With only four months to go to the final PSD2 implementation date of 14 September 2019, all payment service providers must make sure they are urgently progressing plans to meet the additional regulatory obligations or to confirm that their obligations are met.
The additional obligations are contained in the regulatory technical standards for strong customer authentication and common and secure open standards of communication (the RTS). This document was published in November 2017, only a few months ahead of the implementation of the second Payment Services Directive (PSD2) in January 2018, but comes into force on 14 September 2019. The EBA has a draft version on its website but the final version is on the Commission's website, here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R0389
All payment service providers must take action to establish whether these additional requirements apply to them. We have some helpful blogs to explain the basics and are keen to work through the details with you.
Open banking: not just for banks
All payment and e-money institutions should consider whether they too are account servicing payment service providers. Read more here: http://blog.fscom.co.uk/open-banking-not-just-for-banks-0
Strong customer authentication
All payment and e-money institutions should consider whether they will have to apply strong customer authentication. You can read about the basics here: http://blog.fscom.co.uk/strong-customer-authentication-under-psd2-the-basics
If you do have to apply SCA, you'll want to minimise the amount of times you have to make your clients go through SCA, so find out more about the exemptions here: http://blog.fscom.co.uk/strong-customer-authentication-the-exemptions
If you intend to use the corporate exemption, we can help you assure that your systems are up to the expected standard of security. Remember, you have to provide evidence in your REP018 by 14 June.
And finally, SCA is more complicated than simply two-factor authentication (2FA). Find out more here: http://blog.fscom.co.uk/strong-customer-authentication-not-as-simple-as-just-2fa
If you need any help understanding the obligations, please get in touch.