2. Post Brexit and Beyond: PS21/19 - Changes to the SCA-RTS and Approach Document
- Posted on: 17 December 2021
- Written by: John Burns
Changes to consent
You may have already seen commentary on the new exemption created in Article 10A of the Strong Customer Authentication-Regulatory Technical Standard (SCA-RTS) on 30 November which removes the requirement for a customer using an Account Information Service (AIS) to reconfirm their consent to their Account Servicing Payment Service Provider (ASPSP) (bank) every 90 days, replacing it with an obligation on the Account Information Service Provider (AISP) to reconfirm at least every 90 days that the customer continues to consent explicitly to the AISP accessing the customer’s account data. The FCA are also saying that if a customer fails to reconfirm consent by the 90-day limit, but subsequently does so, the AISP can restart accessing the account(s) as soon as the reconfirmation is received.
The requirement to have the customer reconfirm with their bank has been seen as a significant barrier to the continued take up of AIS’s offerings, with customer inaction causing a drop off after initial sign up, as customers fail to make the reconnection using Strong Customer Authentication.
The FCA has helpfully said that a single reconfirmation of consent can be used to apply to more than one of the customer’s accounts which the AISP accesses, and that the AISP will not be required to communicate customer consent. Although they do point out that the application of exemptions is at the instance of the bank, so that they can require the use of Strong Customer Authentication (SCA) whenever they think appropriate. However, there is a strong steer that banks should rely on the exemption “unless they have proportionate and objective reasons for not doing so.” One hopes that the FCA will be active in policing this if banks attempt to require SCA as a disincentive to their clients using AISPs.
This is a major step forward for firms providing AIS and should markedly reduce customer friction.
On the other side of the Third Party Provider (TPP) divide, the FCA has provided some clarification on the requirement to provide a dedicated interface for access to payment accounts by AISPs and Payment Initiation Service Providers (PISP). Taking their lead from the Payment Accounts Regulations (PARs) the FCA has mandated the use of dedicated interface by credit institutions, authorised Payment Institutions (PIs), authorised Electronic Money Institutions (EMI)s, and credit unions that offer personal payment accounts within the scope of the Payment Account Regulations 2015 (PARs), equivalent payment accounts held by Small and Medium-sized Enterprises (SMEs), and credit card accounts held by consumers and SMEs. They have excluded accounts provided by small payment institutions (SPIs), small e-money institutions (SEMIs), firms relying on the Temporary Permissions Regime (TPR) or supervised run-off regime (SRO) and non-SME businesses’ accounts from having to provide a dedicated interface. It is, however, important to note that this does not mean that firms benefiting from the exclusion do not have to make arrangements for access by AISPs and PISPs (TPPs). Such firms are still required to modify their customer interface to allow TPPs to identify themselves and to check their eIDAS certificate before allowing access.
Where an ASPSP has a dedicated interface, there is a requirement in the Regulatory Technical Standards for them to have adapted their customer interface as a fallback in case of failure of the dedicated interface (unless the FCA has granted them an exemption from having a fallback interface, on the basis if the proven stability of their dedicated interface). The FCA has now helpfully allowed firms six months after launch of their dedicated interface to apply for the exemption before requiring them to make the amendments to the customer interface.
So, in summary, this is a helpful amendment to, and clarification of the rules which should reduce the friction for customers in making use of AISP services and remove some of the cost and overhead for Payment Service Providers (PSPs) providing payment accounts which are accessible online (although it does not address the issue that the likelihood of AISPs or PISPs actually wanting access to accounts held at many of the smaller APIs and EMIs is vanishingly small, yet they are required to facilitate such access by modifying their customer interface). As such, it should help Open Banking to become more established, with benefits for consumers and firms.