Has the ship sailed for PSD2 fallback exemptions?

In addition to providing a sandbox for their API service, PSD2 also requires banks to set up a contingency mechanism (or fall-back solution) in case the dedicated API service becomes unavailable, or is not working properly. In this instance, the fall-back solution would essentially mean banks have to make their customer interface (such as internet banking or mobile banking app) available for screen scraping with the ability to identify TPPs, until the API service is restored.

Fallback fallout

Given that there is no working example of such a fall-back solution, designing something compliant will be a huge challenge, not least because of the additional investment and resources required. For those who have missed the deadline for launching their testing facilities, the pressure will only compound this problem as they play catch-up.

However, there is a chance to reduce this burden by obtaining an exemption from the need to offer a fall-back solution. Banks can benefit from an exemption if their dedicated interface fulfills a number of conditions, centred around how robust, available and well-supported the solution is. To gain the exemption, the dedicated interface also has to meet certain design and testing standards and have been widely used for at least three months.

There are a number of challenges associated with the exemption process, especially given that these assessments include a fairly technical analysis of each interface. Many regulators are very open about the fact they do not have the technical expertise required to perform all these assessments, so they are encouraging banks to use ‘standardised’ conformance tools available in the industry. Many have also mandated self-assessment and audit steps as part of the exemption application process.

Time to grab a lifeline

14th March was also the deadline (or partial deadline) for banks in the Netherlands and Italy to apply for the fallback exemption, which had to be made to the National Competent Authority (NCA) in each country. However, for the majority of countries, the deadlines are just coming up, for instance:

• Luxembourg – May 1st
• Finland – June 3rd
• Germany – June 14th
• UK – June 14th
• France – July 14th

Others, such as Sweden and Ireland, have not yet published their deadline for exemption applications.

It is important for banks in this next batch of countries to get talking to their NCAs as soon as possible, if they haven’t done so already.

The final EBA guidelines around the exemption process were only released in December 2018. The regulators fully understand that nobody can have a production-ready solution in three months, so they are taking a pragmatic approach to the exemption application process. This is why it is worth maintaining and active, open discussion with regulators about the process, and to see what options are available. Regulators want to see that banks can demonstrate clear roadmaps and a concerted effort towards compliance.

Failing to plan….

The Access to Accounts criteria for PSD2 have unfortunately missed an opportunity to create a standardised landscape. Banks who operate in more than one country may need to apply for a fallback exemption more than once, depending on the corporate structure, (how many legal entities across the region and how many access interfaces implemented) with different local criteria and dates to factor into their approach. For banks with legal entities established in multiple European countries, the process can become quite a challenging piece of work.

There are some dangers in following the letter of the regulations in a blanket way. Many countries, such as Italy, have a split approach to the exemption process, with different deadlines. It is therefore vital to evaluate and map these varying factors to avoid missing out on the exemption opportunity or ending up with issues in certain locales.

But it’s not just about deadlines, the processes also differ across countries. For example, in the UK, the exemption process is fairly straightforward and well-assisted, so there isn’t too much research to be done. In France, however, there are a number of additional hoops for banks to jump through, including the requirement to facilitate a full cyber audit carried out by an ANSSI-certified provider prior application for the exemption as well as several additional requirements.

Not an impossible mission…yet

For those banks who are playing catch up – whether that is around launching their testing facilities, or the fallback exemption process, there are a number of key steps that can help set things back on track and put their businesses in better shape to hit the final September deadline.

1. Engage with the relevant regulators as a matter of urgency, especially if you have missed deadlines already, since it is the only potential way to get back on track. It is vital to consult with the relevant NCAs to understand options, next steps and key focus points. Keep the lines of communication open, ask as many questions as you need and ensure you keep them up to date with any plans or developments.
2. Research and evaluate what you need to do to meet the testing and exemption application criteria in each country you operate in. If you are planning to implement a standard solution across all countries, make sure you are clear that it fits the bill and that you understand all the requirements for each geography.
3. Have a plan A, B and C – You must ensure detailed primary and contingency plans are in place to meet all remaining deadlines. For instance, if an exemption is not secured in any of your operational geographies you must have already investigated a a way to build the fallback solution – there is no more time to fall further behind. The planning process can be particularly difficult and any missed details can mean project failure and a huge financial impact. Engaging with objective external experts can help to mitigate this risk and ensure you have covered all eventualities and help you implement tried and tested solutions.

At RedCompass Labs we’ve been working closely with our clients over the last few months to help them plan for and meet their PSD2 compliance obligations, including getting their API sandboxes ready and their fallback exemptions in place on time.

If you would like to get more advice from one of our expert consultants, get in touch.

*Source: Tink online survey: March 15^th 2019