Opinion of the European Banking Authority (EBA) on the Period of Transition to PSD2
2 January 2018
On 19 December 2017, the European Banking Authority issued its opinion (EBA/Op/2017/16) on the transition from PSD1 to PSD2 that will came into force on 13 January 2018.
The EBA decided to issue the opinion mainly because of the misalignment between the date from which PSD2 will be in force and the application of the general guidelines and regulatory technical standards that the EBA is obliged to issue in connection with PSD2. As of 13 January 2018, only three out of the twelve instruments will be applicable, which brings major interpretation problems.
In the opinion, the EBA provided comments and advice, inter alia, on the following issues:
- Exemptions from the obligation to receive authorisation (registration) for the provision of services;
- Re-authorisation of payment institutions and electronic money institutions;
- Accessing a payment account in the transitional period between PSD2 application and the application of regulatory technical standards related to strong customer authentication (“RTS SCA”); and
- Cross-border provision of services to countries where PSD2 has not been implemented yet.
Thus, for entities operating on the Czech market, the following two conclusions of the EBA are important:
1. Accessing payment account in the transitional period (until the application of the RTS on SCA)
As part of its opinion, the EBA attempted to clarify the obligations that banks and fin-tech companies are to fulfil before the final specific regulation in the RTS on SCA comes into force (ie approximately by September 2019). The EBA’s interpretation is as follows:
- Third parties (TPPs) are not obliged to identify themselves to account servicing payment service providers (ASPSPs);
- “Screen scraping” may be used in the transitional period unless national law prevents such access;
- In the transitional period, ASPSPs will not have the obligation to “communicate securely” with the TPPs nor will the ASPSPs have an obligation to offer dedicated interface; and
- ASPSPs may block the TPPs’ access to the user’s payment account only in reasonably justified cases.
It will be interesting to watch what stance the Czech National Bank will take, namely with respect to the joint opinion of the Czech National Bank and the Ministry of Finance of the Czech Republic from 1 December 20171, which is not fully compliant with the new opinion of the EBA.
The EBA’s view is that “screen scraping” may be used unless it is prevented by national legislation. Although the Czech legislation is sceptical as to providing access to an account to other persons than the user2; the use of “ screen scraping” in the transitional period is allowed in the opinion of the Czech National Bank and the Czech Ministry of Finance (or, more precisely, the opinion does not mention the ban of screen scraping arising from Decree No. 163/2014 Coll.).
Another contradiction is the issue of verifying the identity of TPPs. In the opinion of the Czech National Bank and the Czech Ministry of Finance, “screen scraping” may be used only if the TPP’s identity is authenticated, whereas the opinion of the EBA expressly states that such authentication is not necessary in the transitional period.
Thus, banks and fin-tech companies are rather uncertain how to proceed in the relatively long transitional period that will last from 13 January 2018 to September 2019 (or, as the case may be, even longer, depending on the approval procedure of the RTS on SCA). The situation is even more complicated for banks because disregarding the approach they choose, their activity may be interpreted as contrary to law (either to Act No. 370/2017 Coll., on payment, implementing PSD2, on the one hand, or to Decree No. 163/2014 Coll., on the performance of the activities of banks, credit unions and investment firms, on the other hand).
Nevertheless, it is possible that Czech supervisory authorities will revise their opinion and further clarify the confusing situation that brings discomfort both to banks and fin-tech companies.
2. Exemptions for AISP and PISP providing services before 12 January 2016
The EBA clearly states in its opinion that until the RTS on SCA come into force, account information service providers (AISP“) or payment initiation service providers (“PISP”), ie primarily fin-tech companies, may perform their activities without the necessity to obtain authorisation (registration) (however, they will not be able to use the advantages available only to the registered entities, eg they will not have a right to access payment accounts held by banks). This exemption arises from Article 115(5) of PSD2.
It will be interesting to watch how the Czech National Bank will react to this clear conclusion as, unlike all the other exemptions, the exemption embedded in Article 115(5) of PSD2 has not been expressly transposed into the Czech legislation.
The EBA is apparently aware of the complexity of the issues described above, and therefore considers prolonging the public round of questions and answers related to PSD2. At the same time, it recommends that the national supervisory authorities actively invite the entities operating on the market to ask questions, and to publish the answers to these questions on their websites in order to contribute to the clarification of further problematic issues.
1 COMMUNICATION OF THE MINISTRY OF FINANCE OF THE CZECH REPUBLIC AND THE CZECH NATIONAL BANK from 1 December 2017 on the transition period based on Act No 370/2017 Coll., on payments, available at http://www.cnb.cz/miranda2/export/sites/www.cnb.cz/cs/platebni_styk/pravni_predpisy/download/sdeleni_mfcr_a_cnb_k_zakonu_370_2017.pdf.
2 Refer to Decree of the Czech National Bank No. 163/2014 Coll., on the performance of the activities of banks, credit unions and investment firms, amendment no. 6, point 18.