Following the Joint Statement between the ECSAs and TPP associations, banks and TPPs now write to provide the European Commission with an update from the Joint PSD2 Task Force. In the Joint Statement, banks and TPPs agreed on some topics, together with progress made so far:
1. The parties agree to call upon ASPSPs to provide contingency relevant documentation in their developer portals, more specifically on TPP identification and use of SCA in such contingency scenario. ASPSPs and TPPs shall collaborate for a coordinated and progressive SCA implementation within the boundaries of the law.
The ECSAs have made this request within their constituency and such documentation will be complemented with registry information as per topic #3 below. Progressive SCA implementation will very much depend on the NCAs’ response to topic #5.
2. The parties agree to call upon ASPSPs and TPPs, to neutrally communicate to PSUs about the changes brought by the introduction of new SCA methods.
3. The parties agree to call upon the ECSA membership to populate and promote transparency initiatives, such as the existing central transparency register maintained by NISP, which contains at minimum the ASPSPs official name, a link to their PSD2 related developer portal and a relevant contact point either email or phone.
The Task Force has held conversations with the three most important API initiatives, i.e. Open Banking in the UK (OB), NextGenPSD2/NISP and STET. The conclusion was that from an EU perspective the current NISP register is the most promising to fulfil the need for a transparency register as meant here. The NISP Steering Committee agreed on 5 September to open up the existing NISP register for all relevant ASPSPs, irrespective of which API initiative they base their APIs on. Next week the ECSAs will communicate this to their constituencies.
4. The parties agree to call upon the TPP’s representative associations to call upon their memberships to intensify testing the APIs that are currently available in developer portals and provide relevant feedback to the ASPSPs.
ETPPA and FDATA have asked their members to intensify testing and requested feedback to be sent to all the ASPSPs concerned and their NCAs. This has been done on an ongoing basis and that final evaluations of sandbox and production APIs will be provided by 13th September 2019, the end of the testing period.
5. The parties agree to call upon the NCAs to use the possibilities given to them within the law to the maximum extent possible to help avoid unintended customer detriment.
ETPPA and FDATA have written to all National Competent Authorities and explained what is in their view required to avoid customer detriment. So far, UK, France and Germany have responded by providing more flexible arrangements post 14 September. It would appear though that some other NCAs are waiting for the EBA to provide guidance and have not yet brought forward arrangements. The EBA does not plan to make any communication on this subject, but that they indicated that national authorities may, at their discretion and subject to the shortest possible period of time, steer a gradual compliance process concerning the implementation of strong authentication on access to online payment accounts. It would be very helpful if the European Commission and EBA could clarify urgently that this is indeed the case and that any decisions on such flexible arrangements lie with each NCA.
6. The parties agree to call upon the relevant authorities to consider urgently the legal possibilities to solve the unintended consequences of 90 day SCA renewal in the context of AIS, taking into account other stakeholder’s views.
Whilst suggestions for alternative pathways for 90 day reauthentication have been provided, it is important that regulatory guidance is provided to enable ideas to be moved from the discussion stage to the standards design phase, and from the design phase to implementation. An industry workshop to focus on alignment between customer experience, regulation and technical delivery organised by the Commission could be instrumental to move this issue forward.
7. The parties agree to continue their constructive dialogue towards the 14 September deadline and agree to maintain the task force referred to in consideration f) to monitor progress on a regular basis.
Ralf Ohlhausen, Vice-Chairman of ETPPA and member of the Joint PSD2 Task Force commented: „It’s good to see progress with our joint bank & TPP activities, but there is a tsunami of problems, which has built up around the implementations of PSD2 APIs and if EBA and NCAs are not acting very quickly now, it will roll over the TPPs by the end of next week. UK, France and Germany seem to be on the case, but we are not seeing much activity elsewhere.”