PSD2: EBA’s second opinion on obstacles to account access asks national competent authorities to flex their muscles
It has now been over 18 months since the coming into force of the PSD2 Regulatory Technical Standards, and the European Banking Authority (EBA) is starting to increase the pressure on in-scope entities to reach full compliance.
On 18 February 2021, the EBA published its second opinion regarding obstacles to the provision of third-party provider (TPP) services under PSD2. In this opinion, it asks national competent authorities (NCAs) to reinforce the supervisory measures taken against Account Servicing Payment Service Providers (ASPSPs) that still retain such obstacles.
This follows the publication of a first opinion by the EBA in June 2020, which itself responded to issues raised by market participants. These issues related, for instance, to redirection methods implemented by ASPSPs, i.e. where the payment service user (PSU) is redirected to the ASPSP to carry out authentication when using TPP services, and included:
- Unnecessary steps in the interaction between the PSU and the ASPSP going beyond requirements for the PSU to authenticate;
- No support of certain authentication methods despite such methods being available to PSUs in the context of their online banking (e.g. app-to-app redirection);
- Multiple SCAs being required and/or SCA being required more frequently than every 90 days;
- PSUs being required to manually input their IBAN into the ASPSP’s domain.
The EBA identified the above as obstacles that must be removed. National authorities were called upon to take this into consideration in exercising their supervision.
- For more details, we invite you to read our June memo.
In its February opinion, the EBA acknowledges that progress has been made and that “NCAs have taken measures to ensure that ASPSPs in their jurisdictions comply with PSD2 and the RTS and that, as a result, many ASPSPs in the EU have removed these obstacles”. However, it also points out that some obstacles persist, undermining the level playing field that the PSD2 aims to create.
NCAs have therefore been requested to assess progress made by their industry and, where remaining obstacles are identified, to take supervisory actions by 30 April 2021. These actions should follow a risk-based approach and may include (without limitation) issuing an instruction/warning to the ASPSP or requiring an amendment to the ASPSP’s rules, procedures and/or systems. NCAs are also asked to set a deadline for compliance.
In a second stage, the EBA requests stronger measures to be taken by NCAs if obstacles are still not removed by the specified deadline, including:
- The imposition of fines,
- The revocation of the exemptions from the contingency mechanism under article 33(6) of the PSD2 RTS.
The EBA will also continue to monitor the situation and take further action if needed.
The EBA seems to be taking a clear stance, suggesting that the ‘tolerance period’ is coming to an end.
Fallback exemption revocation: what impact?
The “fallback exemption” refers to the possibility for an ASPSP to apply for an exemption from the obligation to implement contingency mechanisms. These mechanisms require ASPSPs to provide back-up access in case APIs do not work properly, by allowing TPPs to use the ASPSP’s standard web banking interface.
Exemptions are granted by national competent authorities only if APIs in place satisfactorily meet a number of criteria set out in applicable texts (e.g. performance, availability, robustness, satisfactory testing by TPPs…).
- For more details, please see Q&A n°9 in our FAQ: “PSD2: Are you ready?”
The fallback mechanism is a PSD2 ‘buffer’ to ensure that the legislation remains effective even where APIs are imperfect, and the EBA evidently intends to encourage its use if obstacles to account access persist.
There are several reasons why ASPSPs that have been granted an exemption may not wish to have it removed, including the development work required to implement a compliant fallback solution and the substantial accompanying documentation that would have to be prepared.
How can we help?
Finologee can provide you with the tools to achieve full PSD2 compliance through its customizable “PSD2 for Banks” product, enabling you to benefit from a white-labelled PSD2 Access to Account portal. You can find out more here.