Payment Services Directive (PSD2)

EBA Publishes Final Draft RTS Report Specifying Requirements on More Secure Customer Authentication


On February 23, 2017, the European Banking Authority (“EBA”) published a report setting out its final draft regulatory technical standards (“RTS”) on strong customer authentication and common and secure communication under Article 98 of the Directive on payment services in the internal market (“PSD2”).

The RTS were developed in close cooperation with the European Central Bank (“ECB”) and consulted on by the EBA in August 2016. The key points raised in the consultation related to: the scope and technologically neutral requirements of the draft RTS; the exemptions, including scope, thresholds and the request of many respondents for an exemption for transactions identified as low risk; access to payment accounts by third-party providers; and the requirements around the information communicated.

The EBA states that it had to make difficult trade-offs between the various objectives of PSD2, including enhancing security, encouraging competition, allowing for technology and business‑model neutrality, contributing to the integration of payments in the EU, protecting consumers, facilitating innovation and enhancing customer convenience.

There was extensive input to the consultation paper. The EBA summarizes responses in section 4 of the report and provides its assessment as to whether changes have been made to the RTS as a result of the response.

The final draft RTS are set out in section 3 of the report. The draft will be submitted to the European Commission (EC), after which it will be subject to scrutiny by the European Parliament and the Council of the EU before being published in the Official Journal of the European Union. The RTS will apply 18 months after their adoption by the Commission as a delegated act. The EBA states that this suggests an application date of the RTS in November 2018 at the earliest.

European Parliament Writes to EBA About the Development of Regulatory Technical Standards (RTS) on Strong Customer Authentication and Secure Communication


On November 11, 2016, the EBA published a letter (dated October 24, 2016) from the European Parliament in relation to the development of regulatory technical standards (“RTS”) on strong customer authentication (“SCA”) and secure communications under the Revised Directive on Payment Services (“PSD2”) in the internal market ((EU) 2015/2366).

The European Parliament’s negotiating team is of the view that payment initiation service providers and account information service providers should have direct access to the payer’s account without being required by an account servicing payment service provider to use a particular business model. In its letter, the European Parliament therefore raised its concerns surrounding the EBA’s proposal for a dedicated interface that could give rise to account servicing payment service providers excluding or limiting direct access to a payer’s account via existing online banking facilities. Article 98(2) of PSD2 mandates that the EBA develop RTS in order to secure and maintain fair competition among all payment service providers and to ensure technology and business model neutrality, and the introduction of the dedicated interface will go against this principle.

The European Parliament also stated in its letter that it is of the view that the RTS are unclear in relation to the exemptions from the SCA (notably, whether the exemptions are optional or mandatory).

Text of PSD2 Adopted by European Parliament

On October 9, 2015, the European Parliament published the provisional text of the proposed directive repealing and replacing the Payment Services Directive (2007/64/EC), known as PSD2.

PSD2 will need to be formally adopted by the Council of the EU and will then be published in the Official Journal of the EU, after which date there will be a 2-year implementation period for member states.

EBA Outlines Upcoming Initiatives for the Regulation of Retail Payments

The European Banking Authority (“EBA”) has announced details of its plans to harmonize regulatory and supervisory practices to ensure secure, easy and efficient payment services across the EU. The Payment Services Directive (PSD2) is expected to mandate improved operational and security requirements for payment services, in close cooperation between the EBA and the European Central Bank (ECB) through the Forum for the Security of Retail Payments which the ECB and the EBA chair jointly. As the security requirements under PSD2 are not expected to come into force until 2018/9, the final Guidelines issued by the EBA in December 2014 (applicable as of August 1, 2015) will apply until such time.