Single Rulebook Q&A

Question ID: 2019_4681
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 98
Paragraph: 1
Subparagraph: b
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph: Articles 31, 32, 33
Type of submitter: Credit institution
Subject matter: What is considered as a dedicated interface
Question:

Payment Service Users (PSUs) communicate with an account servicing payment service provider (ASPSP) via the Web using HTTP, while mobile PSUs and Third Party Providers (TPPs) communicate via REST Application Programming Interfaces (APIs), but in all cases the processing is done by the same back-end server using the same credentials, authorisations and business logic. In the case of mobile and TPP channels, the APIs are similar and are exposed from the same ASPSP’s gateway. Any issue in the back-end server will result in downtime for all channels. Clarification is required as to whether this solution is considered a dedicated interface or not.

Background on the question:

The question emanated from the need to apply for an exemption from the contingency mechanism under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC) in relation to Article 31.

Date of submission: 25/04/2019
Published as Final Q&A: 09/08/2019
EBA answer:

According to Article 30 of the Commission Delegated Regulation (EU) 2018/389, account servicing payment service providers (ASPSPs) that offer to their customers payment accounts accessible online must offer at least one access interface to third party providers (TPPs). Article 31 of the Delegated Regulation provides that ASPSPs “shall establish [such] interface(s) by means of a dedicated interface or by allowing the use by [TPPs] of the interfaces used for authentication and communication with the [ASPSP's] payment services users”.

This means that ASPSPs have a choice in accordance with Article 31 of the Delegated Regulation between (i) offering access to TPPs via a dedicated interface; and (ii) allowing TPPs to use the interface(s) used by its customers for accessing their payment accounts online, which also includes ASPSP’s mobile interface used by its customers for accessing their payment accounts.

In the case where a TPP uses the same interface that a payment service user uses for authentication and communication with an ASPSP, adapted to the extent necessary to enable TPPs to identify themselves towards the ASPSP in line with the requirements of the Delegated Regulation, this interface should not be considered as a dedicated interface.

Status: Final Q&A