Out-Law News

EBA clarifies API testing requirements under PSD2


Banks that go beyond their regulatory obligations on the testing of Application Programming Interfaces (APIs) being developed under EU payment services laws are more likely to reduce their compliance burdens, the European Banking Authority (EBA) has said.

The EBA said banks and other account servicing payment service providers (ASPSPs) may benefit from a regulatory exemption on the development of a 'fallback' mechanism for facilitating third party access to customer account information they hold.

Under the EU's second Payment Services Directive (PSD2), account information service providers (AISPs) and payment initiation service providers (PISPs) were given new rights to access payment accounts, like current accounts, and statement details, as well as other account information, held by ASPSPs where customers consent to such access.

The detailed requirements on third party access are contained in regulatory technical standards on ‘strong customer authentication and common and secure open standards of communication’. ASPSPs must either enable third party access to the data through the customer's normal online banking websites, or alternatively develop a new 'dedicated interface' (API) for that purpose. Those requirements, though, do not apply until 14 September this year.

A range of safeguards are outlined in the standards to ensure that the access rights of AISPs and PISPs are respected, including that ASPSPs provide a fallback option to ensure AISPs and PISPs can exercise their access rights where the normal interface they use is down or underperforming. However, ASPSPs do not have to provide a fallback if they benefit from an exemption.

According to guidance developed by the EBA, ASPSPs can benefit from an exemption if their dedicated interface fulfils a number of conditions, including that it "offers at all times the same level of availability and performance, including support, as the interfaces made available to the payment service user for directly accessing its payment account online".

Other conditions on exemption include that the dedicated interface meets stipulated standards on design and testing, and that ASPSPs can show it has been "widely used for at least three months by payment service providers to offer account information services, payment initiation services and to provide confirmation on the availability of funds for card-based payments". Any problems related to the dedicated interface must also have been resolved "without undue delay".

Now the EBA has clarified the API testing requirements facing ASPSPs after concerns were raised by an API working group it set up earlier this year. The EBA said the group had "expressed concerns on the testing environment, and in particular the reliability of the testing platforms, the depth of use cases and data available, as well as the ease and speed of testing for third party providers (TPPs)".

In response to those concerns, the EBA clarified that while ASPSPs are required to support testing of their APIs by third parties, they do not need to provide for "automatic testing" or provide the documentation containing the technical specification of their API – which needs to be made available by 14 March – in machine-readable form. However, the EBA said it may be in ASPSPs' interest to do so.

The EBA said: "ASPSPs are not required, but may find it efficient and in their interest to enable TPPs to use automatic testing programs wherever possible and make documentation available in a machine-readable format. This is likely to minimise the support that ASPSPs may otherwise be required to provide to each TPP using the testing facility. Enabling a degree of automaticity may also enhance the participation rate of TPPs, facilitate better testing results and help ASPSPs achieve 'wide usage' of their production interface, which may in turn be beneficial for the purpose of the exemption process as detailed in the EBA guidelines on the conditions to benefit from an exemption from the fall-back mechanism."

"Given the link between the testing phase and the wide usage criterion and to avoid issues that may otherwise arise in the production environment, ASPSPs may find it to be in their own interest to ensure that the functionalities and scenarios available for testing are as close as possible to the functionalities that will subsequently be offered in the production interface," it said.

"If the testing facility does not function well, this will impact on the assessment of the ASPSP’s application for an exemption," the EBA said.
