Question ID:
2019_4661
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
98
COM Delegated or Implementing Acts/RTS/ITS/GLs:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
Article 32(2)
Type of submitter:
Competent authority
Subject Matter:
Inclusion of time taken for SCA in the performance KPI
Question:

Does the Key Performance Indicator (KPI) for the performance of the dedicated interface include the time taken for conducting Strong Customer Authentication (SCA)?

Background on the question:

Article 32(2) of the Commission Delegated Regulation (EU) 2018/389 provides that account servicing payment service providers that have put in place a dedicated interface should define transparent key performance indicators and service level targets. These provisions are furthermore elaborated in the EBA Guidelines on the conditions to benefit from an exemption from the contingency mechanism under Article 33(6) of Regulation (EU) 2018/389. Guideline 2.3(a) states the ASPSP should define the daily average time (in milliseconds) taken, per request, for the ASPSP to provide the payment initiation service provider (PISP) with all the information requested in accordance with Article 66(4)(b) of PSD2 and Article 36(1)(b) of the RTS. It is however not clear whether this time indicator should also include the time taken for the SCA procedure. Taking into account that SCA procedures involve end-users and in some cases take place outside the APIs (e.g. redirect SCA), the indicator would lead to rather different KPIs with or without time taken for SCA.

Date of submission:
08/04/2019
Published as Final Q&A:
09/08/2019
EBA Answer:

Article 32(2) of the Commission Delegated Regulation (EU) 2018/389 states that “account servicing payment service providers that have put in place a dedicated interface shall define transparent key performance indicators [KPIs] and service level targets, at least as stringent as those set for the interface used by their payment service users both in terms of availability and of data provided in accordance with Article 36”.

Guideline 2 of the EBA Guidelines on the conditions to benefit from an exemption from the contingency mechanism under Article 33(6) of the Delegated Regulation defines a minimum set of KPIs for the dedicated interface. In particular, Guideline 2.3(a) defines “the daily average time (in milliseconds) taken, per request, for the account servicing payment service provider (ASPSP) to provide the payment initiation service provider (PISP) with all the information requested in accordance with Article 66(4)(b) of PSD2 and Article 36(1)(b) of the RTS”. The EBA also explained on page 43 of the EBA final report on these Guidelines that “the response time in GL 2.3 includes the interval between the point in time when a request is received by the ASPSP from a PISP […] and the point in time when all the information requested […] has been sent back by the ASPSP”. As highlighted by Article 32(2) of the Delegated Regulation, the KPIs defined by the ASPSPs should be as stringent as those for the customer interface. Therefore, whatever is included in the calculation of the response time for the payment service user (PSU) interface should also be included for the purpose of such calculation vis-à-vis PISP. This may or may not include the time it takes the PSUs to authenticate themselves (the human intervention).

Given the interval measured is the one between the receipt of the request and sending the information back, where Strong Customer Authentication (SCA) is required, the time it takes for the ASPSP to perform SCA (including to verify the SCA information provided by the PSU) should be included, regardless of the method used for SCA, in a way that is “at least as stringent” as when calculating the response time where a PSU is using the PSU interface.

Status:
Final Q&A