2019_4681 What is considered as a dedicated interface

Question ID: 2019_4681
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 98
Paragraph: 1
Subparagraph: b
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: Articles 31, 32, 33
Type of submitter: Credit institution
Subject matter: What is considered as a dedicated interface
Question: Payment Service Users (PSUs) communicate with an account servicing payment service provider (ASPSP) via Web using HTTP while mobile PSUs and Third Party Providers (TPPs) via REST Application Programming Interfaces (APIs) but in all cases the processing is done by the same back-end server using the same credentials, authorisations and business logic. In the case of mobile and TPP channels, the APIs are similar and are exposed from the same ASPSP’s gateway. Any issue in the back-end server will result in downtime for all channels. Clarification is required whether this solution is considered as a dedicated interface or not.
Background on the question: The question emanated from the need to apply for an exemption from the contingency mechanism under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC) in relation with Article 31.
Submission date: 25/04/2019
Final publishing date: 09/08/2019
Final answer: According to Article 30 of the Commission Delegated Regulation (EU) 2018/389, account servicing payment service providers (ASPSPs) that offer to their customers payment accounts accessible online must offer at least one access interface to third party providers (TPPs). Article 31 of the Delegated Regulation provides that ASPSPs “shall establish [such] interface(s) by means of a dedicated interface or by allowing the use by [TPPs] of the interfaces used for authentication and communication with the [ASPSP's] payment services users”.
This means that ASPSPs have a choice in accordance with Article 31 of the Delegated Regulation between (i) offering access to TPPs via a dedicated interface; and (ii) allowing TPPs to use the interface(s) used by its customers for accessing their payment accounts online, which also includes ASPSP’s mobile interface used by its customers for accessing their payment accounts.
In the case where a TPP uses the same interface that a payment service user uses for authentication and communication with an ASPSP, adapted to the extent necessary to enable TPPs to identify themselves towards the ASPSP in line with the requirements of the Delegated Regulation, this interface should not be considered as a dedicated interface.
Status: Final Q&A
Answer prepared by: Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Disclaimer