Answer:
Yes, DNB will follow the EBA's recommendations to the national supervisors as described in its Opinion of the European Banking Authority on the transition from PSD1 to PSD2. The opinion document addresses the transitional provisions and the question of how to deal with the fact that some RTSs and Guidelines do not yet apply when PSD2 is incorporated into national laws and regulations or when the licensing issuing process has been initiated. The main recommendations that DNB intends to implement are the following.
- DNB urges all payment service providers to comply with the provisions of the RTS on strong customer authentication and common and secure communication (RTS SCA/CSC) as soon as possible, in anticipation of the deadline for compliance (i.e. 18 months after formal adoption of the RTS by the European Commission, which has yet to happen).
- More specifically, account servicing payment service providers (and banks in particular) are urged to develop and offer a dedicated interface according to the requirements specified in the RTS SCA/CSC as soon as possible. This will promote more secure communication between payment initiation and account information service providers and account servicing payment service providers, and allow less desirable methods of communication such as screenscraping to be phased out. Moreover, using a dedicated interface will help to prevent payment initiation and account information service providers from gaining access to more information than permitted by the customer.
- In licensing, DNB will encourage new payment initiation and account information service providers to use dedicated interfaces, insofar these are offered by account-servicing payment service providers.
- In accordance with the EBA opinion document, DNB will no longer apply the EBA Guidelines on security of internet under PSD1 in stages. With the phasing in of the new RTS SCA/CSC and the Guideline on incident reporting, the EBA Guidelines on security of internet established under PSD1 will become obsolete. However, the EBA will only withdraw the latter guidelines after PSD2 has been implemented in full.