On 15 August 2019, the European Banking Authority (EBA) published its clarifications to the fifth set of issues that had been raised by participants of its Working Group (WG) on Application Programming Interfaces (APIs) under the revised Payment Services Directive (PSD2).
The API WG has identified issues that market participants may face during the testing and use of API interfaces in the period approaching the Regulatory Technical Standard (RTS) application date of 14 September 2019. The group has proposed solutions to the issues it raised which will be considered by the EBA and national authorities when providing clarifications in response to such issues.
The fifth set response on the issues raised are as follows:
- Machinereadability of the central register of the EBA under PSD2
- Measurement of response times of the dedicated interface
- Contingency mechanism in Art. 33(4) – Identification of third party providers (TPPs) through ‘guestbooks’
- Contingency mechanism in Art. 33(4) RTS – Data that can be accessed
- Documentation of the contingency mechanism in Art. 33(4) RTS
- Availability of, and reliance on, eIDAS certificates under Art. 34 RTS
Setback for fintechs
One of the most highlighting responses by EBA in the published clarifications has been rejecting the proposal for an open banking ‘Guestbook’ as a workaround when third parties are using a bank’s fallback interface.
There have been ongoing disputes over contingency access to accounts under the revised PSD2, which applies when a bank’s main API is unavailable or has not gained regulatory approval.
EBA has clarified: “Concerning in particular the guestbook identification explored by some API WG participants, the EBA is of the view that such identification method does not meet the 3 requirements in Art. 34(1) and 33(5) RTS, as it does not allow Account Servicing Payment Service Providers (ASPSPs) to rely on the eIDAS certificates for the identification of TPPs.
“In addition, such guestbook entry would not be compliant with the PSD2 because the ASPSP would not be able to check whether the TPP has identified itself at the time the access takes place. In this respect, Article 66(3)(d) of PSD2 provides that PISPs should identify themselves towards the ASPSP “every time a payment is initiated”. Similarly, Article 66(2)(c) PSD2 requires AISPs to identify themselves towards the ASPSP “for each communication session”.
“Finally, such guestbook registration would impose a condition for the identification of the TPPs that does not have any legal basis in PSD2 or the RTS.”
EBA’s API Working Group
The API WG was established in January 2019 by the EBA to facilitate industry readiness for the RTS on Strong Customer Authentication and Common and Secure Communication as well as to support the development of high-performing and customer-focused APIs under PSD2. The group consists of 30 individuals representing ASPSPs, TPPs, API initiatives, and other market participants.
On 11 March, 1 April, 26 April, and 26 July 2019, the EBA published clarifications to the first four sets of issues that had been raised by the working group. Today’s publication is the response to the fifth set of issues. In the weeks to come, the EBA will add further clarifications.