PSD2: Clock Ticking For Banks Seeking 'Fallback' Exemption, Warns FCA

The UK’s Financial Conduct Authority (FCA) has warned banks, credit card providers and e-money institutions against waiting too long to seek approval for their dedicated third-party access interface.

The regulator opened a four-week consultation on Monday on its approach to regulatory technical standards on security that take effect in September 2019, and accompany the revised Payment Services Directive (PSD2).

A payment account provider that chooses to build an application programming interface (API), allowing newly regulated third-party providers to initiate payments or collect data, must gain the approval of their national regulator under the incoming rules.

Failure to do so would require them to build a contingency mechanism by adapting their customer-facing online banking interface, which the FCA said “will pose extra costs”.

“Subject to the outcome of this consultation, the [exemption] process will be available from January 2019,” the regulator said in its consultation paper.

“Those seeking to be exempt by September 14, 2019 should consider how long they might need to develop a contingency mechanism in the event that an exemption request is rejected.

“We would expect to receive exemption requests by June 14, 2019.”

The reason for that three-month gap is because the FCA intends to respond to exemption requests within a month, and if the decision is negative the account provider should be given two months to implement a contingency mechanism.

However, the tight timeframes place further pressure on the banking sector.

To gain an exemption, an interface must have been available for testing for six months and been “widely used” by existing third parties for at least three months.

The FCA confirmed in Monday’s paper that those two time periods can run concurrently, meaning the latest a bank should begin testing would be March 14 next year.

The country’s nine largest banks were instructed by the Competition and Markets Authority (CMA) in early 2017 to collaborate on an open banking project, but the process has been fraught with delays and complications.

Six were scolded for missing this year’s January 13 deadline, albeit for relatively minor failings, and complaints from fintechs have since arisen over the quality of APIs made available so far.

The overseer of that project — the Open Banking Implementation Entity (OBIE) — promised in June that upgrades would be made as a priority, and a third version of its standards were published on September 7.

FCA Reiterates Support For ‘Redirect’

The FCA also used Monday’s consultation paper to address an issue that has proven highly contentious throughout Europe: the authentication process for a customer when using a third-party provider.

In markets where third parties have long operated by using login credentials shared with them by the end user, the possibility of APIs that force a customer to authenticate themselves via redirection has been met with outcry.

However, authentication by redirection — where the customer is forwarded onto a login screen or process controlled by their bank — has always been the favoured method offered by OBIE, and the FCA reiterated its support in its paper.

“This ensures that customer credentials never have to be provided to anyone other than a customer’s bank or PSP [payment service provider],” the regulator said.

Draft guidelines published by the European Banking Authority in June concluded that offering only redirection is not necessarily an obstacle to third parties, provided users are not “directly or indirectly” dissuaded from using their services as a result.

The FCA’s proposed changes to its existing approach document for PSD2 echoed that stance.

If a bank chooses to offer authentication by redirection only, it must provide “an explanation of the reasons why this method of access is not an obstacle” to the authority.

It must also show that any authentication method available to the customer when accessing their bank account directly is also available when a third-party provider is being used.

“For example, if a customer can authenticate using fingerprint biometrics when accessing their account directly, this should be available as an authentication method when the customer is accessing their account through [a third-party provider],” the FCA said.

It added that “an explanation should be given” if that is not the case, although did not suggest exceptions would be made.

The authority explicitly said it would not grant an exemption to any bank that imposes additional steps on a third-party provider that are not imposed on other banks.

One example given was “asking the customer to confirm that they agree to share data with an AISP (account information service provider) will be considered an example of an additional consent step”.

The FCA is consulting on its approach until October 12. It explained that the relatively short time period is in order to provide legal clarity to the market “as soon as possible”.