November 25, 2021
180 days is not enough
The European Banking Authority (EBA) closed its public consultation today on the amendment of its Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and the 90-day exemption — a notorious bugbear in the revised Payment Services Directive (PSD2).
This is great news for the industry, but does it go far enough? The short answer is No.
The new proposal
The EBA suggests a new mandatory exemption from SCA when the account access is done through an Account Information Service Provider (AISP) or, alternatively, through a licensed Third Party Provider (TPP), such as Plaid, that has explicit consumer consent to retrieve data.
The “exemption” mandate is clearly a good thing given the often arbitrary process of some banks applying SCA every time an open banking TPP accesses the account, rather than only at the 90-day mark. A mandatory exemption will provide some certainty in the market, and to provide further flexibility, the regulator suggests an extension of the 90-day renewal to 180 days. This will provide some relief, but it does not resolve the core of the problem.
What’s on the table
The EBA has also been clear in its public statements that, given the tight legal constraints of the RTS, more fundamental reform is not on the cards for now, and it has pointed to a wider EU Commission review of PSD2 which should follow in 2022. For TPPs like Plaid, this can’t come quickly enough; the evidence base is already here.
What the industry needs
Short term - Extend 180 to 365 Days
In the short term, the EBA should extend the SCA renewal period to the maximum time period deemed possible by the law. Plaid would suggest 365 days as a suitable time frame, given the extremely low-risk nature of AIS activity that the EBA itself has described. This would allow time for the PSD2 review to provide more fundamental reforms to SCA. In the unlikely event that consumer protection issues arise within this period, the EBA could revert to 180 days.
Long term - Consumer consent should be managed at the TPP level
Longer-term, Plaid firmly believes that the responsibility for carrying out re-consent should lie with the AISP/TPP that is accessing payment account data with the consumer’s explicit consent. Consumers have a relationship with the product or service they are using and this should be where they manage their consent, not in the bank’s domain.
TPP-managed consent should ideally occur through a portal approach, where a user can see and manage all their connections. This is the best way to provide consumers with a clear list of (i) TPPs that have access to their payment account data, (ii) the payment accounts they have connected and (iii) the transaction data collected by the TPP.
From a re-consent perspective, TPP-managed consent through a portal would enable consumers to review and actively decide whether they want to re-consent or whether they want to revoke their consent and have their data deleted (as per GDPR).
The EBA has stated in its consultation that, “SCA, as it stands today, has created undesirable friction for customers when using account information services, and has led to a negative impact on the services of account information service providers (AISPs).”
In the short term, the EBA should introduce a 365-day renewal period, but long-term reform is needed. It makes no sense for consent to be managed at the bank; it should be held where it belongs - in the hands of consumers.