Article 98(4) of the revised Payment Services Directive (PSD2) empowers the European Commission (Commission) to adopt, following submission of draft standards to the European Banking Authority (EBA), and in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010, delegated acts specifying the requirements of strong customer authentication, the exemptions from its application and common and secure open standards of communication.
The Commission has now published Commission Delegated Regulation (EU) No…/… supplementing PSD2 with regard to regulatory technical standards (RTS) for strong customer authentication and common and secure open standards of communication.
The Commission has made some limited substantive amendments to the draft RTS submitted by the EBA. The Commission states that this was done to better reflect the mandate of PSD2 and to provide further clarity and certainty to all interested parties.
The PSD2 becomes applicable as of 13 January 2018 except for the security measures outlined in the RTS. These will become applicable 18 months after the date of entry into force of the RTS. Subject to the agreement of the Council of the EU and the European Parliament the RTS are due to become applicable around September 2019.