Statement 10 January 2018 – 1/2018

Statement on PSD2 transitional issues

National entry into force of PSD2

Changes required by the revised Directive on Payment Services (PSD2) in the Payment Services Act and Payment Institutions Act will enter into force in Finland for the most part on 13 January 2018. Under PSD2, the Commission will adopt a Regulation on Regulatory Technical Standards on strong customer authentication and secure communication. The Regulation will enter into force 18 months after its publication in the Official Journal of the European Union. Currently, the Regulation is expected to enter into force in autumn 2019.

The asynchronous entry into force of national legislative changes and the Commission Regulation poses challenges for banks in developing new interfaces for new payment services and for service providers to start providing new payment services to customers.

Transitional procedures in the provision of new payment services

New payment service providers that have been granted authorisation by the Financial Supervisory Authority or a supervisory authority of another Member State have the right to provide payment initiation services and account information services to customers as of 13 January 2018. Credit institutions and current payment institutions can also start providing new payment services.

The key principles of the new regulation include the following:

  • account servicing banks shall not prevent third party service providers from providing new payment services; and
  • account servicing banks are obliged to allow third party service providers to use, in the provision of new payment services, the method of strong customer authentication that the account servicing bank provides to the customer.

The provision of new payment services requires that account servicing banks develop an interface to enable access to customer account information and payment initiation. As the technical security requirements on the interfaces specified in the Commission Regulation have not yet entered into force, banks may not necessarily yet have new interfaces for the provision of new payment services to customers at the time the legislative changes enter into force. To enable the provision of new payment services during the transitional period, banks should, upon entry into force of the new legislation, provide either an interface that is in line with the Regulation or an alternative temporary interface for the provision of payment initiation services and account information services.

In this regulatory situation, market participants have proposed, as an alternative solution, using the customer interface with the screen scraping method. This means that the provider of new payment services would use the same existing interface that the customer currently uses when logging into an online bank. In its opinion¹ published on 19 December 2017, the European Banking Authority considered the use of the customer interface during the transitional period possible.

The FIN-FSA's statement on screen scraping

The FIN-FSA considers that in Finland, the customer interface cannot be used with the screen scraping method² in the provision of new payment services unless the service provider is able to fulfil the requirements specified in the FIN-FSA's view below.

The FIN-FSA's view is based on the following factors:

Under the Payment Services Act that will enter into force in Finland on 13 January 2018, the service provider must identify itself towards the account servicing payment service provider every time a payment is initiated via a payment initiation service provider or every time communication is performed via a provider of account information services.

In the utilisation of the customer interface, the customer would have to give its online banking codes to a third party service provider, and the third party service provider would log into the customer's online bank, in the name of the customer. With this method, the service provider would not be able to fulfil the statutory requirement of identifying itself towards the account servicing bank.

The FIN-FSA considers identification of the Third Party Provider towards the account servicing bank a key requirement of the new regulation. For reasons of security and allocation of liability, this requirement must be taken seriously. Identification must be realised in an adequately reliable and secure manner also in the transitional period. For example, communication of the IP address to the account servicing bank cannot be considered an adequately secure method of identification owing, among other things, to the associated risk of abuse (an IP address can be forged).

The FIN-FSA also considers that the use of the customer interface with the screen scraping method is not a sufficiently reliable method because, for example, it enables access not only to information from designated payment accounts but also to other information in the customer’s online bank, which is not allowed under the new regulation.

The FIN-FSA also states that the use of the customer interface, with the customer's online banking codes, in third party service providers’ payment initiation services or account information services has been forbidden in Finland under the current Payment Services Act. Therefore, service providers may not, even under the derogation in Article 115, paragraph 5 of the PSD2, provide these services in Finland during the transitional period. The EBA has also stated in its above-mentioned opinion that there is no obligation to accept the use of the screen scraping method during the transitional period if it has been prohibited by national law until now.

The FIN-FSA’s view on the transitional period

The FIN-FSA points out that a customer interface can be used during the transitional period if identification of the Third Party Provider can be realised in an adequately reliable and secure manner and if access to customer information can be restricted to only payment account information designated by the customer.

The FIN-FSA, however, urges all parties involved to comply with the requirements of the Commission Regulation, particularly in the development of interfaces and in procedures for identification between the parties, as soon as possible and before entry into force of the Regulation.

The purpose of the FIN-FSA's statement is to ensure the security and reliability of payment services during the transitional period.

For further information, please contact:

  • Legal Advisor Sanna Atrila, tel. +358 9 183 5552, sanna.atrila(at)fiva.fi
  • Risk Expert Erja Pullinen, tel. +358 183 5358, erja.pullinen(at)fiva.

1 Opinion of the European Banking Authority on the transition from PSD1 to PSD2. (pdf)

2 Screen scraping refers to a screen capture method in which a third party service provider logs into the customer’s online bank, in the name of the customer, as the customer enters its online banking codes into the service provider’s service.

The English-language version of this statement was published on 15 January 2018.
