Implementation of PSD2: a viewpoint from the EBA, the European Banking...

Implementation of PSD2: a viewpoint from the EBA, the European Banking Authority

18 March 20

Share This

Disclaimer: The views expressed in this article are solely those of the author and should not be attributed to the European Payments Council.

We close our series of interviews representing the views of various stakeholders on the implementation of the revised Payment Services Directive ( ) with a representative from the European Banking Authority ( ), an independent European Union ( ) supervisory authority. Learn more about how the regulatory agency is assessing the market situation after the implementation deadline in the interview below with Dr Dirk Haubrich, Head of Conduct, Payments and Consumers at the

First, let’s talk about the implementation of the final Regulatory Technical Standards ( ) for strong customer authentication ( ) and common and secure communication ( ) under and their impact on the market. How would you summarise the current status and, in particular, the degree of harmony across the ?

The degree of harmonisation across the for these Technical Standards is high. Not only are the themselves very detailed but the has also provided a large number of additional clarifications, in response to requests we have received from stakeholders. We did so through the Guidelines on the exemption process for the fall-back option, four Opinions on topics such as Electronic Identification and Trust Services Regulation ( ) certificates, the transition from PSD1 to , compliance, and migration, and more than 100 Questions & Answers. And, as is the case with all publications, the content of these clarifications have been agreed by the national supervisory authorities in the .

However, divergences remain, which are driven by a number of factors. These include the different maturities of national payments markets across the and the varying degrees of market penetration by third party providers across those markets.

Other factors have been the large number (approximately 5,000) and diversity of credit institutions that were required to comply with very specific requirements under the , and the tardiness with which some payment service provider ( ) have taken steps to comply with requirements, many of which had been known since November 2014. While these divergences are undesirable and impede the objectives and opportunities of from being realised, only some of them are within the gift of the to mitigate. 

How would you describe customer experience following the implementation of the ?

We have seen continuous improvements of customer journeys over time, a trajectory that we expect to continue in the months ahead.

That said, the has to accept that the approaches taken by some credit institutions are unsatisfactory and ostensibly non-compliant. The continues to monitor the situation and to assess which, if any, additional steps need to be taken. However, the enforcement of regulatory requirements against individual is a responsibility, not of the , but of national supervisory authorities

Have the key objectives of been achieved and if not, what are the remaining challenges? 

The legislators envisaged the Directive to achieve many objectives, some of which are competing with one another: enhancing competition, facilitating innovation, improving payments security, reducing fraud, improving customer convenience, and contributing to a single payments market. And all this had to be accomplished while remaining technology-neutral, i.e. while not favouring any particular technology. 

There are early indications that some of these objectives are materialising. For example, in terms of competition, there are now more than 400 legal entities that are authorised to provide account information or payment initiation services in the . We also have anecdotal evidence that major players perceive the payments market in the as one single market, despite some national variations, which primarily have historic origins that predate the by many decades. Other objectives, by contrast, cannot yet be assessed, such as the degree of payment fraud, which has to await consistent fraud reporting data from across the , which  will become available later in 2020. 

How do you see the future evolution of both in the context of and beyond ? What are likely future developments that will need addressing, e.g. further standardisation or business needs?

A number of different Application Programming Interfaces ( ) standards have developed across the in the past few years, which is inter alia a consequence of the not prescribing in its of 2017 any particular standard that would be imposed on the entire . This was not an omission of the at the time but a deliberate choice: we were mindful of the objectives of to enhance innovation and to remain technology neutral. Prescribing a particular standard would have undermined these objectives. As a public authority, the would also not have been well placed to develop the required technological specifications, nor did we have time to do so, given that we were required to finalise the in only twelve months.

We estimate that the existing standards under will compete with one another based on criteria such as effectiveness, cost, take-up by the industry, degree of compliance with applicable requirements, and customer convenience. Eventually only very few standards will survive, further enhancing the single market objective of the Directive.

With regard to beyond , the has no particular view. As a supervisory authority, the is bound by its legal remit, which in turn is defined by the Directives and Regulations that have been brought into the ’s scope of action. is one of those Directives and we have published ample clarifications in respect of said Directive. But we remain silent on matters outside of our legal remit. That said, should the legislators see merit in promoting interface standards outside , the stands ready to support such work if asked to do so.

Finally, do you already see a need to revise the and if so, why?

The regularly reviews the technical standards and guidelines it has developed and tends to do so every two to three years. However, the on & are not yet fully enforced, as the decided to react to the low degree of industry readiness and compliance with , by exceptionally granting national authorities supervisory flexibility until the end of 2020.

In addition, a review of Technical Standards may not bring about the improvement that some might expect, because the standards have to be compliant with the legal provisions set out in the underlying Directive. The scope for amendments may therefore be smaller than what some might expect.

Finally, a revision of standards is not a quick fix either. The process from start of the review to the application date of the revised standards, including public consultation, adoption by the Commission and scrutiny by the Parliament and Council, will take at least 12-15 months.

However, the will be keeping an open mind, and we will take the measures that are necessary, available to us and in line with the Directive, with a view to help bring about the objectives of the directive. 

Your reactions

If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.