EBA Recommends a Standard API for Open Banking in New PSD3 

The European Banking Authority (EBA) published on Thursday, June 23 an opinion in response to the European Commission’s call for advice on the upcoming review of the Payment Services Directive (PSD2). The opinion, far from being a mere reply to fulfill its statutory duties, contains more than 200 proposals that in the regulator’s view “would contribute to the development of the single EU retail payment market.”

The European Commission has recently launched public consultations on the review of the PSD2 and open finance, and it is planning to update the legal framework covering payments in Europe by the end of this year. While the European Commission is not bound by this formal opinion issued by the EBA, it is likely to take it into consideration when it drafts the new PSD3. 


The overall message from the EBA is that the objectives of PSD2 have started to materialize. For example, the security requirements, in particular Strong Customer Authentication (SCA), are having the desired effect of reducing fraud, thus contributing to the objectives of PSD2: improving the security of payment transactions and payments data and enhancing consumer protection. Yet, after a careful examination of the text, the EBA concludes that there are a significant number of issues that should be addressed, and it recommends that the EU Commission revise the PSD2.

The 126-page report contains over 200 proposals, and they allow us to identify some areas of concern that the Commission may review in the upcoming revision. 

For instance, the EBA proposes merging the PSD2 and the Electronic Money Directive 2 as it suggests that this will resolve a significant number of challenges faced by the industry and supervisory authorities in delineating between the two legal frameworks. The EBA also suggests applying identical legal requirements for payment providers and electronic money providers, including authorization process and requirements on safeguarding, initial capital and own funds. 

There are three areas, somewhat intertwined, that cover a significant part of the opinion and probably represent the biggest gap to fill between the technological advances in the market and the legal text. These are the SCA requirements, the fight against authorized push payment (APP) fraud and access to payment accounts in open banking and towards open finance.

On SCA, the EBA urges the Commission to clarify the distribution of liability between third-party providers (TPPs) and account servicing payment service providers (ASPSPs) and between the issuing and acquiring PSPs when an SCA exemption has been applied. The EBA also states that more clarity is needed with the terms ‘reasonable grounds to suspecting fraud,’ ‘fraudulent act,’ ‘gross negligence’ and others, because the lack of a proper definition has led to legal uncertainty and an inconsistent application of the Directive. 

The EBA is also concerned about APP fraud, and it proposes some measures to mitigate this problem. The EBA proposes the Directive introduce requirements on specific educational and awareness campaigns, incentivizing PSPs to invest in more efficient transaction monitoring mechanisms and facilitating the exchange of information between PSPs in relation to known cases of fraud, specific fraudsters and specific accounts used to carry out fraud. 

But perhaps the most innovative yet challenging proposal from the EBA is about how to foster the implementation of open banking and open finance provisions. The banking regulator is asking the Commission to explore the possibility of having a common application programming interface (API) standard across the EU to be developed by the industry. The EBA acknowledged that introducing a single API standard at this stage would bring additional compliance costs, but these would be outweighed by the significant benefits that would accrue as a common API would reduce barriers for new market entrants. The EBA said that this common API would also be extended in the potential move towards open finance — the expansion from access to payment accounts data towards access to other types of financial data (such as savings, investments and insurance data). 
