On February 23, 2017, the European Banking Authority (“EBA“) published a report setting out its final draft regulatory technical standards (“RTS“) on strong customer authentication and common and secure communication under Article 98 of the Directive on payment services in the internal market (“PSD2“).

The RTS were developed in close cooperation with the European Central Bank (“ECB“) and consulted on by the EBA in August 2016. The key points raised in the consultation related to the scope and technologically neutral requirements of the draft RTS, the exemptions, including scope, thresholds and the request of many respondents for an exemption for transactions identified as low risk, access to payment accounts by third-party providers and the requirements around the information communicated.

The EBA states that it had to make difficult trade-offs between the various objectives of PSD2, including enhancing security, encouraging competition, allowing for technology and business‑model neutrality, contributing to the integration of payments in the EU, protecting consumers, facilitating innovation and enhancing customer convenience.

There was extensive input to the consultation paper. The EBA summarizes responses in section 4 of the report and provides its assessment as to whether changes have been made to the RTS as a result of the response.

The final draft RTS are set out in section 3 of the report. The draft will be submitted to the European Commission (EC), after which it will be subject to scrutiny by the European Parliament and the Council of the EU before being published in the Official Journal of the European Union. The RTS will apply 18 months after their adoption by the Commission as a delegated act. The EBA states that this suggests an application date of the RTS in November 2018 at the earliest.