[Openid-specs-fapi] Update on EBA RTS
dave.tonge at momentumft.co.uk
Wed Oct 11 14:21:20 UTC 2017
Dear FAPI Working Group
As discussed on the call, here is the latest information we have on the RTS:
1. RTS is in the final stages of approval by EC – expected early Nov
(effective date likely to be Sept 2019). On screen scraping (known as the
fall back option) the draft EC proposal is that PSP firms will be able to
seek a regulatory exemption, to be granted by the competent authority, to
avoid having to support screen scraping at all. To obtain an exception
will require a vetting process based upon at least the following criteria:
a. The APIs are technically PSD2/RTS compliant
b. They are available 3 months ahead of implementation
c. They have been market tested
d. They adhere to specific performance criteria
The EC also proposes that the ERPB (European) industry group on APIs, that
I established and which I co-chair, could, de facto, become the industry
group to ‘vet’ APIs with support and active participation by EC (DG FISMA
and DG COMP) and including the national competent authorities (like FCA).
This is a very significant and incredibly positive development as the EC is
effectively saying that they want to ‘bless’ industry to guide them, the
regulators, to get this right.
Therefore, the OB PSD2 APIs would conceivably have to go through this
vetting and approval process, which illustrates the importance of aligning
our PSD2 roadmap assumptions based on the direction set at European level.
This will help to avoid divergence between standards at the national level.
2. There have been some questions recently about the redirection
model for PSU authorisation and whether it is PSD2 compliant.
EC supports the view that “APIs must support all authentication procedures
provided by the ASPSP to the PSU, but *must not require the TPP to have to
use the redirect option*”. Strictly speaking, the EC is not banning
redirection, but it does support the view that a TPP should not have to be
forced to use it. Logically therefore, it cannot be the only option
available. The EC also supports the view that the TPP must be “free from
constraints to innovate the design of the user interface for the PSU’s
consent and authorisation journey for both PIS and AIS”. Within the ERPB
API group we agreed yesterday in Brussels to go into detail on this topic
to define what is acceptable based on the three methods of redirect,
and embedded. The objective is to set a ‘bar’ of acceptability to be
blessed by the EC as one of the criteria by which to ‘vet’ API standards
for conformity with PSD2/RTS.