP). The proposed amendment would hinder compliance with PSD2 by an ASPSP that wishes to apply SCA.
Additionally, it is not the voluntary nature of the exemption that has led to divergent practices across the EU in its application, but the competitive nature of the provision of payment services in Europe and the different approaches taken by PSPs in terms of customer experience, risk appetite and many other factors. Harmonisation must not be understood as uniformity, still less as uniformity as conceived by third parties.
Consequently, the exemption to the application of SCA should not become mandatory, since this would not allow PSPs to carry out adequate risk and fraud management, nor to apply the appropriate level of protection to their customers, leading to undesirable effects and consequences in terms of fraud and scams.
As established by PSD2, the exemptions to the application of SCA in a specific operation depend on the discretion of the ASPSP, which is the one that bears the legal responsibility. In the end, it is precisely the ASPSPs that have the legal responsibility to adequately protect access to their clients' payment accounts. The proposed change would represent a setback in the successful application of SCA in the European environment in terms of risk protection and competition. Any explanation of specific cases should be owed only to the relevant supervisory authority, and only post-transaction and for information purposes.
Contrary to the EBA's view, the proposed mandatory exemption for the particular case where the account information is accessed through an AISP is far from ensuring a level playing field amongst all PSPs, at least not vis-à-vis the customer. It does not add safety to the user's data, nor would it allow customers to decide upon it. From the customer's perspective, there is only one single service, which is access to the account.
Finally, as the proposed amendment reduces the discretion of ASPSPs over their authentication processes, should the amendment proceed, it would be important to ensure that any additional risk that could emerge from this obligation is borne by the third-party AISPs, as the addressees of the proposed amendment, and not by the ASPSPs already complying with the existing requirements.
Current experience is not considered to have been a burden or an obstacle to users when accessing their accounts (it might have been at the beginning, as natural resistance to change), since nowadays it is perceived as a security measure. As such, it is essential to assess it from a fraud prevention perspective and therefore bear in mind that there is no urgency for the current 90-day timeline to be extended.
The opportunity must be carefully analysed, considering the indirect impact that any data breach or misuse of data has on fraud. Nowadays, most scams are initiated through sophisticated social engineering techniques that make use of all the customer data available, whether the victims are consumers or employees of SMEs or large corporations. Payment-related data in the hands of criminals makes it very easy for them to impersonate the bank to the customer, who will trust them simply because of the nature of the specific piece of information they hold.
Additionally, PSPs have carried out a lot of work to raise awareness amongst customers. Changing the rules again could cause a loss of credibility in the sector. The changes proposed in this consultation paper would imply that all entities should perform additional IT modifications and inform their customers accordingly.
Nevertheless, although it does not solve the root problem, if the timeline is to be extended to 180 days as a measure to reduce friction in the customer journey, at least for a longer period, the proposal would be tolerable provided that the exemption applies to any user's access to the account, regardless of whether it is done directly or through an AISP, and provided that the ASPSP retains risk control and can decide whether or not to apply the exemption. The contrary would create mistrust among payment service users and would loosen the rigour of the security measures prescribed by SCA application precisely where the risks are higher and they are most needed. These requirements are needed in order to avoid regulatory asymmetries and competitive disadvantages.
However, this amendment should be complemented in parallel by an extension of the period of transactions that can be consulted without applying SCA. For coherence, it would be easier to extend both limits, which are linked, to 180 days. Changing both limits at the same time would probably ease the communication of this amendment to end users, as well as their understanding of the rule, without harming trust.
In any case, it should be complemented by the need to ensure that customers are able to revoke consent previously given to AISPs. Despite the still limited experience, there is evidence that customers approach ASPSPs to ask for the cancellation of the service, that is, requesting to stop the exchange of information with specific AISPs. Unfortunately, not all accesses have the purpose envisaged in PSD2: access to payment accounts is not always for information consolidation purposes, but also for other objectives such as IBAN validation or credit scoring, where users often consent to a single access as required for another service. Thus, extending the SCA obligation to 180 days would increase the risk of subsequent unauthorised access to users' information by third parties that had been authorised for a single access only.
For the extension purpose, Article 10 of the RTS on SCA&CSC should be amended as follows:
Article 10 - Payment account information
1. Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2 and to paragraph 2 of this Article and where a payment service user is limited to accessing either or both of the following items online without disclosure of sensitive payment data:
(a) the balance of one or more designated payment accounts;
(b) the payment transactions executed in the last 180 days through one or more designated payment accounts.
2. For the purpose of paragraph 1, payment service providers shall not be exempted from the application of strong customer authentication where either of the following conditions is met:
(a) the payment service user is accessing online the information specified in paragraph 1 for the first time;
(b) more than 180 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1(b) and strong customer authentication was applied.
Depending on the final proposal, a longer implementation period than the proposed six months might be required. It is important to note that the implementation period needs to consider that most of the implementation burden is on the ASPSP side and that budgets for the year 2022 are already closed. For the initial proposed amendment (a mandatory exemption for the case where the information is accessed through an AISP) a longer implementation period of one year would be needed. For a solution consisting only of an extension to 180 days for renewing SCA, six months after publication in the Official Journal could be enough.
In any case, the amended RTS should clarify that existing 90-day SCA grants given before the date of entry into force of the amended RTS remain valid until the end of their 90-day period; thus, during the first three months after the effective date these 90-day grants will expire, and upon each expiry the 180-day period shall apply.
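As an added illustration that is not part of this consultation response, the following Python sketches how an ASPSP could encode the amended Article 10 conditions quoted above together with the transition rule for pre-existing 90-day grants; the function and field names and the effective date are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed placeholder for the entry into force of the amended RTS (not a real date).
AMENDED_RTS_EFFECTIVE = date(2023, 1, 1)
OLD_WINDOW_DAYS = 90    # window applicable to grants given before the amendment
NEW_WINDOW_DAYS = 180   # window introduced by the amended Article 10


@dataclass
class AccessRequest:
    """A request to view account information (hypothetical structure)."""
    items: frozenset                      # subset of {"balance", "transactions"}
    history_days: int = 0                 # how far back transactions are requested
    discloses_sensitive_data: bool = False


def exemption_window(last_sca: Optional[date]) -> int:
    """Transition rule: a grant given before the amended RTS took effect keeps its
    90-day validity; grants given on or after that date get the 180-day window."""
    if last_sca is not None and last_sca < AMENDED_RTS_EFFECTIVE:
        return OLD_WINDOW_DAYS
    return NEW_WINDOW_DAYS


def sca_required(req: AccessRequest, last_sca: Optional[date], today: date,
                 aspsp_applies_exemption: bool = True) -> bool:
    """Return True if the ASPSP must apply SCA to this account-information access.

    Paragraph 1: the exemption covers only the balance and transactions within the
    last 180 days, without disclosure of sensitive payment data.  Paragraph 2: it is
    lost on first access (2(a)) or once the window since the last SCA has elapsed
    (2(b)).  The exemption stays voluntary: the ASPSP may always apply SCA anyway.
    """
    if not aspsp_applies_exemption:
        return True                                   # ASPSP keeps risk control
    if not req.items <= {"balance", "transactions"} or req.discloses_sensitive_data:
        return True                                   # outside paragraph 1 scope
    if "transactions" in req.items and req.history_days > NEW_WINDOW_DAYS:
        return True                                   # beyond paragraph 1(b) limit
    if last_sca is None:
        return True                                   # paragraph 2(a): first access
    return (today - last_sca).days > exemption_window(last_sca)   # paragraph 2(b)
```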