Payment disruptors set to get easier access to bank-account information under EU plan

23 February 2017. By Hugo Coelho.

Banks will be forced to keep the gates open to payment disruptors such as Trustly, Klarna and other authorized third parties seeking information about customers' accounts, under revised EU rules intended to end the dominant position lenders hold in payments services.

The European Banking Authority introduced the rules today as a compromise between established banks and start-ups, which lobbied heavily for changes in proposed standards to implement a new EU law designed to boost competition in payment services and make transactions more secure.

The EBA also made important concessions to payment-service providers and card companies by letting them conduct fewer transaction checks where there is a low risk of fraud and easing customer authentication requirements for online purchases below 30 euros (about $32).

The London-based authority published the final draft standards for the revised EU Payment Services Directive today, one month later than expected. The standards now go to the European Commission, which has the power to amend them.

Wave of complaints

The original proposals drew strong complaints. Startups said they would be shut out of the market, while other payment providers said the plans would make transactions a headache for consumers.

The EBA received a record 224 responses to its consultation — more than the authority received when it sought public feedback on proposals to implement a curb on bonus payments in banking.

One bone of contention involved rules for how third-party services that facilitate electronic commerce by going into consumers' bank accounts to make payments should access the account information in banks' databases. Those criticisms exposed a split between the old and the new worlds of finance.

The EBA decided to prohibit a practice known as "screen scraping," whereby third parties — with the authorization of customers — use a computer program to gather data that is shown in a webpage without needing to identify themselves.

'Dedicated interface'

Access to account information will instead have to be done through a "dedicated interface" set up by the bank, to increase security, the regulator said.

But to prevent banks from taking advantage of their position, the EBA also introduced prescriptive rules about how the access should be maintained.

Banks will need to have contingency measures in place to address any obstruction of the interface. They will also have to respond promptly to queries from payment-service providers asking whether a customer has enough funds to cover a payment, the new rules say.

"We sought to address concerns from [non-bank] providers that banks may not have an incentive to make [access to accounts] always available, and so we introduced a rule that ensures they have the same level of access as their customers," EBA Chairman Andrea Enria said at a conference* in London earlier this week.

Security checks

The enhanced security checks required of payment services for transactions were another area of the standards where regulators gave ground.

Companies that conduct transaction risk analysis and keep fraud levels under certain limits got a get-out clause from "strong authentication requirements," which call for a password to be matched with a card reader or some other recognized device, such as an app on a mobile phone, when authorizing a transaction.

The draft standards also contain a new exemption for payments of parking and transport fares at unattended terminals. The threshold for exempting online payments from customer-authentication rules tripled to 30 euros.

EBA Chairman Enria advised companies to press ahead with preparations on the basis of the current proposals and not to wait for the commission's endorsement.

"The draft [published by the EBA] reflects the views of the community of regulators from across the EU," he said. "They should provide sufficient guidance for market participants to start preparing."

The standards will take effect 18 months after they are endorsed by the commission. The EU directive must be written into national legislation by Jan. 13, 2018, so the legislation is likely to be in force for about a year before the implementing standards formally apply.


* "The Future for UK Payments Policy: Infrastructure, Regulation and Consumer Priorities," Westminster Business Forum Keynote Seminar, London, Feb. 21, 2017
