On February 13th 2017 the EBA published its final draft on Regulatory Technical Standards on strong customer authentication and secure communication under PSD2 The official status of the document is “Final draft adopted by the EBA and submitted to the European Commission”.What’s going to happen next? The submission of the final draft kicks-off a three month scrutiny period by the Commission. During this period the Commission will analyse the document, discuss it with the EBA and propose changes. Whilst the EBA still has the option of not accepting the changes proposed by the Commission, the RTS has to be approved by the Parliament at the end of the Parliamentary phase.Since the document was published, I have been receiving comments about how Screen Scrapping and other direct access methods are going to be forbidden by PSD2. While it is true that the final draft talks about a dedicated interface, I deem it highly unlikely that the RTS will be approved by the Parliament in its current state. To help you understand why, allow me to provide some context by referring to a letter from the European Parliament Negotiating Team on the 24th of October 2016.The letter was written by MEPs Markus Ferber and Antonio Tajani (now President of the European Parliament) to Andrea Enria (EBA Chairman) in response to the initial draft submitted by the EBA. Amongst other things, the letter says:Furthermore, the letter goes on to say:
And: Just to clarify, articles 66(4) and 66(3) say that ASPSPs have to communicate securely with PISPs and AISPs, treat payment orders and data requests without discrimination and make payment initiation information available immediately.
And lastly: Meaning there is no room for special or different sets of authentication procedures and credentials for AISPs and PISPs. This throws out SCA for AIS purposes, unless EBA is willing to impose SCA to banks for information purposes.
The EP has already told the EBA 6 months ago that they did not agree with the EBA’s proposition of a dedicated interface as it goes against the basic principles of PSD2.
Now EBA is insisting again, this is not a new position by the EBA (although it may be news for some people), and we already know the EP’s position on this request!
So, how likely is it that the same Parliament that approved this Directive will approve an RTS that, according to its President, goes against the Directive? The answer to this question also answers the title question, will PSD2 impose a mandatory dedicated interface? I don’t know about you, but I don’t think so.