What banks should consider for timely implementation.
On 13th January, 2018, the PSD2 came into force and has been the law since then. But there can be no talk of relaxation among banks in Europe, because there is still a lot to do. The regulatory standards for strong customer authentication and common and secure communication, RTS for short, issued by the European Banking Authority (EBA) give financial institutions 18 months to implement them. That sounds like a lot of time, but the first impression is deceptive.
The core element of the RTS is the requirement for an interface for the connection of third-party payment service providers, which include payment initiation services (PIS), account information services (AIS) and payment service providers who issue card-based payment methods. If you do not want to give third-party payment service providers, also known as TPPs (Third Party Providers), access to customer accounts through regular online banking, you have to build a dedicated access interface.
So far so good. However, the challenge is not necessarily in the implementation itself, but above all in the rather ambitious timetable of the EBA. The implementation deadline for the RTS and its associated interface is 14th September, 2019, 18 months after the RTS was published in the Official Journal of the EU. At least that’s what you’ve always thought…
But the first date by which the payment institutions have to deliver is 14th March, 2019, already half a year earlier! The account-providing payment institutions must provide the TPPs with a test environment, including support, six months prior to Go Live, because the whole thing should be tested properly and work properly. In preliminary discussions on the RTS at the EBA, the FinTechs were able to assert their demand that the new PSD2 interface must have the same performance and availability as existing customer interfaces, for example in online banking (keyword: prohibition of discrimination).
But that’s not all. If banks think they have until September 2019, at least for the completion of their interface in live operation and for all the associated organizational measures, they could experience a rude awakening in the coming weeks. BaFin has not yet communicated a concrete date, but if a bank wishes to obtain the waiver from establishing a fallback access in case the actual interface is unavailable, we believe it should rather plan for a Go Live by 14th June, 2019, at the latest. The date has already been mentioned verbally by the authorities at one point or another. One of the four prerequisites for not having to keep a fallback scenario at hand is evidence of at least three months of widespread use of the interface by the TPPs in live operation. Thus, June of next year ends up as the milestone for the provision of the interface; banks and FinTechs will therefore only have 10 months left to implement the requirements. Is this already clear to anyone in the market? Our feeling tells us that not all institutions are aware of the seriousness of the situation.
And what is the consequence if the interface is live on time, but no TPP uses the interface during the three months? That can happen, at least to the smaller houses. The EBA already has an answer for that, too. In this case, the institution must prove that it has done everything in its power to communicate the availability of the interface to the outside world, to actually advertise it: for example, through an appropriate publication on the homepage, via social media channels or in another suitable network. So let’s wait and see how it looks later in practice.
In addition to the tight schedule, there are a few more obstacles that need to be overcome. A controversial topic, for example, is the range of business transactions that a PIS may trigger for the customer via the interface. The opinion of the German Banking Industry Committee (GBIC) and among the associations and institutions has so far been that standing orders and scheduled transfers do not fall under the PSD2. The EBA sees this very differently and has clarified in its Opinion on RTS on 13th June, 2018, that a PIS may trigger exactly the same payment transactions as the customer himself. According to the latest information, which is apparently based on an exchange between the GBIC associations and BaFin on the implementation of the RTS at the end of July, BaFin will follow the EBA’s opinion, and institutions should therefore also include standing orders and scheduled transfers in their scope if they have not already done so. Depending on the system landscape, this change is not an easy task for the banks. The good news is, however, that only the creation and deletion of a standing order by the PIS must be made possible, not the processing or the suspension of standing orders. An inventory report to the AIS is necessary neither for standing orders nor for scheduled transfers. Direct debits remain unaffected by the PSD2.
The Opinion, among other things, made it clear once again that the AIS must be granted access to the same account information that the customer can also see through their online access. This is nothing new. But now this information should also be made available to a PIS on request, namely when the bank has batch booking in use, which probably applies to the majority of all banks in Germany, and the PIS thus cannot confirm immediately upon payment initiation that the payment has been posted. With the help of the account information, the PIS should be enabled to assess the risk of a default on its own. But how should that work in practice? Does the payment initiation service then have the dual role of PIS and AIS in the transaction? Does the bank still need to give it access to the account information without the customer having to do another strong customer authentication? Or do the same requirements and the 90-day rule apply here as in the classic PIS?
There is still a lot of need for clarification. We will continue to follow the latest developments and publications by EBA, BaFin and GBIC with eagle eyes and keep you up to date.