When can ASPSPs refrain from providing a fallback solution to the dedicated interface under RTS? – EBA publishes draft guidelines
The Regulatory Technical Standards on strong customer authentication and common secure communication (RTS) require account servicing payment service providers (ASPSPs) that have opted for a dedicated interface in order to provide payment initiation service providers (PISPs) and account information service providers (AISPs) online access to accounts to provide a fallback solution in case the dedicated interface does not work properly. However, the RTS allow competent authorities to grant ASPSPs an exemption from providing such fallback solution. On 13 June 2018 EBA has published a consultation paper with draft guidelines on the conditions to be met to benefit from an exemption from contingency measures under the RTS. The consultation period runs until 13 August 2018.
Background under the RTS
PSD2 requires ASPSPs to grant PISPs and AISPs access to payment accounts of its payment services users. Pursuant to the RTS the ASPSP may choose to grant PISPs and AISPs such access either through the interface used for authentication and communication with the ASPSPs payment service user or through a dedicated interface. In addition, the RTS require ASPSPs to provide a contingency mechanism that allows PISPs and AISPs to access the payment account through the payment service user’s interface, if the dedicated interface does not work properly. Under certain circumstances the RTS authorise competent authorities to grant an exemption to ASPSPs with regard to such contingency measures if certain requirements are met. The consultation paper now outlines the conditions to be met in order to grant such exemption.
Content of the consultation paper
The consultation paper contains of nine guidelines that requires the ASPSPs, amongst others, to comply with the following requirements:
The ASPSP must ensure that he has in place the same service level, availability and performance that it provides to the payment service users with the interface provided to them.
ASPSPs must provide statistics regularly to the competent authority on the availability and performance of the dedicated interface.
ASPSPs must provide stress tests in order to ensure that access to the accounts via the dedicated interface can be provided in situations of extremely high numbers of requests of PISPs and AISPs.
ASPSPs must provide a detailed statement to the competent authority, why the method of access chosen by that ASPSP is not an obstacle to the access to the payment account by the AISP and the PISP.
ASPSPs must provide information about the technical specifications of the dedicated interface and the testing facility to the competent authority.
ASPSPs must provide information on a problem resolution procedure.
Finally, the competent authority must consult EBA prior to granting an exemption from contingency measures.
Timeline and next steps
EBA has invited market participants to provide comments to the draft guidelines until 13 August 2018. The final guidelines shall be published after the consultation phase. After publication the guidelines shall apply from 1 January 2019