[Openid-specs-fapi] EBA RTS
Dave Tonge
dave.tonge at momentumft.co.uk
Wed Mar 1 16:43:55 UTC 2017
Hi all,
The EBA has published its latest regulatory technical standards:
https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
As the FAPI Working Group we responded to the previous draft:
https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2?p_p_auth=uy1W7oVC&p_p_id=169&p_p_lifecycle=0&p_p_state=maximized&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&_169_struts_action=%2Fdynamic_data_list_display%2Fview_record&_169_recordId=1617559
Here is a summary of the EBA response to our concerns:
*1. Authentication confused with Authorisation*
The EBA acknowledged the difference but didn't change anything in the draft
- see Comment 1.
*2. Ambiguity as to whether dynamic linking / SCA could take place on a
single device*
See Comment 10 - the EBA provided further clarity around this point. SCA
can take place on a single device.
*3. Monthly re-authorisation too onerous*
The EBA have changed the requirement to re-authorise access from 30 to 90
days.
*4. ISO20022?*
The EBA clarified that they are referring to ISO20022 message elements, not
data format or transports. *"Account servicing payment service providers
shall also ensure that the dedicated interface uses ISO 20022 elements,
components or approved message definitions, for financial messaging."*
*5. Why not OAuth*
The RTS has strived to be technology neutral and while mention is made of
OAuth2 in the comments they have explicitly decided not to refer to any
specific technologies or standards beyond ISO20022.
*6. How will an ASPSP determine whether a request is "active" or
"automated"*
The EBA increased the allowed number of automated requests from 2 to 4 per
24 hours. They made no reference to how an ASPSP will determine the type of
request.
Separately from the RTS it is also worth noting that the ERPB (Euro Retail
Payments Board at the European Central Bank) has started a working group to
look at technical standards for PSD2:
https://www.ecb.europa.eu/paym/retpaym/shared/pdf/6th-ERPB-meeting/Mandate_of_the_working_group_on_payment_initaition_services.pdf?8011ec3d660529b12af514e6e7bc8639
--
Dave Tonge