The European Commission has published regulatory technical standards (RTS) that are part of the Payment Services Directive, or PSD2. The standards ensure greater security when paying for goods and services in Europe, as well as for third party access to bank customers’ data.
The new regulation revealed by the European Commission (EC) seeks to protect consumers, as EC Vice President Valdis Dombrovskis said in a statement: “These new rules will guide all market players, old and new, to offer better payment services to consumers while ensuring their security.”
The first phase of PSD2, which replaces the PSD from the year 2007, will enter into force on January 13th in Spain. However, some of these security elements like those approved this week will become legally binding around September 2019 to give banks and financial technology companies time to adjust. Furthermore, the European Parliament and European Council have three months to review them.
These rules, defined by the European Commission “in close collaboration with the European Central Bank” establish the use of two safety features to help combat fraud. These features include a password, PIN, card, mobile phone, iris scan or digital fingerprint, among others. Current practice tends to require only a password or credit card information.
Authentication using two safety features currently exists. The ability to easily check these two features in one step (or none) will become a competitive advantage.
Access to customer data through interfaces
One of the most interesting aspects of PSD2 is that it regulates third party access to accounts. This means that third parties can be given access to individual and corporate accounts in the European Union.
With the rules announced yesterday, the EC is regulating access to these payment accounts. Account holders must give consent for a licensed third party who wants to offer payment services to access their data. These rules prevent so-called “screen scraping,” as the European Banking Authority recommended. Access to data via screen scraping means that a third party makes a copy of the information contained in a web site by pretending to be an ordinary user without the bank being able to detect this type of access.
With the recently approved technical standards, the EC enables access via banks’ open APIs, which are safer for consumers. Banks will have to grant the third party access, either by adapting the existing interface or creating a new one for fintech companies.