Final PSD2 requirements enter into force but with important considerations
The Regulatory Technical Standards (RTS) on Strong Customer Authentication and Common and Secure Communication came into force under Payment Services Directive 2 (PSD2) on Saturday 14 September 2019. While this is a welcome development, payment service providers should be aware that there are still some important points to consider.
Under the RTS, payment service providers (PSPs) are required to ensure that interfaces allow for unobstructed and efficient provision of account information and payment initiation services. However, regulators in some countries, such as the United Kingdom and Germany, have granted additional time to allow account servicing PSPs to complete the implementation of their interfaces.
All digital payments fall within the scope of the RTS by default, so they must be secured by multi-factor authentication methods. There are various exemptions to the RTS requirements, however, which make optimal implementation of the requirements complex.
Due to these complexities, not all PSPs are currently compliant, despite the deadline now having passed. The European Banking Authority has recognised this issue and has indicated that, in order to avoid unnecessary disruption, supervisory authorities may give certain PSPs additional time to implement all the required changes.
Nevertheless, those PSPs must have a concrete migration plan in place which must be discussed with and approved by the national supervisory authority. This situation is further complicated by the fact that not all EU countries follow the same approach, which creates extra challenges for PSPs with cross-border operations.
INNOPAY continues to monitor these developments closely and has the necessary knowledge to guide you through these uncertain times. We provide a broad spectrum of PSD2 and Open Banking-related services for financial institutions, including strategically aligned PSD2-compliant solutions. We have recently published a blog on licensing of third-party providers (TPPs), in which we point out the most pressing issues for TPPs to be aware of. Additionally, we regularly publish a TPP radar, signalling the latest European developments around TPPs.