Out-Law / Your Daily Need-To-Know

Out-Law News 1 min. read

PSD2: communication standards written into EU law


Regulatory technical standards on ‘strong customer authentication and common and secure open standards of communication’ for payment services businesses have been formally written into EU law.

The majority of the new standards, stipulated in an EU regulation now published in the Official Journal of the EU, will not apply until 14 September 2019, however.

Out-Law.com reported earlier this month that the standards that the European Commission had proposed back in November 2017 had passed through a three month scrutiny period before the EU's two law-making bodies, the European Parliament and Council of Ministers, without objection.

The new standards set out what banks must provide for to ensure that third parties in the payments market can access their customers' payment account data when they are given permission to do so by those customers. Such access rights are provided for under the EU's second Payment Services Directive (PSD2), which took effect earlier this year.

PSD2 provides new rights to account information service providers (AISPs) and payment initiation service providers (PISPs) to access payment accounts and payment account information held by banks and other account servicing payment service providers (ASPSPs) where customers consent to such access.

The provisions are designed to enable AISPs and PISPs to help consumers to make payments and review information from their payment accounts and, more generally, to open up the payments market to greater competition and innovation. In return, PSD2 subjects AISPs and PISPs to regulation for the first time. Fintechs, technology companies and retailers, as well as incumbent banks and other payment institutions, are among those expected to develop AIS or PIS offerings in the reformed market.

The detail of how AISPs and PISPs are able to exercise their access rights is not specified in PSD2. Instead the Directive has provided for that detail to be set out in regulatory technical standards. However, the implementation of those standards has been delayed by disagreements over the requirements they should stipulate.

The European Banking Authority (EBA), tasked with drafting the standards under the terms of the Directive, prepared recommendations in 2017, following a consultation process. However, the Commission, which is responsible for finalising and implementing the standards under PSD2, moved to change the standards the EBA had developed. Following a summer of disagreement between the bodies and industry uncertainty, the Commission outlined its 'final' standards in November 2017.

Under the new standards, ASPSPs must either enable third party access to the data through the same interfaces they use for interacting with customers, or alternatively develop a new 'dedicated interface' for that purpose. A range of safeguards are outlined in the standards to ensure that the access rights of AISPs and PISPs are respected.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.