The EDPB Replies to Queries from European Parliament on Protection of Personal Data in Context of PSD2

The European Data Protection Board (“EDPB”) has published a letter sent to the European Parliament in relation to the revised Payment Services Directive ((EU) 2015/2366) (“PSD2”).

The letter is in response to a request from Parliament for further clarification of a number of issues relating to the protection of personal data in the context of PSD2. The EDPB is monitoring developments owing to the complex legal framework in this area.

The EDPB comments on the following issues in the letter:

  • Whether the processing of personal data of “silent parties” is legitimate when explicit consent for the processing has (only) been given by another data subject.
  • Commission Delegated Regulation (EU) 2018/389, which contains regulatory technical standards (“RTS”) on strong customer authentication (“SCA”) and common and secure communications (“CSC”) under PSD2.
  • Whether the legal framework is sufficiently clear in relation to the processes of issuing and withdrawing consent under PSD2. The EDPB considers whether the concept of “explicit consent” included in both PSD2 and the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) should be interpreted in the same way.
  • Whether banks are sufficiently cooperative in establishing secure interfaces and avoiding alternative, less secure, methods of accessing account data.

The EDPB considers that there may be grounds for “fruitful” interaction between EU data protection and financial supervision authorities. It would therefore like a dialogue between these authorities to start, with a view to then establishing a coordinated approach aimed at ensuring greater and more consistent consumer protection.

The EDPB replaced the Article 29 Working Party (“WP29”) on May 25, 2018 (the GDPR application date).

EBA Opinion and Draft Guidelines on Implementation of Delegated Regulation Setting Out RTS on SCA and CSC Under PSD2

On June 13, 2018, the European Banking Association (“EBA”) published a consultation paper (EBA/CP/2018/09) on draft guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Delegated Regulation (EU) 2018/389, which sets out regulatory technical standards (“RTS”) on strong customer authentication (“SCA”) and common and secure communication (“CSC”) under the revised Payment Services Directive ((EU) 2015/2366) (“PSD2”).

Alongside the consultation paper, the EBA has published an opinion (EBA-Op-2018-04) on implementation of the RTS on SCA and CSC. Both the draft guidelines and the opinion are designed to clarify a number of issues identified by market participants relating to the RTS on SCA and CSC, which will apply from 14 September 2019.

The draft guidelines propose a pragmatic and consistent approach to the four conditions that an account servicing payment service provider (“ASPSP”) must meet if it wishes to benefit from an exemption from the fallback option envisaged under Article 33(6) of the Delegated Regulation. The EBA considers that the draft guidelines provide clarity for all parties involved (that is, ASPSPs, national competent authorities (“NCAs”) and the EBA) on the information to be considered to determine whether an exemption request meets the Article 33(6) conditions. In particular, the guidelines will enable NCAs to carry out a quick assessment of exemption requests, especially during the period when the bulk of these requests are received.

The EBA plans to hold a public hearing to discuss the draft guidelines on 25 July 2018. Comments can be made on the draft guidelines until 13 August 2018.

The opinion focuses on implementation of the RTS. It sets out the EBA’s views in “pressing” areas identified by the market and NCAs, including exemptions to SCA, consent, the scope of data sharing, and the requirements that application programming interfaces (“APIs”) and dedicated interfaces must take into account. Although the opinion is addressed to NCAs, the EBA advises that, given the supervisory expectations it conveys, it should also prove useful for PSPs, among others.

In the opinion, the EBA explains that it will provide further clarification on interpretation of the RTS on SCA and CSC through its online interactive single rulebook and Q&A tool. The tool will be extended to PSD2-related queries by the end of June 2018.

EC Sends Letter to the EBA on RTS Regarding Customer Authentication Under the Revised Payment Services Directive ((EU) 2015/2366) (“PSD2”)

The European Banking Authority (“EBA”) has published a letter (dated February 13, 2018) from Olivier Guersent (European Commission Director-General, DG FISMA) to Andrea Enria (EBA Chairman) that relates to the regulatory technical standards (“RTS”) on strong customer authentication (“SCA”) as well as common and secure communication under PSD2.

The letter is broad but, inter alia, states the following:

  • The Commission has amended the ‘final’ version of the RTS, and these amendments took on board concerns that were raised by the EBA and member state officials;
  • The Commission would welcome the participation of the EBA in group meetings that will evaluate application programming interface (API) standards;
  • Neither the EBA nor the Commission can reasonably anticipate all the problems with APIs, nor can they specify in the RTS how these should be addressed. As such, the EBA and the Commission will rely on relevant market players to develop APIs that work for all sides (i.e., third-party providers, banks and payment service users); and
  • The prior differences discussed between the EBA and the Commission with regard to the RTS were about processes rather than other, more substantive matters. The extent to which any of these processes might be burdensome for the EBA and relevant national authorities depends on the behavior of market players.