European Authority Weighs Response To PSD2 Access Recommendations

The European Banking Authority (EBA) is contemplating its response to a series of recommendations issued this month by the API Evaluation Group, as firms sweat over meeting tight deadlines for facilitating third-party access.

The group, which launched in January with the aim of guiding industry-level initiatives working on common application programming interface (API) standards, is overseen by several regulators and includes banks, third-party providers, retailers and other sector-specific experts among its members.

Its final list of recommended functionalities drew questions, however, as many went beyond the base-level legal requirements set out in the revised Payment Services Directive (PSD2) and its accompanying regulatory technical standards.

“It's not our document,” said Dirk Haubrich, the EBA’s head of conduct, payments and consumers, at Wednesday’s Payments International event in London. “But we are having a look at it to see whether we can support it, and might be making a public statement about that.”

Under the standards, banks building APIs to facilitate third-party access must have them approved by their national regulator by September next year, or provide an alternative “fallback” access mechanism based on the customer-facing online interface.

The process of gaining that approval requires extensive market testing, and Haubrich acknowledged there could be a further role for the regulator to play in making that process as straightforward as possible for firms.

“We are currently considering and discussing at the EBA internally how, over the next 10 or 11 months, we can continue to facilitate the process,” he said.

The regulator will work to ensure that any issues that do arise during that period “are surfaced quickly and addressed quickly”.

Haubrich explained that the authority has not yet finalised its position on exactly how that will be done, however.

Another possibility mooted was establishing “a sort of industry group where we have banks and TPPs — technical experts, not lobbyists — that come together, meet with us and the national authorities, and explain what sort of issues they see”.

“That's what we are looking into at the moment, but we still have to finalise some of the detailed thinking, the logistics and so on, before we can go public with that and start the process,” the regulator said.

EBA Rules Out Deadline Extension

One of the features that has characterised the debate so far, including within the API Evaluation Group, has been a clash between existing third parties and incumbent banks.

TPPs have argued that the reforms give banks too much leeway to place limitations on, or add complexity to, the services they can offer to end users, potentially resulting in customer drop-off.

Banks, meanwhile, insist that access via APIs is necessary for security reasons and that the legislation should give them some room to provide value-added services as a commercial offering, rather than forcing them to give away core services free of charge.

The two camps continue to disagree on what precise criteria should be met in order for banks to have their API given regulatory approval.

That has created a situation where some banking groups are deeply concerned they will not be able to gain that exemption in time, yet remain reluctant to invest in building a second contingency interface.

Asked whether there is any chance the industry could be given an extension, Haubrich was clear: “No. That’s not going to happen”.

He agreed the timelines “seem to be rather compressed”, but said it has been clear since the PSD2 text was finalised in December 2015 that these requirements were coming.

Legislators foresaw the IT implementation needed and so deliberately took a staggered approach to implementation, something Haubrich described as “very unusual for an EU directive”.

“If of course some players in the industry didn't use that time, that's unfortunate, but that is not because of lack of transparency on our side, or PSD2, because it was clear,” he said.

“It's a shame that for some of the market participants it only becomes clear now, but still there are ten months left; it could still be feasible, though it will be much more challenging.”

eIDAS And Next Steps

The EBA is already in the process of taking other steps towards providing legal clarity to the industry.

Its final guidelines on obtaining an exemption from providing a fallback interface are likely to be published before the end of the year, and its Q&A tool continues to provide a resource for institutions unsure about specific provisions.

Haubrich added that the regulator is in the process of finalising further guidance on the use of eIDAS certificates within the third-party account access regime.

“This will also be published by the end of the year if everything goes well,” he said.

“It might be next week or the week after, and it will be in the form of an opinion addressed to the national authorities, to recommend how they should use eIDAS certificates, what sort of procedures are to be followed, and who has which role to play in the process.”

The opinion is likely to be closely aligned with the work of ETSI, the European Telecommunications Standards Institute, he added.