European Commission adopts EBA/RTS

27 Nov 2017 04:32 PM

Rules on strong customer authentication and screen-scraping finally published.

The long-awaited Regulation on strong customer authentication (SCA) has finally been agreed at Commission level and published (see Commission press release).

The Delegated Regulation (full text) sets rules on how account servicing payment service providers (ASPSPs – who are mainly banks) must ensure the security of customer data which is released to third-party providers (TPPs) under the PSD2. It also aims to improve competition in the market.

The text has adopted a compromise position on the difficult issue of screen-scraping. This will be preserved as a ‘fall-back’ but national authorities will be able to exempt banks from maintaining the fall-back interface as long as performance criteria for a dedicated TPP interface are met.

The European Parliament and Council still have 3 months to examine the text before final approval and publication in the Official Journal. It will then become final.

Main provisions:

Transition period: The PSD2 comes into effect on 13 Jan 2018 and the RTS in Sept 2019. In this period, banks must adapt their systems. The Commission is clear that TPPs will be able to continue to use screen-scraping during this time.