Transition to PSD2
With the approaching of the first regulatory deadline, envisaged by the PSD2 Directive, on January 13th 2018, and several open points still to be clarified, the EBA published on December 19th the Opinion on the state of the legislation, and in general on the transition from PSD1 to PSD2.
The set of regulations related to the PSD2 will in fact NOT be fully applicable on January 13th 2018, and this generates issues related to the "Transitional Periods", namely time periods in which some regulatory obligations are applicable, while others are not.
Here are the most relevant points of the text signed by Andrea Enria (EBA).
MANDATES of the EBA
- On January 13th 2018 only 3 of the 12 EBA mandates, among RTS and Guidelines, will be applicable – more details in the slides attached.
- During Transitional Periods - despite the requirements are not yet directly applicable - EBA suggests to CAs and PSPs to consider the latest version of the documents as an indication of what is considered compliant with the PSD2.
ISSUE SPECIFICATIONS ADDRESSED BY THE EBA
1. Registration/authorization obligation
- Starting from January 13th, only PIs, EMIs, AISPs, PISPs that have registered / been authorised under the PSD2 will be able to operate, with the following exceptions:
- The subjects, typically FinTech, who provided AIS and PIS services before January 13th, will be able to continue to do so (in the same areas) until registration / authorization.
- Existing PIs and EMIs may continue to provide these services until July 13th 2018 (6 months), and within this deadline they must obtain authorization; in this period they cannot provide other services, such as AIS or PIS, without proper registration.
- Existing PIs that enjoyed exemption under the PSD1, have until January 13th 2019 (1 year) to obtain - under the PSD2 - similar exemption or authorization.
- The most important indications present in the EBA's Opinions are addressed to FinTech players, who are suggested to proceed with the registration / authorization as soon as possible, as the non-registration could have a negative impact since these providers:
- would not benefit from the rights deriving from titles III and IV of the PSD2 and from the passporting rules to offer their services in several countries;
- would have negative reputational impacts compared to the players that are registered.
2. Another important element in the EBA text concerns the rules relating to the so-called Transitional Period II (from January 13th 2018 to the entry into force of the RTS on SCA and CSC)
- AISP and PISP may access the accounts at the ASPSP, but are NOT obliged to identify themselves
- AISP and PISP may use current methods of access to accounts (eg screenscraping) unless national laws have prohibited such access before the PSD2 enters into force (12 January 2016).
- ASPSP are not obliged to "communicate securely" with AISP and PISP and are not obliged to offer dedicated interfaces for access to accounts
- ASPSP may block access to accounts only for duly justified and documented reasons, in particular in the case of suspicions of fraudulent or unauthorized accesses or payments
- The EBA encourages NCAs and PSPs to be compliant with the legislation before the legislative deadline, recognizing that this implies a high degree of cooperation among all the parties involved, including an advance in the development of industry standards
- The EBA encourages early compliance with the regulatory deadline, arguing that a proactive approach may facilitate and simplify the implementation of the regulatory framework being adopted, even if not strictly related to PSD2 (eg GDPR)
3. Application of the EBA Guidelines on "Security of internet payments" under the PSD1
- To ensure the continuity of application of the security requirements contained in the EBA Guidelines, the requirements previously envisaged on "Security of internet payments" will be progressively repealed.
- These guidelines apply - until they are repealed - to PSPs subject to PSD1, but NOT to Third Party Providers.
- The EBA advises the CAs to replicate this gradual repeal, also for the laws issued at national level.
4. Cross-border services in the case of Member States with delayed transposition of the PSD2
- Delayed transposition of the PSD2 in some of the Member States for which the NCAs have decided to postpone the implementation of the PSD2 compared to 13 January 2018 does not exempt the subjects to the submission of the passporting notification in the state where the subject has been authorized (and in which the PSD2 has been implemented in time).
- Furthermore, delayed transposition of the PSD2 does not prevent other parties from operating in that Member State.
5. Support proposal of the EBA during the Transitional Period
- The EBA is considering extending the Q&A procedures to the benefit of the stakeholders, in order to ensure regulatory convergence within the EU.
- In addition, the EBA is considering further steps to provide clarity in the interpretation of mandates, such as involvement in national or supra-national programs for the development of interfaces.
Authors: Silvia Bernini, Deloitte Itlia, Jonathan Negri, Deloitte Italia.