Since January 2018, account servicing payment service providers (ASPSPs), for example banks and building societies, that offer a payment account that is accessible online have been required to allow customers to grant access to an authorised third-party provider (TPP) to enable them to view payment account information and initiate payments on their behalf.
Currently, such access is usually granted by allowing customers to share their banking credentials with a TPP who logs into a customer's online banking to access their accounts as if they are the customer. This allows them to ‘scrape’ data from the account to provide services to the customer (this is known as "screen scraping").
From 14th September 2019 access must be enabled via either a modified version of the customer interface, which meets the requirements of the regulatory technical standards for strong customer authentication and common and secure open standards of communication (RTS), or by building a dedicated interface.
If an ASPSP chooses to implement a dedicated interface, it also needs to have in place contingency measures that come into effect if the interface does not perform to the standards required by the RTS, e.g. there is unplanned unavailability of the interface or a systems breakdown. These contingency measures cover:
- having a strategy and plans in place for when its dedicated interface stops complying with the requirements of RTS;
- having communication plans for informing TPPs of the issue and alternative options; and
- having a ‘contingency mechanism’ in place.
A contingency mechanism ("fall-back" option) must allow a TPP access via the customer interface which has been modified to meet the requirements of the RTS; for example, it must enable the TPP to identify itself (e.g. screen scraping +).
ASPSPs can apply for an exemption from having to create this 'fall-back option'. It should be noted that this does not exempt ASPSPs from the broader contingency measures.
Applying for an Exemption
The FCA can exempt ASPSPs that have opted for a dedicated interface from the obligation to set up the contingency mechanism where the dedicated interface meets certain conditions.
The FCA has published a consultation paper (CP18/25) which contains (amongst other things) details on how ASPSPs can apply to be exempt from having to build a contingency mechanism, the requirements to be met and information to be provided to the FCA in order for them to consider the application.
ASPSPs can apply for an exemption by submitting the form within SUP 15C Annex 1 as well as the required information to the FCA. This form contains 28 questions ASPSPs need to answer. These questions are broken down into sections according to the EBA Guidelines.
Click here, or on the image below, to view a summary of some of the key information that will need to be provided in the application and a timeline of the EBA guidelines.
How we can assist you
The key message here is that ASPSPs who offer payment accounts online need to do something to enable TPP access in an RTS-compliant manner by September 2019.
For now, compliance programmes remain the most immediate priority for most banks and building societies who offer payment accounts that can be accessed online.
The FCA and Treasury have made it clear that they support the implementation of PSD2 using application programming interface-based dedicated interfaces (APIs). The FCA has also explained that it believes the use of standardised APIs will have benefits for the market and consumers, such as reducing barriers to entry and encouraging innovation.
The FCA has specifically referenced the Open Banking Implementation Entity (OBIE) API standard in its approach document. However, there is no national consensus on which industry standard (e.g. the Berlin Group, the UK Open Banking, etc.) to adopt, and some ASPSPs have chosen to develop bespoke APIs, either on their own or in partnership with others.
The method for granting access will directly impact the information to be provided to the FCA when seeking an exemption. In assessing whether a dedicated interface has been designed and tested to the satisfaction of PSPs, the FCA will make use of the results of conformance testing undertaken by initiatives such as the OBIE. Therefore, it appears that complying with a standard API will be helpful in getting applications for the exemption over the line.
Our Payments Team can advise you on the broader implications of the RTS on your business, and our integrated compliance function has considerable experience in assisting businesses with applications to the FCA for an exemption.
CP18/25 - issued September 2018
Compliance Director (Non Lawyer), Financial Regulation London
Partner, Financial Regulation