PSD2

The EDPB Replies to Queries from European Parliament on Protection of Personal Data in Context of PSD2

The European Data Protection Board (“EDPB”) has published a letter sent to the European Parliament in relation to the revised Payment Services Directive ((EU) 2015/2366) (“PSD2”).

The letter is in response to a request from Parliament for further clarification of a number of issues relating to the protection of personal data in the context of PSD2. The EDPB is monitoring developments owing to the complex legal framework in this area.

The EDPB comments on the following issues in the letter:

  • Whether the processing of personal data of “silent parties” is legitimate when explicit consent for the processing has (only) been given by another data subject.
  • Commission Delegated Regulation (EU) 2018/389, which contains regulatory technical standards (“RTS”) on strong customer authentication (“SCA”) and common and secure communications (“CSC”) under PSD2.
  • Whether the legal framework is sufficiently clear in relation to the processes of issuing and withdrawing consent under PSD2. The EDPB considers whether the concept of “explicit consent” included in both PSD2 and the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) should be interpreted in the same way.
  • Whether banks are sufficiently cooperative in establishing secure interfaces and avoiding alternative, less secure, methods of accessing account data.

The EDPB considers that there may be grounds for “fruitful” interaction between EU data protection and financial supervision authorities. It would therefore like a dialogue between these authorities to start, with a view to then establishing a coordinated approach aimed at ensuring greater and more consistent consumer protection.

The EDPB replaced the Article 29 Working Party (“WP29”) on May 25, 2018 (the GDPR application date).

EBA Opinion and Draft Guidelines on Implementation of Delegated Regulation Setting Out RTS on SCA and CSC Under PSD2

On June 13, 2018, the European Banking Association (“EBA”) published a consultation paper (EBA/CP/2018/09) on draft guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Delegated Regulation (EU) 2018/389, which sets out regulatory technical standards (“RTS”) on strong customer authentication (“SCA”) and common and secure communication (“CSC”) under the revised Payment Services Directive ((EU) 2015/2366) (“PSD2”).

Alongside the consultation paper, the EBA has published an opinion (EBA-Op-2018-04) on implementation of the RTS on SCA and CSC. Both the draft guidelines and the opinion are designed to clarify a number of issues identified by market participants relating to the RTS on SCA and CSC, which will apply from 14 September 2019.

The draft guidelines propose a pragmatic and consistent approach to the four conditions that an account servicing payment service provider (“ASPSP”) must meet if it wishes to benefit from an exemption from the fallback option envisaged under Article 33(6) of the Delegated Regulation. The EBA considers that the draft guidelines provide clarity for all parties involved (that is, ASPSPs, national competent authorities (“NCAs”) and the EBA) on the information to be considered to determine whether an exemption request meets the Article 33(6) conditions. In particular, the guidelines will enable NCAs to carry out a quick assessment of exemption requests, especially during the time when the bulk of these requests are received.

The EBA plans to hold a public hearing to discuss the draft guidelines on 25 July 2018. Comments can be made on the draft guidelines until 13 August 2018.

The opinion focuses on implementation of the RTS. It sets out the EBA’s views in “pressing” areas identified by the market and NCAs, including on exemptions to SCA, consent, the scope of data sharing, and requirements for application programming interfaces (“APIs”) and dedicated interfaces to take into account. Although the opinion is addressed to NCAs, given the supervisory expectations it is conveying, the EBA advises it should prove useful for PSPs, among others.

In the opinion, the EBA explains that it will provide further clarification on interpretation of the RTS on SCA and CSC through its online interactive single rulebook and Q&A tool. The tool will be extended to PSD2-related queries by the end of June 2018.

EBA Final RTS on Cooperation and Exchange of Information for Passporting under PSD2

On December 14, 2016, the European Banking Authority (“EBA”) published its final draft regulatory technical standards (“RTS”) on passport notifications under the revised Payment Services Directive ((EU) 2015/2366) (“PSD2”) (EBA/RTS/2016/08).

Article 28 of PSD2 requires an authorized payment institution to inform the competent authorities of its home member state if it wishes to provide payment services for the first time in one or more member states other than its home member state. Article 28(5) gives the EBA a mandate to develop draft RTS, specifying method, means and details of the cross-border cooperation between competent authorities in the context of passport notifications of payment institutions. The RTS must include the scope of information to be submitted, a common terminology and standard templates, to ensure that the process is consistent and efficient.

The EBA consulted on the draft RTS in December 2015. Changes to the final version of the RTS in light of responses to the consultation include:

  • More clarity for when a payment institution uses an agent or an e-money institution uses a distributor.
  • New provisions so that payment institutions will be informed when the notification is transmitted from the competent authority in the home member state to the authority in the host member state.
  • A new field in a number of templates to include the legal entity identifier (LEI) as an identification number where available.
  • Deletion of information relating to governance arrangements and internal control mechanisms, outsourcing and the agent structural organization.

The EBA has also published a flowchart providing a guide to competent authorities on which notification templates to use.

The final draft RTS will now be submitted to the European Commission for endorsement. The draft Delegated Regulation states that it shall enter into force 20 days after it is published in the Official Journal of the EU (OJ).

EBA Consults on Guidelines on Minimum Professional Indemnity Insurance under PSD2

On September 22, 2016, the European Banking Authority (EBA) published a consultation paper (EBA/CP/2016/12) on draft guidelines in relation to professional indemnity insurance (PII) and the criteria competent authorities should follow when stipulating the minimum monetary amount of the PII or comparable guarantees for undertakings that apply to provide payment initiation services or account information services under PSD2 (the Directive on payment services in the internal market ((EU) 2015/2366)). The EBA was mandated to produce the guidelines under Article 5(4) of PSD2. The consultation on the draft guidelines closes on November 30, 2016.

As well as setting out the proposed criteria, the EBA also:

  • Sets out with explanations its proposal to use a formula for the calculation of the minimum monetary amounts.
  • Provides details on indicators for the criteria set out in PSD2 along with the calculation method proposed for some of those indicators.
  • Provides circumstances in which the lowest tier, or default value, should be used.

The EBA also provided practical examples to assist in the calculation of the minimum amount of PII or comparable guarantee.