What the EBA putting its foot down on PSD2 API obstacles really means

article published by Tink

The latest EBA Opinion sets its sights on a level playing field for PSD2 APIs across Europe, by calling for the removal of obstacles that obstruct TPP’s access to accounts for open banking services – by 30 April 2021. Here’s Tink’s take on the most important bits of the Opinion, and what it means for banks and TPPs alike.

The quick take

The EBA Opinion sends an important signal to the market. It sets out that obstacles in PSD2 APIs, that prevent third-party providers (TPPs) from accessing accounts for open banking services, are no longer subjective or dependent on TPP feedback – and will no longer be tolerated.

This aims to create much more of a level playing field across the EU, and between banks. Our take is that the removal of obstacles, especially during the authentication flow, will ultimately increase conversion, increase the adoption of open banking solutions, and ensure that payment initiation becomes a true alternative to many established payment technologies.

One of the biggest problems lies in the fallback exemptions that have been granted to a large number of banks. This is despite common obstacles obstructing authorised TPPs from accessing payment accounts.

This EBA Opinion essentially tells financial authorities to revoke fallback exemptions if banks don’t remove obstacles from their PSD2 APIs – suggesting financial authorities can resort to fines if banks fail to comply. If the EBA finds inconsistencies in the way PSD2 and the Regulatory Technical Standards (RTS) are applied after 30 April 2021, it will take action to rectify this across EU Member States.

Why it matters

This EBA Opinion shows that ‘obstacles’ are no longer seen as subjective. They are measurable, and the responsibility to assess PSD2 APIs lies within the financial authorities’ competence. This is a significant step on from obstacles being defined by TPP’s feedback, which inevitably varies across EU states depending on the number of TPPs present and the maturity of the open banking market.

So what are the obstacles the EBA is referring to? Most of them are highlighted in the EBA Opinion from June 4, 2020, and relate to the authentication flow.

1. Not supporting app-to-app or decoupled redirection, when this is offered to customers in their normal banking interface, forcing users through inconvenient and unintuitive journeys where they need to enter IBAN details or username and passwords on their mobile devices.
2. Requiring more than one strong customer authentication (SCA) for AIS and PIS. Some banks require the user to complete an SCA flow at the start of the authentication journey, when they select and confirm an account to connect to, and when they give access to low-risk payment account information for 90 days.
3. That some banks have embedded superfluous steps and consent checks into the authentication journey, forcing users to go through 5-15 screens which can take the average user 2-3 minutes to complete, instead of 1-3 screens that can be completed in 10-30 seconds.

But there are more obstacles than the ones listed above. TPPs frequently find obstacles in the registration process, support communication, scope of account access, scope of data, access to the account when the user is not present, and many other areas.

Whatever the obstacles are, the EBA stresses that PSD2 APIs should not create unnecessary friction or add unnecessary steps to the customer journey.

The bigger picture

To understand the real importance of this EBA Opinion, we need to go back to basics on PSD2 and the RTS for Strong Customer Authentication (SCA) and Common Secure Communication (CSC).

After PSD2 was enforced in 2016, the EBA laid out how authorised TPPs – offering account information or payment initiation services – could access a customer’s bank account. It was common for companies like Tink to do this by accessing the existing and proven customer interface, to provide valuable open banking services with the customer’s explicit consent.

But many banks indicated it would be better for their customers and back-end systems if TPPs only used a dedicated interface – PSD2 APIs – to access payment account data.

To protect established TPPs from the impact of poor PSD2 APIs, the EBA stated that banks could only receive an exemption from allowing TPPs to access the customer interface (know as a fallback exemption) if the PSD2 API met strict criteria:

1. The PSD2 API is available for testing for six months and widely used for three months.
2. The PSD2 API would perform as well as or better than the customer interface from a technical perspective.
3. It would not create obstacles for the TPP when using the PSD2 API to offer open banking services.

Feedback and fallbacks

When the PSD2 APIs were first introduced – between March and September 2019 – many financial authorities hadn’t received any feedback from TPPs on whether the PSD2 APIs created obstacles. In countries where there were only a handful of licensed TPPs, authorities were quicker to provide fallback exemptions than in countries where established TPPs have been operating for many years.

Back in the summer of 2020, the EBA urged authorities to remove obstacles that were making it difficult for TPPs to offer competitive open banking services, whether they had received complaints about PSD2 APIs or not. But this newest opinion goes a step further.

The EBA is now asking financial authorities to enforce PSD2 and the RTS the way it is intended.

Now that the TPPs have been testing and using PSD2 APIs for 24 months, the EBA wants financial authorities to review the fallback exemptions and ensure that the obstacles in PSD2 APIs are identified and removed within reasonable time and with undue delay.

If banks don’t or can’t remove these obstacles, the authorities are expected to revoke the fallback exemptions – giving TPPs back the ability to provide open banking services through screen scraping or reverse engineering the customer interface. The EBA has even suggested that authorities have the power to impose fines for non-compliance, and the EBA will itself take action if inconsistencies are found in the application of PSD2 and the RTS after 30 April 2021.

We are glad that the EBA is clearly putting its foot down, to create the level playing field that is needed.