The European Banking Authority (EBA) Opinion on obstacles follows repeated requests for clarification from Tink and other fintechs, but also banks and the national financial authorities. The document reflects on how banks should design their dedicated interfaces (PSD2 APIs), to allow licensed third-party providers (TPPs) to access checking account information and initiate payments.
The regulatory technical standards (RTS) for strong customer authentication (SCA), and common and secure open standards of communication (CSC), specifies that banks building PSD2 APIs must do so without creating obstacles for TPPs.
To date, in the assessment of whether the PSD2 APIs are compliant, the financial authorities across Europe have largely been left to their own interpretation on what is or isn't an obstacle.
Banks all over Europe have been building PSD2 APIs with only a handful of pointers on the features that need to be supported. As a result, the look and feel of APIs across Europe vary wildly, and there are features (or the lack thereof) that have been considered an obstacle in one country, but not in the next.
Here are some of the most significant points raised by the EBA - and what they mean.
1. Authentication needs to be smooth
The SCA flow – where users authenticate towards their banks and allow licensed TPPs to retrieve account information or initiate a payment – must be as smooth as the interface on the bank’s mobile banking app.
This means PSD2 APIs should not redirect a user through an inferior or more cumbersome authentication process. It’s quite common for PSD2 APIs to enforce authentication exclusively through web redirect, which means that mobile users would need to complete the SCA flow on an internet browser, to access the services offered by licensed TPPs. This is considered an obstacle when the user would typically authenticate within their bank’s mobile app already installed on the phone. The EBA hopes this will help to improve the experience when TPPs use PSD2 APIs.
2. Supporting payments at point of sale
The EBA has made clear that banks offering customers the option to perform instant payments at the point of sale (POS), or anywhere else for that matter, should design PSD2 APIs that let licensed TPPs do the same. It clarifies that banks don’t have to develop new authentication methods for that, but must support all their existing ones.
In practical terms, this means that TPPs can offer POS solutions, for example using NFC or QR codes, either by relying on a bank’s specific POS authentication method if they have one, or using another existing authentication to initiate the payment.
3. Account selection should not require manual input
For payment initiation services from licensed TPPs, the user needs to identify and select the payment account for money to be transferred from. Currently, there are many PSD2 APIs that require the user to manually input the international bank account number (IBAN) details to allow the TPP to initiate a payment.
The EBA has now said this is an obstacle that should not be allowed.
Instead, banks should design PSD2 APIs that let a licensed TPP collect a user’s available payment account and IBAN details by accessing the account information, or offer an authentication flow (redirection or decoupled) that lets the user select which account the licensed TPP can initiate a payment from.
4. One SCA flow is more than enough
The EBA has clarified that in nearly all scenarios, one SCA flow is sufficient for the user to authenticate towards their bank when using the services of licensed TPPs.
Many banks have designed PSD2 APIs where the user needs to authenticate more than once, to allow a licensed TPP to retrieve information the user has already given explicit consent for. Some banks argue that by applying multiple authentication flows in the PSD2 APIs, they are enforcing an even stronger authentication protocol.
The EBA has clarified that this creates unnecessary friction in the user journey, especially when compared to the authentication procedure the bank itself offers online or on a mobile phone.
This makes a lot of sense, because the strength of an SCA lies in the fact that it requires two independent credentials, and not in entering the same ones multiple times.
5. Consent is given to the licensed TPP
The PSD2 states it is the obligation of a licensed TPP to ensure it has obtained the user's explicit consent for its services. Although these licensed TPPs are regulated businesses, under the supervision of the financial authorities, many banks have designed PSD2 APIs that only work when the user has given up-front consent to the bank to enable such services, or where the bank requires the user to confirm or check the consent that has already been provided to the licensed TPP.
Double checking consent is seen as a significant obstacle to a smooth user experience by not just the EBA, but by the European Commission too.
Although the EBA Opinion on obstacles also addresses a number of other topics, the five above should help clear up some misconceptions, and harmonise the current PSD2 API landscape. It’s exciting to see the progress of the open banking landscape since the RTS was enforced on 14 September 2019.
We’re looking forward to seeing what new opportunities, innovations, and great customer experiences will be enabled in the next generation of financial services.