Tink Thinks: EBA's clarifications on PSD2 APIs – and what they mean
This is the first piece in our ongoing series called Tink Thinks, where we explain and comment on the business of the European Banking Authority’s (EBA) PSD2 API working group, which is helping to ease the implementation process ahead of the September deadline.
By Tomas Prochazka, VP of Product, and Ralf Ohlhausen, Director Public Affairs
Our series Tink Thinks: Inside the EBA is part of a broader public policy effort at Tink to advocate for third-party providers (TPPs) like us, so that the possibilities for innovation are broadened ahead of the September PSD2 deadline. We’ll take you deep into the EBA’s PSD2 API working group to talk about the progress that’s been made – and offer an explanation about how it impacts the industry.
We have a decidedly unique view into the EBA’s innerworkings. Tomas Prochazka, our VP of Product, is a member of the working group, representing TPPs. And our Executive Advisor Ralf Ohlhausen is a member of the European Central Bank’s Euro Retail Payments Board – and to top it off – is vice-chairman of the European TPP association (ETPPA).
Now that our resumes are out of the way, we’re kicking off this first installment by talking about some important issues that were raised in the working group’s first meeting last month.
Three clarifications, one tangible direction
The first issue on the table was about testing. TPPs requested that the ASPSP’s (the banks) provide test automation tools for a large selection of use cases. The EBA said it was in the banks’ interest to offer these, but it wasn’t required. Each individual bank can decide – a clarification that ultimately lacks clarity. Without specificity and firmness, the option to provide the testing tools leaves too much room for interpretation – and inevitably leads to discrepancies in terms of how different players address it.
It’s the same case with the second issue – the alignment of API functionalities. TPPs want a comparison table across the different API standards when it comes to functionality. And while the EBA reiterated the documentation requirement for banks, it only suggested that it could be done in a machine-readable format. It fell short of actually requiring it – making it voluntary instead.
But on issue three, the EBA created real value by providing tangible and useful information to all TPPs on which Qualified Trust Service Providers (QTSPs) they can turn to.
TPPs have been concerned that it was almost impossible to get test certificates – and that the QTSPs listed on the official European Commission website were not machine readable, and doesn’t show which of them actually issue PSD2 eIDAS certificates.
The EBA has provided a list of 14 QTSPs that issue at least usable test certificates for now – a helpful move given the difficulties that TPPs have faced when navigating the offerings of these QTSPs across Europe. It is very welcome.
There are many other important issues we hope to see discussed and addressed in the upcoming workgroup meetings – and we’ll have another update in our series after their next meeting on 19 March in London.