Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2


Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

Intuit fully supports the aims of PSD II to open up the EU payments market and harmonise rules for all payment services in the EU. We agree that there is a need for strong customer authentication and agree with the EBA’s reasoning on the requirements for strong customer authentication.
Intuit would, however, urge the EBA to ensure that strong authentication requirements are proportionate and appropriate to the need, and do not adversely impact the potential for ongoing innovation in service to customers. For example, the draft RTS requires SCA to be applied “each time” a payment user initiates a payment transaction. Running an authentication process each time the customer makes a payment may not be necessary; rather, illustratively, providing them with an authentication token would not only maintain security standards but also allow for innovation. Non-prescriptive requirements that are proportional to the need, while permitting continued innovations and improvements in security and service delivery, would best advance a thoughtful policy balance that serves the multiple needs and expectations of European consumers.

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

Intuit agrees with the EBA’s reasoning that the requirements should remain neutral. However, we would call on the EBA to provide more clarity to the wording in Article 2 of the draft RTS to take account of a write-access API.
Article 2.2 is perhaps too prescriptive at a detailed level regarding ‘dynamic linking’. This type of security requirement may be best put forward in terms of desired public interest outcomes, with detailed execution accomplished through continuous innovation and improvement over time rather than via a static solution required of Account Information Services Providers.

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?

Intuit is not currently aware of any additional threats, other than those listed in articles 3, 4 and 5 of the draft RTS.

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

Regarding frequency of access and re-authentication, Intuit is concerned about the exemption for Account Information Services (AIS) providers when strong customer authentication is required. Here the AIS providers’ customer(s) will have to re-authenticate on a monthly basis. This may result in AIS providers not using APIs.
Intuit believes there should be no expiry of access as the customer is free to cancel the access at any time.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

Intuit does not have concerns with the list of proposed exemptions, but would highlight again that SCA requirements should not impede innovation. It will be important for the EBA to define what it means by these exemptions so as not to create confusion within the industry and, in effect, limit innovation.

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?

Intuit agrees that the confidentiality and integrity of the payment service users’ personalised security credentials are of utmost importance. The EBA’s reasoning in the draft RTS would appear to sufficiently address the issue and ensure no unauthorised use of the personalised security credentials and of authentication devices.

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

Intuit fully supports the core aim of PSD II to open up the EU payments market. We therefore support common and secure open standards of communication.
However, Intuit is concerned by the wording of Article 19 of the draft RTS and the notion of a ‘dedicated interface’. We urge the EBA to reflect carefully upon the draft RTS to ensure that open access to APIs is not impeded. Providers of Payment Initiation Services (PIS) should have the ability to offer services based on open access and should not be tied to a dedicated interface imposed upon them. Open access to APIs for PIS providers would ensure direct access to a payer’s account. However, the notion of a dedicated interface would suggest only ‘indirect’ access to a payer’s account. Intuit is concerned that this would be moving away from one of the very core goals of PSD II, to open up the EU payments market.
Furthermore, Article 19 (3) of the draft RTS shifts the responsibility to define common and secure open standards for communications to third parties. Intuit believes these standards should be clarified and defined by the EBA. We also believe these standards must ensure direct and open access.
In order to ensure the core aims of PSD II are reached (i.e. an open market, increased competition and innovation), there needs to be legal certainty for all players involved in the payment services market.

Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?

ISO 20022 is a bank-to-bank communication standard. Intuit would, therefore, question whether ISO 20022 is the best standard available for a communication interface. The EBA should also carefully reflect on whether the wording of Article 19 (3) of the draft RTS would impede direct and open access to payment accounts, given the reliance on i) a potentially unsuitable and outdated standard; and ii) the perceived delegation of powers to third parties to develop standards of communication.

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services?

Intuit would urge the EBA to consider how countries outside the EU would perceive the adoption of e-IDAS identification services. We would propose that the draft RTS remain neutral as regards the identification technology.

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieves an appropriate balance between allowing AISPs to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.

Given the fact that the nature of different businesses will require varying access to data, and the fact that the data is used to service the customer, Intuit believes that there is no need to limit access to data. Any limit to data access could be to the detriment of the customer. Instead there should be Guidelines issued on the responsible use of APIs.

Please select which category best describes you and/or your organisation

Other

If you selected "Other", please provide details

Technology company

Please select which category best describes the services provided by you/your organisation

Other

If you selected "Other", please provide details

Financial management software

Name of organisation

Intuit, Inc.