French Banking Federation (FBF), the professional body representing banks operating in France

As a preamble, the French Banking Federation would like to say that we do not understand the urgency associated with the proposed changes, which seem highly questionable to us:
• Important changes such as those suggested in the EBA's current consultation deserve a solid, fact-based and comprehensive analysis. No decision should be rushed, all the more so as the European Commission has announced it will conduct an evaluation of PSD2 (announcement made by M. Eric Ducoulombier on 9th November 2021).
• Such haste is all the more questionable as the main rationale for adopting the change is not customer protection. De facto, the level of security would be defined solely by the EBA, leaving EU citizens and companies no option to choose more protection.
• The security policy each bank applies to payment account access is an integral component of its offer and should be respected under the principle of freedom to provide services. There is no reason to artificially create a playing field with different rules for TPP activity.
• If consumers choose to give up an aggregation service rather than perform a smooth SCA every 90 days, it is probably a sign that the service does not bring them enough benefit to bother, or that they have found another solution that is more valuable to them. Changing the SCA rules will not create benefits, unless less protection is considered a benefit.
• Changing the law before the European Commission conducts its analysis and potentially proposes other amendments creates legal uncertainty. It does not encourage the move to the more secure dedicated interface (where one is available, in compliance with Article 31 of the RTS).
In addition, we refer to the legal basis of the EBA's mandate, Article 10 of the Regulation (EU) establishing a European Supervisory Authority. This article strictly specifies that "Regulatory technical standards shall be technical, shall not imply strategic decisions or policy choices and their content shall be delimited by the legislative acts on which they are based":
• We believe that the current proposal to introduce a "mandatory exemption" and to extend the exemption period can be considered a policy orientation intended to give an advantage to TPPs. Introducing a principle of "mandatory exemption" would make the scope of the RTS broader than the perimeter of PSD2. The content of the RTS would therefore go beyond the act on which they are based (PSD2).

We therefore think this proposal goes beyond the mandate given to the EBA, as a "mandatory exemption" would require a modification of PSD2 itself by the European Parliament.
• The wording "mandatory exemption" is misleading. In fact, the proposed amendment would amount to asking PSPs not to apply any SCA, contrary to Article 97 of PSD2, which makes SCA the default principle. Moreover, it reverses this default principle and instead forbids SCA for payment account consultation within a 180-day period. We believe such a change would require a modification of the substance of PSD2 itself, and is therefore not within the remit of the mandate given to the EBA.
• According to Article 98(1)(a) of PSD2, the EBA's mandate is to develop requirements for SCA, not to forbid its application.
• Exemptions from the application of Article 97(1), (2) and (3) are based on the criteria established in Article 98(3) of PSD2, inter alia the level of risk. PSPs therefore base their decision whether or not to use an exemption on the level of risk of each operation. Forbidding PSPs from applying SCA over an extended period of 180 days would prevent them from applying this risk analysis to payment data access. We are then left wondering who would be liable if a data leak occurs within the 180-day period, since PSPs would have been barred from applying the relevant protections.
• If the changes proposed by the EBA are implemented, the immediate consequence would be an arbitrary weakening of the current protection of EU citizens with regard to banking data access:
o On the one hand, because it increases the attack surface for malicious actors or improper conduct, in a context where the European Data Protection Board is stressing that major concerns still need to be addressed in the EC Digital Services Package and Data Strategy (statement dated 18 November 2021), among which:
- the lack of protection of individuals’ fundamental rights and freedoms;
- fragmented supervision; and
- risks of inconsistencies.
o On the other hand, we also draw your attention to the argument used in Section 3.2.2, point 35, as the planned mitigating factors would de facto prove ineffective. Indeed, when an AISP is the main connection point, it may or may not share with the ASPSP the connection information (IP address, browser, etc.) that allows detection of whether a connection is risky. Without the transmission of such information, it is impossible for any ASPSP to fulfil its protective role.
• The French Banking Federation does not believe this change is necessary. Our position is that 90 days was already a good balance between securing data and a smooth customer journey.
• We think this sends the wrong message to customers and citizens, considering (as explained in the "Background" section 3.1.1) that PSD2 mandates SCA to reinforce the security of payments (Article 97 of PSD2).
• In recent years, French banks have communicated extensively with their customers on the need to change their passwords regularly and to be vigilant not to misplace their credentials. Going from 90 to 180 days would be seen as weakening the message previously sent to customers.
• The French Banking Federation does not see at all how this change could be implemented by ASPSPs that chose to expose the secure customer interface (as per Article 31 of the RTS on SCA & CSC). Indeed, such a change implies a development (managing the SCA periods for all the AISPs a client may have chosen) for the sole benefit of competitors.
• Indeed, as clearly evidenced by RTS Articles 32 and 33, the secure customer interface is the reference. The whole logic of PSD2 is that TPPs use "what is available to the client" and "free to use", as "already paid for by the client" to their ASPSP.
• Under RTS Article 31, developing an API (dedicated interface) is a voluntary choice that ASPSPs may make when they believe it provides a better service to their customers. Nevertheless, since the API is precisely dedicated to competitors only, there can be no obligation to develop it free of charge and without a contract.
• Technically, such a change for ASPSPs that did not decide to provide a dedicated interface would require the same level of investment as an API (for its AISP part). Indirectly, this means the EBA would leave them no choice but to develop an API, in clear contradiction with what is stipulated by RTS Article 31.
• So either such a change does not apply when an ASPSP decides, in compliance with RTS Article 31, to expose the secure customer interface, where there is only one SCA period common to all access channels, or the core principle of the law explained above must be changed, mirroring other industries where services can use infrastructure for a fee and under contract. Again, we believe it is not within the remit of the EBA to make such a change of direction in the law.
