The so-called ‘90-day re-authentication rule’, a key regulatory technical standard under Europe’s payment services directive (PSD2), is under consultation with the EBA until 25 November 2021. Proposed changes suggest that the 90 days be extended to 180 days minimum, meaning in practice that customers currently required to re-authenticate every 90 days will now have a minimum of 180 days to do so.
“Although this does not solve the core of the problem, it is a step in the right direction,” Ralf Ohlhausen, chair of the European TPP Association, told Delano in an interview.
“The 90-day rule is the reason one now needs two (rather than one) factor authentication, either every time one accesses one’s account or at least every 90 days. Unfortunately, it is not even sufficient to re-authenticate once for all accounts aggregated, but instead you have to do it separately for each account and usually at different times, because their 90-day expiry timers are not in sync,” explains Ohlhausen.
“This rule also concerns banks acting as a TPP.”
The proposed change is good news for Luxembourg banks and third-party payment providers keen to take advantage of the prospective security, innovation and competition benefits of the PSD2.
One example of this is the Luxembourg bank Spuerkeess, which has already used provisions under the PSD2 to provide its customers with access to third-party accounts through its S-net app. More recently, it has added neobanks N29 and Revolut to this offering, enabling users of the app to see and manage cross-border accounts in one place.
Spuerkeess believes there is great potential under the PSD2 regulation to improve customer experience in Luxembourg. “Over time, more and more third-party banks will be added,” Daniel Madariaga, the team manager at Spuerkeess’ Business Innovation Office, said in a statement in October regarding the addition of N29 and Revolut to the S-net app.
“A change to the 90-day rule is far less disruptive for this kind of offering,” says Ohlhausen.
What are open banking and PSD2?
Open banking is the practice of allowing third-party applications to access and control consumer banking and financial accounts, ‘opening’ financial data up to be securely shared with financial institutions. In 2018, PSD2 was introduced to create a framework around the early stages of open banking in Europe, namely, account aggregation and digital payments.
Following the introduction of PSD2, Spuerkeess along with three other Luxembourg banks (BGL BNP Paribas, Banque Raiffeisen and Post Luxembourg) founded LuxHub, which claims to be one of the largest open banking platforms in Europe. Spuerkeess went on to become the first bank in the grand duchy to offer services for the aggregation of third-party accounts, according to the bank’s statement on the integration of N29 and Revolut.