Germany’s Federal Financial Supervisory Authority (BaFin) concludes in a circular that banks’ new account interfaces do not conform to PSD2 requirements. Banks may therefore not switch off access through existing interfaces.
Starting 14 September 2019, banks (or account servicing payment service providers/ASPSP) must grant third party providers (TPP) access to a customer’s payment account should the customer wish to use the TPP’s services. The German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG) specifies that, to fulfill this duty, communication between banks and TPPs must be secure. The European Banking Authority (EBA) published regulatory technical standards for strong customer authentication and common and secure communication as mandatory guidelines for the design of the interfaces (RTS on SCA and CSC, Commission Delegated Regulation (EU) 2018/389).
Several banks and savings institutions have recently tested their new account interfaces (API) with TPPs. These are supposed to replace the interfaces used by TPPs so far. The conclusion was overwhelmingly positive, even though fewer TPPs than originally expected participated in the trial run. Some banks have gone on to test their interfaces in a live test with customers. The response from the Fintech sector, which makes up the largest chunk of TPPs, was however less enthusiastic and rather critical of the banks’ new account interfaces.
BaFin now points out in a circular that, come September, banks may not deny TPPs access to payment accounts and switch off existing interfaces in favor of the new APIs. EBA’s RTS demand that, in principle, a contingency mechanism is to be in place to guarantee TPPs access to the payment account. This means TPPs are now allowed to continue using the existing interfaces that the account servicing payment service provider (banks etc.) uses for other communications or for authentication of its customers until the availability and performance of the dedicated account interface for TPPs reach a satisfactory level. BaFin may however exempt individual account servicing payment service providers from the contingency mechanism and allow them to use solely their newly developed APIs if those meet certain criteria:
1. The API meets the general requirements for dedicated APIs.
2. The API is designed and tested to satisfy the needs of the TPPs.
3. The API has been in operational use for at least three (3) months by payment service providers offering account information services and payment initiation services and providing confirmation on the availability of funds for card-based payments.
4. All technical and operational issues with the dedicated API were resolved without undue delay.
In December 2018, EBA provided guidance for the use of this special permit option (EBA/GL/2018/07), which BaFin eventually adopted. The guidance notice specifies the above-mentioned requirements. Banks that wish to use their dedicated API must submit a written request to BaFin. BaFin will decide on each individual request after consultation with EBA.
Besides a lack of relevant data or of proper functioning, the 3-month operational period in particular will most likely be grounds for denial of the requests. Those banks that may not use their dedicated API following such a request must still provide the contingency mechanism to TPPs and grant access to the payment account. The number of banks that are released from the contingency mechanism requirement after 14 September 2019 remains to be seen.