PSD2 'Whitelists' Not Open To Third Parties, European Commission Says

European authorities have clarified that banks do not have to make whitelists of trusted payees visible or editable to third-party providers (TPPs) under incoming EU-wide security rules.

Under regulatory technical standards on strong authentication that take effect in September, forming a crucial part of the revised Payment Services Directive (PSD2), end users can set up a list of “trusted beneficiaries” so that transfers to those recipients do not require two-factor authentication.

However, TPPs have clashed with banks over the level of access they should have to a customer’s whitelist. Some third parties have argued they should be informed whether a payee is listed, and should be able to make or suggest changes to the whitelist as part of the execution process.

The issue was identified as an area of legal uncertainty by the API Evaluation Group, a cross-industry working group that facilitated dialogue between banks, fintechs and regulators, in November’s final list of recommended functionalities.

That question was submitted to the European Banking Authority (EBA) in July by the European Payment Institutions Federation, then passed on to the European Commission, which emphasised that control of the list should remain within the bank’s domain.

“As it is ultimately the [bank] that applies strong customer authentication or decides whether or not to apply an exemption, … the information as to whether or not a payee is on the list of trusted beneficiaries is not necessary for the provision of the PIS (payment initiation service),” it said.

Payment initiators can still rely on the whitelisting exemption to bypass strong authentication, but under PSD2, information that is not deemed “necessary” for carrying out a third-party service generally does not have to be supplied by a bank.

The same principle applies to card payments, where the merchant’s acquirer may want to know if a payee is whitelisted.

“From this it follows that the [bank] is not obliged to inform the acquirer if the payee is included on the trusted beneficiaries list, and by extension is not obliged to share the trusted beneficiaries list with the acquirer or payee,” the answer stated.

The commission also emphasised that its remarks do not mean banks and third parties are forbidden from reaching an agreement where access to the whitelist is part of a payment initiation or card transaction service.

However, its answer on whether a TPP can make changes to a list of trusted beneficiaries was stricter.

“No suggestions for new entries or amendments are allowed to be made” by payment service providers within the bank’s domain, it said, echoing earlier guidance from the EBA.

The commission added that banks “can design their banking environment in such a way that it would be easy for a [user] to add a new trusted beneficiary to its own list”, although it did not give any technical detail on what that would look like.

Information Available to TPPs

The authority also fielded questions on what information a payment initiation service provider is allowed to see when accessing an account held by a bank.

One of the underlying principles of third-party account access under PSD2 is that third parties can only demand the information necessary for carrying out a payment initiation or account information service.

An unnamed entity asked whether this can include a list of accounts from which the payer is able to initiate a transaction, including information such as the IBAN or the currency. It suggested that information would be necessary so that the end user can choose where funds are drawn from as part of the transaction.

The answer was again supplied by the European Commission.

“As it is always the payment service user that specifies the account the transaction shall be initiated from, there is no need for the [bank] to provide or make available to the PIS provider a list with all the account numbers of the payment service user and the associated currencies,” it said.

A more complex question posed by the French central bank was whether names associated with payment accounts should be displayed to a TPP through a bank’s interface.

The European Commission said that interfaces “should foresee the possibility of providing the name of the payer in case this information is required for delivering payment initiation services or account information services”.

However, third parties must “be able to justify that obtaining the name of the payer is necessary for the provision of the payment initiation service as explicitly requested by the payer”.

The same is true of account information service providers, it said.

According to an EBA disclaimer, guidance set out through its question and answer tool is not legally binding in itself, and in instances where the European Commission has intervened it retains the right to “adopt a position different from the one expressed”.