PSD2: Commission Provides Long-Awaited Update on RTS and Screen-Scraping

Frederik Mennes, October 26, 2017

Many European banks, banking associations and fintech companies are currently waiting for the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) to be adopted by the European Commission and scrutinised by the European Parliament and Council. These RTS define the technical requirements for the communication interfaces (APIs) that banks will have to provide to Third Party Providers (TPPs), and specify how banks have to authenticate users when they access a payment account or initiate a payment.

The most recent evolution regarding the RTS dates back to June. At that time, the European Banking Authority (EBA) published its opinion on the European Commission's proposed amendments to the EBA's so-called final draft RTS. The EBA's opinion revealed diverging views between the EBA and the Commission about the need for banks to provide a "fall-back" communication interface based on screen scraping, to be used in case a bank's API-based interface were unavailable or not functioning adequately. The EBA and financial institutions did not favor such a fall-back interface. The Commission and TPPs, on the other hand, requested that it be incorporated into the RTS.

At The Berlin Group’s NextGenPSD2 conference, which took place in Berlin on 25 October, a representative of the European Commission provided a long-awaited update. Mr. Ralf Jacob discussed the timelines for the RTS and explained the approach regarding the communication interface.

Regarding timelines, Mr. Jacob explained that the text of the RTS is ready and is currently being translated. The Commission is expected to adopt and publish the RTS around 25 November. To become legally binding, however, the RTS must be published in the Official Journal of the European Union, which should happen in late February 2018. The RTS will then apply 18 months after that publication, i.e. in August 2019.

The Commission proposes to resolve the catch-22 situation regarding the communication interface by exempting banks from providing a fall-back interface based on screen scraping, provided that their API-based communication interface functions adequately. At first sight, the Commission seems to follow the approach proposed by the EBA and the banks. However, the devil is in the details: the criteria for determining whether a given API-based interface functions adequately will be defined by a new industry body consisting of representatives from both banks and TPPs. In this way, the Commission shifts the responsibility for defining the criteria to market participants, and ensures that TPPs will have a say on the quality of the API-based interfaces that banks have to provide. In practice, a bank that wants the exemption will therefore have to demonstrate that its API meets criteria it does not control alone.

All in all, the approach proposed by the Commission largely favors API-based interfaces and tries to do away with the practice of screen scraping, a step that is long overdue: screen scraping requires the user to hand over their online banking credentials to the TPP, which is fundamentally at odds with the goals of Strong Customer Authentication.

The Commission's communication at the NextGenPSD2 conference ends several months of regulatory radio silence and brings new momentum to the PSD2 implementation process. It is now up to standards organizations such as The Berlin Group, Open Banking UK and STET to finalise their API standards, and to banks to make decisions regarding their procedures for Strong Customer Authentication.

Frederik leads OneSpan's Security Competence Center, where he is responsible for the security aspects of OneSpan's products and infrastructure. He has an in-depth knowledge of authentication, identity management, regulatory and security technologies for cloud and mobile applications.