EBA Finalises 'Fallback Exemption' Guidelines

Banks will need to “provide evidence” to their national regulator that access interfaces do not provide obstacles to third parties, according to final guidelines issued this week by the European Banking Authority (EBA).

A vital part of incoming regulatory technical standards that accompany the revised Payment Services Directive (PSD2), the guidelines are intended to clarify how national authorities can decide whether or not a bank’s interface — typically an application programming interface (API) — should be approved.

If a bank’s API does gain regulatory approval before the standards go live in September next year, it does not have to provide a contingency access method to third-party providers known as a “fallback” option.

“The EBA acknowledges that the timelines for meeting the conditions for an exemption are tight and, therefore, strongly encourages [banks] to start testing, to launch their production interfaces and to engage with their competent authority as soon as possible before the September 2019 deadline,” it said.

Following a large number of responses to the initial draft, published in June, the authority has chosen to make several changes around the guidelines on obstacles to the provision of third-party payment services.

One of the major flashpoints has been around the authentication method that end users go through to use a payment initiation or account information service.

Under the earlier text, banks were instructed to give a summary of access methods chosen and an explanation of why it does not constitute an obstacle.

That must now be provided “together with evidence that the dedicated interface does not give rise to unnecessary delay or friction in the experience available to the [users] when accessing their account via a [third-party provider]”.

APIs would also fail to gain approval if they involve “unnecessary or superfluous steps or the use of unclear or discouraging language”.

A demand that IT processes cannot “directly or indirectly dissuade” customers from using third-party providers has also now been specifically reworded to refer to the authentication process.

The authority explained that the demand for banks to provide evidence that no obstacles exist is because “the assessment of the customer experience implies a certain degree of subjectivity”.

“The EBA also agrees that ‘a confirmation’ may not be best suited,” it said.

Third-party providers have been vocal in their concerns that a complex or convoluted customer journey could kill their businesses outright, as consumer drop-off would likely soar.

The redirect model, where customers are forwarded onto their online banking screen or banking mobile app, has been the focus of many complaints — although the EBA has continued to insist that redirection is not in itself an obstacle to third parties.

Although the additional demand for evidence is likely to assuage those fears to an extent, the final guidelines still insist that the third-party authentication has to be as good as that provided directly to the customer by their bank; some argue that is not enough to allow them to differentiate the services they offer.

Testing, Availability And Real User Data

Other noteworthy changes relate to the testing that APIs must undergo to gain regulatory approval.

Although the standards do not take effect until September 14, 2019, there is a minimum six-month testing period that effectively creates a secondary deadline of March. In addition, banks must demonstrate “wide usage” by third-party providers for at least three months beforehand.

After concerns from within the banking sector that initial testing with actual customer data could pose a security risk, the EBA has confirmed it can take place in “a secure, dedicated testing environment with non-real [user] data”.

There is also clarification that firms implementing a “market initiative” — a set of standards developed collaboratively across the industry, such as the Berlin Group, France’s STET or the UK’s Open Banking projects — can submit information arising from the testing facilities they provide.

Another area of controversy was that banks were instructed to make interface availability statistics public, relating to both their third-party provider interface and those offered directly to customers.

Some argued this would represent a security risk, while others said it could place them at a competitive disadvantage.

The EBA disagreed and said it is a demand set out in the standards themselves. It has, however, tweaked the requirement so that banks must publish data on “each of the interfaces made available” to end users rather than on the “best-performing interface”.

Rules on key performance indicators (KPIs) that banks must set around API uptime and downtime have also been tweaked. Uptime must be measured “per day”, and downtime recorded regardless of whether it is planned or not.

The time taken to fulfil a request from a third-party provider must now be measured in milliseconds, with the authority concluding that a “monthly average would not give sufficient visibility of variations in performance and availability over time”.

The final guidelines are not directly applicable, but member state authorities have the choice either to adopt them in full — in which case they become legally binding — or to reject them and explain to the EBA why they have done so.