1.1 EBA updates Single Rulebook Q&A on PSD2

During the period 1 October 2021 to 31 December 2021, the European Banking Authority (EBA) updated its Single Rulebook Questions and Answers (Q&A) publication (Single Rulebook Q&A) on the Revised Payment Services Directive (2015/2366/EU) (PSD2). The Q&As in respect of the following articles have been updated:

  • Article 3(b) - The implementation of commercial agent exclusion for e-commerce platforms;
  • Article 4(30) – Definitions: Strong customer authentication;
  • Article 28(5) - Application to exercise the right of establishment and freedom to provide services;
  • Article 44/45 – Information to be provided by the payment initiation service provider (PISP) prior to the initiation of the transaction;
  • Article 65 - Confirmation on the availability of funds;
  • Article 66(1) - Rules on access to payment account in the case of payment initiation services;
  • Article 74 - Payer's liability for unauthorised payment transactions;
  • Article 94(2) – Data protection;
  • Article 97 – Authentication; and
  • Article 98 - Regulatory technical standards on authentication and communication.

A copy of the Single Rulebook Q&A can be accessed here.

1.2 EBA repeals guidelines on security of internet payments

On 14 October 2021, the EBA published a press release announcing that it has repealed its guidelines on the security of internet payments. These guidelines, published in December 2014, detail how provisions in Directive 2007/64/EC (the Payment Services Directive or PSD) should be interpreted for the purpose of enhancing the security of payment services, with a view to mitigating the risks from the growing payments fraud that occurred at the time.

These guidelines were, therefore, published before PSD2 entered into force in January 2016 and have since then been superseded by the more specific requirements within PSD2 and supportive EBA instruments, including regulatory technical standards (RTS) on strong consumer authentication (SCA) and common and secure communication (CSC), which have applied since September 2019.

As PSD2 and related EBA instruments go beyond the requirements set out in the guidelines, the EBA has decided to repeal them and ask national competent authorities (NCAs) to take corresponding steps at a national level.

A copy of the press release can be accessed here.

1.3 EBA consults on amending RTS on SCA and CSC under PSD2

On 28 October 2021, the EBA published a consultation paper concerning the amending of its RTS on SCA and CSC under PSD2 with regard to the 90-day exemption from SCA for account access. The objective is to address a number of issues that the EBA has identified in the application of the exemption.

The RTS specified requirements for SCA and a number of exemptions to its application. The EBA allowed for the exemptions to apply on a voluntary basis, and this has led to divergence in their application. The consultation paper pays particular attention to cases where account servicing payment service providers (ASPSPs) have not made use of the 90-day exemption and request SCA for each account access, or where they request SCA more frequently than every 90 days.

To address these issues, the EBA proposes to:

  • Introduce a new mandatory exemption from SCA specifically where access is through an account information service provider (AISP) that is subject to certain consumer data safeguards and conditions;
  • Retain the voluntary exemption in Article 10 of the RTS where consumers access account information directly; and
  • Extend the 90-day exemption period in Article 10 of the RTS to 180 days for the renewal of SCA when the account data is accessed through an AISP or directly by a customer.

The consultation process closed on 25 November 2021, following an online public hearing on 11 November 2021.

A copy of the consultation paper can be accessed here.

1.4 European Commission call for advice on PSD2 review

On 18 November 2021, the EBA published a call for advice received from the European Commission on the review of PSD2.

The review clause contained within Article 108 of PSD2 requires the European Commission to submit a report to the European Parliament, the European Central Bank (ECB) and European Economic and Social Committee on the application of the Directive and, if appropriate, submit a legislative proposal.

The EBA is requested to gather evidence and provide advice on the application and impact of PSD2 relating, inter alia, to the supervision of payment service providers (PSPs), rights and obligations, access to and use of payment accounts data relating to payment initiation services and account information services, and SCA.

The EBA is requested to deliver its advice to the European Commission by 30 June 2022.

A copy of the EBA call for advice can be accessed here.

1.5 Revised Guidelines on major incident reporting under PSD2 come into effect

On 1 January 2022, the revised guidelines on major incident reporting under PSD2 (EBA/GL/2021/03) (the Guidelines) come into effect, following consultation in December 2020.

The Guidelines apply in relation to the classification and reporting of major operational or security incidents in accordance with Article 96 PSD2. The Guidelines are addressed to PSPs and the NCAs under PSD2 and aim to:

  • Optimise and, where possible, simplify the reporting of major incidents under PSD2 and the underlying reporting templates, in order to ease the reporting burden on PSPs and to improve the meaningfulness of the reports received;
  • Capture additional security incidents that would not qualify as major under the criteria set in the original guidelines, but that experience has shown are material; and
  • Reduce the number of operational incidents that will be reported but that do not have a significant impact on the operations of PSPs.

The Central Bank of Ireland (Central Bank) reported their intention to comply by 1 January 2022.

A copy of the final report of the Guidelines can be accessed here.

To read the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.