EBA clarifications to APIs requirements under PSD2

Philipp Rosenauer Partner Legal, PwC Switzerland 25 Mar 2019

On 11 March 2019, the European Banking Authority (EBA) published the first set of clarifications elaborated by the Working Group on Application Programming Interfaces (APIs) under PSD2. 

In March 2018, the Regulatory Technical Standards on strong customer authentication and common and secure communication (RTS on SCA & CSC) was published in the Official Journal of the European Union. The RTS requires account servicing payment service providers (ASPSPs) to provide at least one interface for third party payment service providers (TPPs) enabling them to initiate payments and access account information. In order to comply with the requirements of the RTS, which shall apply from 14 September 2019, many ASPSPs have decided to develop dedicated interfaces such as APIs.

Taking into account the APIs complexity and the demanding timeline, the EBA established in January 2019 a Working Group aimed to facilitate the industry readiness for the timely application of the RTS. In particular, the Working Group is supposed to address the issues arising during the testing and preparation period leading up to the final application date of the RTS and to develop solutions, which will be further analysed by the EBA and the national competent authorities. The Working Group is well diversified and consists of 30 representatives of ASPSPs, TPPs, API initiatives and other interested stakeholders that meet every four to six weeks. 

In this post we would like to give a short overview of the discussion output regarding the first three issues addressed by the Working Group.

Issue 1: Testing

Issue summary: Some industry participants are concerned about the reliability of the testing platforms, the depth of use cases and the data available. Furthermore, they indicate the speed and ease of testing for TPPs as an issue requiring further guidance.

EBA clarification: According to Article 30 (5) RTS on SCA & CSC, all ASPSPs are obliged to provide support for authorised and applying for authorisation TPPs. Furthermore, the ASPSPs should make available the documentation containing the technical specifications of the API. The EBA states that it may be in interest of the ASPSPs to enable TPPs to use automatic testing programs and make documentation available in a machine-readable format, since it could minimise the need for additional support and may help the ASPSPs to achieve “wide usage” of their production interface. This, in turn, may lead to an exemption of the requirement for a fall-back mechanism.

All elements that TPPs are allowed to test are listed in Guideline 6.5 of EBA Guidelines on the conditions to benefit from an exemption from the fall-back mechanism (EBA/GL/2018/07). Guideline 6.6 postulates that the ASPSPs should provide the competent authority with a summary of the testing results and information about the number of TPPs that have used the testing platform. According to Guideline 7.2 when deciding if an ASPSP meets the “wide usage condition”, the competent authorities should consider the testing results and the solutions developed by the ASPSPs in order to address the issues raised by the TPPs during the testing phase. Hence, if the testing facility does not function well, this will impact the ASPSP’s application for an exemption.

The EBA recommends the ASPSPs to use the test cases catalogues developed by the API initiatives and to ensure that the testing functionalities and scenarios are as close as possible to the production interface.

Issue 2: Aligning functionalities and data requirements between API initiatives

Issue summary: Some participants stress that the data and functionalities available through API initiatives deviate from each other. They suggest that EBA should conduct a survey in order to identify the requirements of each API initiative.

EBA clarification: The EBA points out that according to Article 30 (3) RTS on SCA & CSC, the ASPSPs should disclose all documentation including technical specifications of the dedicated interface no later than 14 March 2019. This will lead to transparency in the market regarding the functionalities of the APIs. 

In EBA’s point of view, the API initiatives may also be interested in conducting a survey though the ASPSPs implementing their software and tools in order to analyse and publish the functionalities supported by these ASPSPs.

Issue 3: List of qualified trust service providers (QTSPs) issuing PSD2 eIDAS certificates

Issue summary: Some participants expressed concerns that PSPs are not able to identify which QTSPs issue PSD2 eIDAS certificates on the QTSP list, which is published on the webpage of the European Commission. They suggest an amendment of the QTSP list and its publication in a machine-readable format.

EBA clarification: The EBA has already provided the list of the QTSPs in a machine-readable format. The list contains detailed information for each QTSP, which is authorised by the national supervisory body. However, it does not identify if the QTSP provides PSD2 eIDAS certificates. Taking into account the fact that the deadline for starting the testing the API interfaces is 14 March 2019, the EBA approached the listed QTSPs and asked them if they issue or intend to issue eIDAS certificates under PSD2. Based on the responses, the EBA has created a list of QTSPs issuing eIDAS certificates and test certificates.

Around 10 QTSPs intend to provide certificates in another Member State different from their home country. The EBA stresses, however, that the list is not exhaustive and several other QTSPs are planning to provide eIDAS certificates as well as test certificates in the near future.

EBA Register of payment and electronic money institutions under PSD2

On 18 March 2019, the EBA launched a central electronic register of payment and electronic money institutions under PSD2. The register aims to increase the transparency and the level of consumer protection in the European Economic Area (EEA). It provides free accessible information for the following market participants in the Union:

  • Payment institutions acc. to Article 4 (4) PSD2;
  • Exempted payment institutions acc. to Article 32 PSD2;
  • Account information service providers acc. to Article 33 PSD2;
  • Electronic money institutions acc. to Article 2 (1) EMD2;
  • Exempted electronic money institutions acc. to Article 9 EMD2;
  • Agents acc. to Article 4 (38) PSD2;
  • EEA branches acc. to Article 4 (3);
  • Institutions entitled under national law to provide payment services acc. to Article 2 (5);
  • Service providers excluded from the scope of PSD2 under points (i) and (ii) of point (k) and point (l) PSD2.

The legal basis for the creation of the central register is Article 15 (1) PSD2. The provisions of the RTS and ITS on the EBA Register under PSD2 have been considered during the establishment phase. 

The information contained in the register is provided by the national competent authorities and is identical to the content of the national registers. The national competent authorities are responsible for its accuracy and actuality. At least a daily update is required.

The register is free of charge and the information may be downloaded in a machine-readable format.

How we can help

PwC team brings extensive legal, regulatory and compliance experience in financial services to help clients negotiate the risks and capitalise on the opportunities created by the new rules. 

Our service offering is available here.


Ihre Ansprechpartner

Philipp Rosenauer

Partner Legal, Zurich, PwC Switzerland

+41 58 792 18 56

Email

Gabriela Tsekova

Senior Manager, FS Regulations, PwC Switzerland

+41 58 792 29 93

Email

Contact us

Stefan Haag

Stefan Haag

Director, Corporate Reporting Services, PwC Switzerland

Tel: +41 58 792 71 29

Bruno Gmür

Bruno Gmür

Technical Partner Financial Services Banking, PwC Switzerland

Tel: +41 58 792 7317