The Regulatory Technical Standards for Strong Customer Authentication (RTS SCA) are coming into effect on September 14, 2019, and will require day-one changes for systems in place. After spending the last few months beta-testing bank APIs in their sandbox environments, we can conclude that the PSD2 Open Banking mission, and its successful implementation, will greatly benefit from an extended transition period.
At Eurobits, we have often underlined the importance of open banking and the contributions PSD2 brings to the industry as a whole, in terms of innovation, consumer experience and integration. A significant number of European banks continue to work hard to issue operational interfaces as quickly as possible, yet most APIs available so far are not compliant in terms of quality, maturity and availability. This circumstance could potentially jeopardize the way those innovative payment services will be offered, thus delaying proper functionality.
Furthermore, the RTS on SCA and CSC will also hinder those third-party interactions that are already working as of now, unless ASPSPs are ready to implement the PSD2 fallback mechanism as per articles 33(4) and 33(6) of the RTS. It all comes down to readiness, as TPPs will have no choice but to use the existing APIs. However, there are many ASPSPs that have yet to establish sandbox environments that meet the requirements of a production API, which were due last June 14th for those banks that aimed to qualify for the exemption from creating the abovementioned fallback mechanism.
As the deadline draws near, it becomes increasingly unlikely that testing time will prove sufficient. The purpose of the sandbox environment is to create a failsafe interface for TPPs and developers to try out functionality, to connect and to test the user experience. Its behaviour is expected to be the same as that of the production APIs, thus allowing a seamless transition. APIs have to be ready for TPPs to integrate with, to reliably access information and to build upon. However, tested APIs are falling short of achieving such objectives and are instead implementing additional obstacles as defined in article 32.3.
With less than six weeks to go, TPPs are facing many challenges and have good reason to be wary about SCA entering into force on September 14th due to the lack of availability of compliant testing environments. The risk of encountering non-working APIs, coupled with an as-yet undocumented fallback mechanism, will demand a blind, fast reaction from TPPs to continue to provide services to their customers. With a rushed reaction to this new technology, the probability of a negatively impacted customer experience is increasing every day, and this places TPPs’ business foundation at risk. There is an increasing need for a transition period that allows banks to finalize work on their APIs to facilitate a smooth transition and avoid an unfavourable situation for stakeholders.
It is beyond any doubt at Eurobits that TPPs aim to provide a successful, stable and secure open banking experience for end users. As banks and API vendors are developing new PSD2-compliant interfaces, feedback becomes critical to improvement. Interfaces need to be, first and foremost, useful and functional in order to support APIs and business-critical services.
Even though there are some bank APIs that are starting to meet expectations, not all sandboxes have been able to accurately reflect the user’s journey or provide a satisfactory testing environment. Under SCA, the authentication flows will have a significant impact on TPPs and end users alike, more so than current online or app-based banking services.
The RTS on SCA & CSC highlights the importance of communication and documentation between ASPSPs and TPPs, with particular focus on the technical instruction manuals for PSD2 API integration and TPPs’ identification and certification procedures. Definitions and ranges of each type of account, payment or user for AIS/PIS services are also largely missing from current production environments as required by the European Banking Authority’s (EBA) guidance.
Any transition period to be implemented must follow a strict monitoring and evaluation process to guarantee a successful adaptation and compliance with the new standards. There is a concern about measuring the availability and performance of the dedicated interface and comparing that performance with the interfaces made available to the payment service user. Testing is essential as it helps identify errors that need debugging and will underscore issues with the bank APIs. This exceptional extension period will ensure continuity for business and a level playing field that fosters innovation and competition amongst current and new service providers.
Should national authorities create this extended transition period, they must also encourage banks to establish a fallback mechanism. TPPs must not only be involved in the exemption process; they also need to continue to offer their services while banks take the time they need to develop and deploy production-ready, fully PSD2-compliant APIs. Otherwise, come September 14th, millions of customers across Europe will be prevented from managing their daily finances as they are used to, deteriorating existing services altogether and setting a negative precedent contrary to the very reason PSD2 was created.