EBA publishes responses to issues raised about APIs under PSD2

Ellie Duncan
30 Jul 2021

The European Banking Authority (EBA) has published its responses to a sixth set of issues raised by its working group on APIs under PSD2, which included queries about authentication of electronic signatures and the prevention of social engineering fraud.

The EBA also issued clarifications in response to issues raised by the working group participants on biometrics and authentication on mobile apps, ability of payment initiation service providers to refuse a payer’s request to initiate a payment transaction, and complexity in the authentication process.

A few participants of the working group “asked whether the name of the account holder and the IBAN can be shared with PISPs before the initiation of the payment transaction in order to prevent attempts to carry out fraud (including by the payer) before the initiation of the payment transaction”.

The working group on APIs under PSD2, which was established in January 2019 by the EBA and comprises 30 individuals representing account servicing payment service providers (ASPSPs), third-party providers (TPPs), API initiatives, and other market participants, met up in mid-June this year, following an extended break as a result of the Covid-19 pandemic.

In regards to authentication with electronic signature required by ASPSPs, a few issues were raised by the group, one of which is that: “The use of electronic signatures was also seen as preventing AISPs to make use of authentication procedures that lead to good customer journeys, such as those relying on biometric authentication.”

The EBA’s full response to the sixth set of issues can be viewed here, while the EBA confirmed it will provide further clarifications in the coming months.

It published clarifications to the first five sets of issues that had been raised by the working group on 11 March, 1 April, 26 April, 26 July and 14 August 2019, having tasked the group with identifying issues and challenges that market participants face during use of API interfaces.