top of page

Changes in Strong Customer Authentication (SCA) for Account Information Service Providers (AISP)


digital security photo

The beginning of April this year came with some interesting changes proposed by the European Banking Authority (EBA), when publishing the Final Report on the amendment of its technical standards on the exemption to strong customer authentication for account access, under the PSD2 Directive.


What are the main changes?

The EBA Report introduces a mandatory exemption to SCA (Strong Customer Authentication) for customers accessing their payment account information when they use an Account information service provider (AISP) under certain conditions. ‘The amendment aims to reduce frictions for customers using such services and to mitigate the impact that the frequent application of SCA and the inconsistent application of the current exemption have on AISPs’ services.’


As per EBA competency, the Regulatory Technical Standards (RTS) were modified as follows:


  • Introduction of a new mandatory exemption to SCA, for the specific case when access is through an AISP and only if certain conditions are met’. These conditions are as follows: the information accessed is limited to the balance of the account and/or the recent transaction history; no sensitive payment data are disclosed; and SCA is applied when the account information is accessed for the first time, and renewed periodically.

  • Limitation of the scope of the voluntary exemption in Article 10 RTS to instances where the customer accesses the account information directly’. In other words, ASPSPs (namely banks) can decide whether to apply the exemption based on its risk assessment in this case, and will have the ability, but not the obligation, to apply a timeline for the renewal of SCA of up to 180 days.

  • Extension of the timeline for the renewal of SCA from every 90 days to every 180 days, both when the information is accessed through an AISP or directly by the customer’. This is maybe the most important aspect of the Report from our point of view, as this extension aims directly to encourage adoption.

As next steps, ‘the draft amending RTS will be submitted to the Commission for endorsement following which it will be subject to scrutiny by the European Parliament and the Council before being published in the Official Journal of the European Union. The amending RTS will apply 7 months after entry into force.’


What does this mean exactly for Account Information Providers and their customers?

With the relaxed timeline and these exemptions proposals, the European Bank Authority (EBA) aims to boost the adoption of account information services (AIS) throughout the public, by making the procedure more friendly to the end users and simplifying the access, without affecting the security of customers’ data and funds. However, the EBA underlines the importance of consent given by the customer, that can still be revoke at any time should a customer not want for a AISP to access their account information anymore.


Moreover, the EBA has decided to ‘extend the period for making available to TPPs the changes to the technical specifications of ASPSPs’ (Account servicing payment service provider, such as banks or other financial institutions) interfaces to 2 months before implementation (instead of the 1 month period proposed in the Consultation Paper, so as to allow sufficient time for TPPs (Third Party Providers) to test and make any necessary changes to their systems before these changes are implemented by ASPSPs). In addition, the EBA has decided to extend accordingly the application date of the draft amending RTS from 6 to 7 months after the publication of the amending RTS as a Delegated Regulation in the Official Journal of the EU’.


This means that, after the publication date of the final amending RTS in the Official Journal of the EU, ASPSPs will have:


· 5 months to make available to TPPs the documentation with the changes to the technical specifications of its interfaces and allow TPPs to test them in the testing facility; and

· 7 months to implement those changes in the production environment.


What are the expected results?

In consequence, providing these new regulations, a good cooperation between banks (ASPSPs) and Fintechs (TPPs) is expected to level the processes and align the technical challenges in making the account information services (AIS) grow in the options of their joint customers, with an improved customer experience for both simple and secure innovating financial solutions.

Us, as TPP, welcome EBA’s proposal to harmonise the requirements between the interested parties, as well as the extension of the consent period that will enhance our users’ experience and will facilitate de usage of Account information services by the end-users.

Find out more by reading the full EBA Report following this LINK.

 

References:


Comments


bottom of page