PSD2: communication standards set to be implemented in EU law

Out-Law News | 01 Mar 2018 | 3:30 pm | 3 min. read

New regulatory technical standards on ‘strong customer authentication and common and secure open standards of communication’, which will apply under the EU's second Payment Services Directive (PSD2), are set to be implemented into EU law in the coming days.

The finalised standards are the same as those that were set out in draft form by the European Commission in November 2017. The Commission's proposals were open to scrutiny for three months by the European Parliament and the Council of Ministers but that period has now passed without objections being raised by the EU's two law making bodies.

An EU source told that it is expected that the standards will be published in the Official Journal of the EU on 7 March, when they will come into law. However, compliance with the standards will not be mandatory until 18 months after that date of publication. 

"There has been much debate over the substance of these new standards, and now this marks a milestone that really sets the clock ticking for account providers and those in the live market for overlay services that benefit from the PSD2 access rights," said payments and technology law specialist Angus McFadyen of Pinsent Masons, the law firm behind

The new standards set out what banks must provide for to ensure that third parties in the payments market can access their customers' payment account data when they are given permission to do so by those customers, as is required under PSD2.

PSD2, which took effect earlier this year, provides new rights to account information service providers (AISPs) and payment initiation service providers (PISPs) to access payment accounts and payment account information held by banks and other account servicing payment service providers (ASPSPs) where customers consent to such access.

The provisions are designed to enable AISPs and PISPs to help consumers to make payments and review information from their payment accounts and, more generally, to open up the payments market to greater competition and innovation. In return, PSD2 subjects AISPs and PISPs to regulation for the first time. Fintechs, technology companies and retailers, as well as incumbent banks and other payment institutions, are among those expected to develop AIS or PIS offerings in the reformed market.

The detail of how AISPs and PISPs are able to exercise their access rights is not specified in PSD2. Instead the Directive has provided for that detail to be set out in regulatory technical standards. However, the implementation of those standards has been delayed by disagreements over the requirements they should stipulate.

The European Banking Authority (EBA), tasked with drafting the standards under the terms of the Directive, prepared recommendations in 2017, following a consultation process. However, the Commission, which is responsible for finalising and implementing the standards under PSD2, moved to change the standards the EBA had developed. Following a summer of disagreement between the bodies and industry uncertainty, the Commission outlined its 'final' standards in November 2017.

Under the new standards, ASPSPs must either enable third party access to the data through the same interfaces they use for interacting with customers, or alternatively develop a new 'dedicated interface' for that purpose. A range of safeguards are outlined in the standards to ensure that the access rights of AISPs and PISPs are respected.

Earlier this week, Yves Mersch, a member of the executive board of the European Central Bank (ECB), said that banks should work together to develop a single interface through which third party payment companies can access customer account information.

In a speech in Brussels on Monday, Mersch stressed that the "dedicated interface" should be developed in accordance with "at most a few" technical standards.

Mersch said banks are faced with the choice of enabling third party access to the data they hold through "an adapted customer interface or via a dedicated interface". However, he said that banks that elect to adapt their customer interfaces would "create fragmentation, as providers would have to develop and maintain a huge number of connections to all the different banks they communicate with".

"The plethora of technical solutions required" in this scenario "would be an obstacle for new entrants", he said.

"Only a dedicated and standardised technical interface – an application programming interface, or API – constitutes an efficient access solution that serves the needs of an integrated European payments market," Mersch said.

"I also believe that there should only be one – or at most a few – technical API specifications so that competition takes place at the service level and not at the technical specification level. We need to ensure that innovative services are built on harmonised and standardised technical foundations so that they can be made available across Europe," he said.

A body representing 74 fintech companies, challenger banks and fintech trade associations recently set out what it said are the "key API requirements" for the PSD2 regime and further outlined its concerns about the way APIs might be developed.

"There is a real risk that banks for competition reasons rather than developing as good APIs as possible, will want to minimise the functionalities and information available in the API," the Future of European Fintech said in a statement. "As such, in order for the objectives of PSD2 to be realised, a heavy responsibility falls on the European institutions to ensure that any API offered by banks has the adequate functionalities and performance, and works in practice."