Disclaimer: The views expressed in this article are solely those of the author and should not be attributed to the European Payments Council.

We close our series of interviews representing the views of various stakeholders on the implementation of the revised Payment Services Directive (PSD2) with a representative from the European Banking Authority (EBA), an independent European Union (EU) supervisory authority. Learn more about how the regulatory agency is assessing the market situation after the PSD2 implementation deadline in the interview below with Dr Dirk Haubrich, Head of Conduct, Payments and Consumers at the EBA. 

First, let’s talk about the implementation of the final Regulatory Technical Standards (RTS) for strong customer authentication (SCA) and common and secure communication (CSC) under PSD2 and their impact on the market. How would you summarise the current status and, in particular, the degree of harmony across the EU?

The degree of harmonisation across the EU for these Technical Standards is high. Not only are the RTS themselves very detailed but the EBA has also provided a large number of additional clarifications, in response to requests we have received from stakeholders. We did so through the Guidelines on the exemption process for the fall-back option, four Opinions on topics such as Electronic Identification and Trust Services Regulation (eIDAS) certificates, the transition from PSD1 to PSD2, SCA compliance, and SCA migration, and more than 100 Questions & Answers. And, as is the case with all EBA publications, the content of these clarifications have been agreed by the national supervisory authorities in the EU.

However, divergences remain, which are driven by a number of factors. These include the different maturities of national payments markets across the EU and the varying degrees of market penetration by third party providers across those markets.

Other factors have been the large number (approximately 5,000) and diversity of credit institutions that were required to comply with very specific requirements under the RTS, and the tardiness with which some payment service provider (PSPs) have taken steps to comply with requirements, many of which had been known since November 2014. While these divergences are undesirable and impede the objectives and opportunities of PSD2 from being realised, only some of them are within the gift of the EBA to mitigate. 

How would you describe customer experience following the implementation of the RTS?

We have seen continuous improvements of customer journeys over time, a trajectory that we expect to continue in the months ahead.

That said, the EBA has to accept that the approaches taken by some credit institutions are unsatisfactory and ostensibly non-compliant. The EBA continues to monitor the situation and to assess which, if any, additional steps need to be taken. However, the enforcement of regulatory requirements against individual PSPs is a responsibility, not of the EBA, but of national supervisory authorities. 

Have the key objectives of PSD2 been achieved and if not, what are the remaining challenges? 

The EU legislators envisaged the Directive to achieve many objectives, some of which are competing with one another: enhancing competition, facilitating innovation, improving payments security, reducing fraud, improving customer convenience, and contributing to a single EU payments market. And all this had to be accomplished while remaining technology-neutral, i.e. while not favouring any particular technology. 

There are early indications that some of these objectives are materialising. For example, in terms of competition, there are now more than 400 legal entities that are authorised to provide account information or payment initiation services in the EU. We also have anecdotal evidence that major players perceive the payments market in the EU as one single market, despite some national variations, which primarily have historic origins that predate the PSD2 by many decades. Other objectives, by contrast, cannot yet be assessed, such as the degree of payment fraud, which has to await consistent fraud reporting data from across the EU, which  will become available later in 2020. 

How do you see the future evolution of APIs both in the context of and beyond PSD2? What are likely future developments that will need addressing, e.g. further standardisation or business needs?

A number of different Application Programming Interfaces (API) standards have developed across the EU in the past few years, which is inter alia a consequence of the EBA not prescribing in its RTS of 2017 any particular API standard that would be imposed on the entire EU. This was not an omission of the EBA at the time but a deliberate choice: we were mindful of the objectives of PSD2 to enhance innovation and to remain technology neutral. Prescribing a particular API standard would have undermined these objectives. As a public authority, the EBA would also not have been well placed to develop the required technological specifications, nor did we have time to do so, given that we were required to finalise the RTS in only twelve months.

We estimate that the existing API standards under PSD2 will compete with one another based on criteria such as effectiveness, cost, take-up by the industry, degree of compliance with applicable requirements, and customer convenience. Eventually only very few API standards will survive, further enhancing the single market objective of the Directive.

With regard to APIs beyond PSD2, the EBA has no particular view. As a supervisory authority, the EBA is bound by its legal remit, which in turn is defined by the EU Directives and Regulations that have been brought into the EBA’s scope of action. PSD2 is one of those Directives and we have published ample clarifications in respect of said Directive. But we remain silent on matters outside of our legal remit. That said, should the EU legislators see merit in promoting interface standards outside PSD2, the EBA stands ready to support such work if asked to do so.

Finally, do you already see a need to revise the RTS and if so, why?

The EBA regularly reviews the technical standards and guidelines it has developed and tends to do so every two to three years. However, the RTS on SCA & CSC are not yet fully enforced, as the EBA decided to react to the low degree of industry readiness and compliance with SCA, by exceptionally granting national authorities supervisory flexibility until the end of 2020.

In addition, a review of Technical Standards may not bring about the improvement that some might expect, because the standards have to be compliant with the legal provisions set out in the underlying Directive. The scope for amendments may therefore be smaller than what some might expect.

Finally, a revision of standards is not a quick fix either. The process from start of the review to the application date of the revised standards, including public consultation, adoption by the EU Commission and scrutiny by the EU Parliament and EU Council, will take at least 12-15 months.

However, the EBA will be keeping an open mind, and we will take the measures that are necessary, available to us and in line with the Directive, with a view to help bring about the objectives of the directive.