Two alternative access routes have been selected: adapting the interface that banks use for identification and communication with their payment services users (PSUs), or building a dedicated application programming interface (API) that fulfils the quality criteria defined by the Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and common and secure communication.
If the dedicated API is not working properly, banks are obliged to offer a contingency mechanism, also called “the fallback mechanism”. Via the contingency mechanism, third-party providers (TPPs) can use the online interfaces made available to the PSUs, such as traditional web banking. This contingency mechanism is used until the dedicated API is restored with the appropriate level of availability and performance. Both banks and Payment Services Providers (PSPs) shall report problems with dedicated interfaces to their respective competent national authorities without delay. Unplanned system unavailability or a breakdown of the systems is defined as occurring when five consecutive requests to access information related to the provision of payment initiation services fail or when account information services are not responded to within 30 seconds.
A bank’s contingency measures shall include two items:
• A communication plan to inform PSPs making use of the dedicated API of measures to restore the system,
• A description of the immediately available alternative options PSPs may have during this outage.
Requests for exemption from the fallback mechanism, if desired by the bank, should be filed with the Commission de Surveillance du Secteur Financier (CSSF) no later than 1 May 2019 in compliance with the following four conditions:
• The dedicated API complies with all the obligations for dedicated interfaces set by the European Banking Authority (EBA) Guidelines. Obligations include: definition of KPIs and service level targets, publication of statistics, establishment of processes for high-stress situations, and confirmation that the methods of carrying out the authentication procedures defined by the bank allow TPPs to rely on the appropriate authentication procedures,
• The dedicated API has been designed and tested to the satisfaction of the TPPs,
• The dedicated API has been widely used in test for the last three months (particularly since 14 March 2019) by TPPs, with the purpose of offering account information services and payment initiation services,
• Any problem related to the dedicated interface can be solved without undue delay.
On 28 February 2019, the CSSF clarified in a press release the deadlines to be respected by a bank wishing to obtain a fallback mechanism exemption. If submitted no later than 1 May 2019, the exemption request should be complemented with two sets of information, provided on 14 July 2019 and on 14 August 2019 respectively. In the meantime, the bank’s dedicated API should be rolled out in production no later than 14 June 2019 to ensure wide usage of the interface for at least three months before 14 September 2019. If so, an exemption from the fallback mechanism may be granted by the CSSF by 14 September 2019 after assessment and testing, in consultation with the EBA.
The fallback mechanism exemption request is an attractive option for banks. It is time to act. If the bank wants to benefit from this exemption, the request needs to be filed in less than 6 weeks.
Patrice Fritsch, Principal, Associate Partner, Advisory Services, EY Luxembourg
Anton Christov, Senior Manager, Advisory Services, EY Luxembourg