On 13 June 2018, the European Banking Authority (EBA) published an opinion and a consultation paper on draft guidelines, to clarify a number of issues identified by market participants in relation to the regulatory technical standards (RTS) on strong customer authentication (SCA) and common and secure communication (CSC), which will apply from 14 September 2019.
The EBA opinion contains both general and specific comments to Member State competent authorities (NCAs) in relation to the RTS on SCA and CSC. It focuses in particular on those queries for which clarity is required sooner, to enable industry players to continue their preparations and to facilitate early readiness to comply with the RTS, which the EBA already encouraged in its opinion on the transition from PSD1 to PSD2 in December 2017. For example, the opinion explains that the account servicing payment service provider (ASPSP) should not check the consent of the payment service user who has contracted with an account information service provider (AISP), payment initiation service provider (PISP) or card-based payment instrument issuer (CBPII), and that it is the ASPSP that applies SCA and decides whether or not to apply an exemption. The opinion also clarifies that, when determining which method(s) to use for the purpose of carrying out the authentication procedure, the ASPSP needs to ensure that all methods of SCA offered to its customers can be supported using the application programming interface.
The draft guidelines seek to clarify certain issues identified by market participants and NCAs in relation to the four conditions to be met to benefit from an exemption from the fallback option envisaged under Article 32(6) of the RTS. In particular, the draft guidelines provide clarity for parties involved in the assessment process and also allow NCAs to carry out a speedy assessment, especially during the time when the bulk of the exemption requests will be received. The deadline for comments on the consultation paper is 13 August 2018.