Since 2014 I have written about the status of PSD2 Access to Account and suggested it might not be simple exercise. Open Banking Europe, has been following and helping the delivery. This article looks whether we are nearly there in terms of regulatory deliverables.
Status of National Transposition of PSD2
It is worth remembering that, although PSD2 should have come into force in January 2018, today, 24 out of 31 states have transposed PSD2. 7 still have not. The map below shows which countries have transposed (green) and which have not (amber).
Status of Regulatory Texts
PSD2 mandated the European Banking Authority (EBA) to create a number of pieces of secondary legislation. The mandates conferred on the EBA in the PSD2 comprises six technical standards, five sets of Guidelines, and a register. In November, EBA reported the following status.
Additionally, there are Guidelines on exemption to the fall back interface in progress and other explanatory material.
Regulatory Commentary and Interpretation
As transposition happens, and as we progress towards Access to Account, European and National competent authorities are providing interpretations of PSD2 and RTS which are causing the banks and TPPs withing each jurisdiction to change their understanding and hence their plans. Example of guidance that has come out in the last six months include:
- The EBA published an Opinion paper on the interpretation of some aspects of the RTS on Strong Customer Authentication and Common and Secure Communication. They also state that they will provide “clarifications on eIDAS” during Q4 of 2018.
- The EBA also provides a public Q&A tool which at the time of writing has 15 “Q”s and corresponding “A”s. These are added to each week when there is new material.
- At national level there are many guidance documents, opinons and positions taken in different fora. Examples include a three page paper on “Agents” published by the French regulator that has led to a lot of discussion about the role of “fourth parties” in the access to account chain or the UK’s consultation on “Approach to final Regulatory Technical Standards and EBA guidelines under the revised Payment Services Directive (PSD2)“. Other national authorities have made statements on scope of batch payments, or interpretations around CVV numbers that have changed industry thinking about what national regulators expect.
The impact of these interpretation changes, is (in some cases) new understanding of interface requirements, e.g. whether batch payments are in or out of scope. This in turn is leading to changes in the outputs of the standardisation initiatives such as Berlin Group and STET (which explains why the version numbers are creeping up). It has also impacted the project planning of ASPSPs and TPPs.
The recent report from the API Evaluation group, flagged up 48 “recommended functionalities” of PSD2 APIs. Of these nearly a fifth have a status of “In the process of clarification by the EBA” in the column dealing with legal scope. And it is not surprising that the functionalities that await clarification are most often the contested ones!
National Competent Authority Identifiers List
The EBA’s RTS on Strong Customer Authentication and Common and Secure Communication states that each certificate will contain “the name of the competent authorities where the payment service provider is registered”. (Check here for some background on PSD2 eIDAS certificates.) The problem is that there is no list of names that QTSPs can draw on when issuing certificates and so effectively, which competent authorities are in scope and how does one get removed (think Brexit…); which names can actually be used.
The EBA is producing a list of codes to represent competent authorities, that will be put into certificates and will uniquely and unambiguously identify NCA’s in a machine-readable way. I expect this to come out in the next weeks.
Readiness of National Registers
PSD2 (article 14) mandates competent authorities to create public national registers. These registers will be used to obtain the information that goes into PSD2 eIDAS certificates, i.e. The name of the competent authority, the authorisation number of the TPP, the role(s) of the TPP. There is also the expectation of passporting information being available.
Since November 2017, Open Banking Europe has been auditing the national registers, and creating the following readiness heatmap. As of end October 2018 there were 11 national registers that today cannot hold the information (red), or that can hold the information but do not always update it. This is shown on the maps below:
- Red – the register cannot store all the above information due to missing fields.
- Amber – There is space to store information, but it is not updated for all institutions.
- Green – the register can and does hold the above information (although this information may still be in various languages, using non-standard naming conventions and published in any format!)
The Open Banking Europe directory consolidates all the information into a single place and distributes it in a machine-readable, standardised format, with notifications on changes – but only where such information is available!
In Summary
Looking on the bright side, we can say that there is a year to go, that a lot of progress has been made. Being more critical, there are still gaps coming from regulators or competent authorities and interfaces must be in place by March in order to win exemptions – i.e. in four months. The banks are struggling to understand what they can/must supply and TPPs face an uncertain year, and are struggling to understand what they will be offered.
Keep calm and carry on. Problems are being solved, working together on shared problems still gives the best outcome for the industry, and Access to Account will only work when all stakeholders are ready with their deliverables.
Are we nearly there yet? Well, children, not too far now! If only we could be sure which route we are taking and where precisely we aim to end up. Well, its still a voyage of discovery so try and enjoy the ride!