PSD2 update

News
Date: 28 August 2019

The RTS (Regulatory Technical Standards) on strong customer authentication and common and secure communication will enter into force on 14 September 2019. This has several consequences for banks and payment institutions. We have also published a number of new Q&As about PSD2.

PSD2

Assessment of fall-back exemptions complete before 14 September 2019

Account servicing payment service providers must grant access to third parties for payment initiation and account information services. We encourage account servicing payment service providers to make a dedicated interface available for this purpose. The access must also be granted through an adapted consumer interface with eIDAS authentication. However, payment service providers can obtain from DNB an exemption from having to provide this fall-back facility if they are able to offer their own dedicated interface which demonstrably complies with certain legal requirements. This exemption can be granted on the basis of the RTS on strong customer authentication and secure open communications standards. Sixteen payment service providers have submitted exemption requests to DNB. We will assess these requests by 14 September 2019, the date on which the RTS enters into force, and will inform the institutions involved about whether we can grant them an exemption.

Account servicing payment service providers that have not obtained an exemption by 14 September must fulfil the requirement to grant access via an adapted user interface.

SCA Extension

The RTS on strong customer authentication and secure communications that enters into force on 14 September 2019 establishes requirements for customer authentication at payment service providers. As not all operators in the European payments market will be ready by 14 September 2019, the EBA has given national supervisory authorities the possibility to grant a limited extension period to payment service providers that process credit card transactions to apply strong customer authentication (SCA), provided they have submitted migration plans.

The overwhelming majority of payments in the Netherlands meet these requirements, although some credit card payments still do not. DNB is therefore granting an extension to market operators who have not yet completed preparations for the implementation of the SCA for credit card transactions. The length of this extension has not yet been determined. In cooperation with the EBA, DNB strives to achieve a uniform migration for compliance with SCA for credit card transactions. For further information see the Q&A on our website (available in Dutch).

Public consultation of Q&A document on efficient customer journeys

On 8 August 2019, we launched the public consultation of our Q&A document on efficient customer journeys for payment initiation and account information services through third parties (available in Dutch).

The RTS on strong customer authentication and secure communications stipulates that access to payment accounts offered by account servicing payment service providers (i.e. banks) should allow third parties to provide their payment services freely and efficiently. Banks should ensure that the interface they use for this does not present any obstacles in the customer journey for the provision of payment initiation and account information services by third parties. The RTS includes examples of these obstacles such as unnecessary delay or friction, superfluous steps and the use of unclear or discouraging language. This description still leaves room for interpretation, however, and the aim of this Q&A document is therefore to provide a more in-depth explanation of potential obstacles.

You can find more information here (available in Dutch). Please contact us with any questions or comments.

Q&A on savings accounts

Under PSD2, the European Commission has stated that savings accounts with a fixed contra account cannot be considered as payment accounts. The European Court of Justice had previously ruled that these accounts should not be recognised as payment accounts under PSD1. The European Commission considers that this ruling should also apply under PSD2. The Commission's response therefore constitutes an answer to the question of whether providers of such accounts must grant access to account information or payment initiation service providers (with the account holder's explicit consent). For further information please see this Q&A, which we have updated following the European Commission's ruling.

Q&A on provision of dashboards

We have received inquiries from banks about whether they are allowed to give their customers an overview of the consents that have been provided to payment initiation and account information service providers. This is permitted. They may also in a neutral manner offer their customers the possibility to withdraw this consent through the overview. For further information please see this Q&A (available in Dutch).

Q&A on bank feeds

In a Q&A on bank feeds for accounting services, DNB indicated that PSD2 does not apply when an account holder requests their bank to provide payment data to an accounting firm or to authorise it to initiate payments. A licence does not therefore have to be requested for these activities. For further information please read this Q&A (available in Dutch).

Q&A on exemption for applying strong customer authentication for business payments

Payment service providers can apply several exemptions for strong customer authentication, including the exemption for business payment procedures and protocols. Several conditions must be fulfilled, and DNB must be notified in advance before this exemption can be granted. For further information please see this Q&A.

Q&A European passport

Third parties make use of eIDAS certificates for the purposes of electronic identification. On the basis of this Q&A (available in Dutch), DNB establishes that banks do not have to perform additional checks to verify whether third-party providers are in possession of a European passport to be able to offer payment services in the Netherlands.

Provision of statistical data for confirmed cases of fraud

A payment service provider must provide annual statistical data on fraud to DNB, as set out in the EBA Guidelines on fraud reporting requirements under Directive (EU) 2015/2366 (PSD2), which entered into force on 1 July 2019. DNB follows these guidelines. DNB is currently carrying out technical modifications to ensure that reporting of fraud can be separated from the regular channels for supplying data to DNB. Payment service providers involved will receive further information about this. The first report must be submitted at the beginning of 2020 and will cover the period from 1 July 2019 to 31 December 2019.
