Digitalisation of Payment Services

Digitalisation is fundamentally transforming payment services: the market is characterised by new technologies, innovative business models and a dynamic regulatory environment. The Austrian Financial Market Authority (FMA) is accompanying this change with a clear and technology-neutral supervisory legal framework that brings together security, transparency and innovation.

General Information about Open Banking

Open banking allows customers to grant selected third-party providers access to their payment accounts via secure interfaces (known as APIs). Such third-party providers are registered or licensed with the FMA as account information service providers (AISPs) or payment initiation service providers (PISPs).
The objective of open banking is to increase competition in the field of payments, to promote innovation and to give customers greater transparency and control over their financial data.

Legal bases

The legal basis of open banking is the Second Payment Services Directive (PSD2), transposed in Austria by the Payment Services Act 2018 (ZaDiG 2018; Zahlungsdienstegesetz 2018). This framework is supplemented by Delegated Regulation (EU) 2018/389. In addition, the European Banking Authority (EBA) has published a series of Q&As that clarify questions of interpretation as well as the application of PSD2.

Exemption approvals and ongoing supervision

Payment service providers that make a dedicated interface (API) available for communicating with third-party providers are obliged to maintain a contingency mechanism. This mechanism is intended to ensure that access to payment accounts remains possible in the event of interface outages.

The FMA may grant an exception from this obligation pursuant to Article 33 (6) of Delegated Regulation (EU) 2018/389, if the dedicated interface fulfils all of the following conditions:

  • Technical requirements: all rules under Article 32 of Delegated Regulation (EU) 2018/389 are fulfilled.
  • Design and testing: the interface was successfully tested in accordance with Article 30 (5) of Delegated Regulation (EU) 2018/389.
  • Tried and tested: the interface has been widely used in practice for at least three months.
  • Rectification of problems: technical problems have been remedied immediately.

The FMA reviews applications for exemptions with great care and conducts ongoing monitoring of dedicated interfaces with regard to their availability, stability and non-discriminatory design.

General information about Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA) is a core security tool in digital payments. SCA is intended to ensure that only users who are authorised for the account in question are able to initiate payments.

For most electronic payment transactions, payment service providers are obliged to use at least two authentication factors from different ones of the following categories, and these factors must be independent of one another:

  • Possession (e.g. mobile phone, token)
  • Knowledge (e.g. password, PIN)
  • Inherence (e.g. fingerprint, facial recognition)

Only where two of these factors are used together is the access or the payment considered to have been strongly authenticated.
The objective of SCA is to reduce the risk of fraud in payments and to increase users' trust in digital payment solutions.

Legal bases

The legal basis for SCA is the Second Payment Services Directive (PSD2), transposed in Austria by the Payment Services Act 2018 (ZaDiG 2018; Zahlungsdienstegesetz 2018). This framework is supplemented by Delegated Regulation (EU) 2018/389 that defines Regulatory Technical Standards for strong customer authentication and secure communications.

Approvals for exemptions and ongoing supervision

The legal basis sets out exemptions from the obligation to use SCA for certain use cases. Some of these exemptions may be applied without FMA approval, such as:

  • when account information is only accessed and no payment is made
  • for low-value payments of up to €30
  • for contactless payments at points of sale of up to €50.

In addition, there are circumstances in which the FMA must grant approval: for example, Article 17 of Delegated Regulation (EU) 2018/389 permits an exemption for legal persons that conduct payment transactions exclusively using specially developed payment processes or protocols that are used only internally. A security level comparable to that of PSD2 is a prerequisite.

The FMA reviews such applications for exemptions on a case-by-case basis and in doing so considers the technical design, the restriction of access to non-consumers and the security architecture of the protocols used.
In the course of its ongoing supervision, the FMA checks whether payment service providers apply strong customer authentication in a proportionate manner and, in particular, refrain from making multiple unjustified authentication requests.

The objective of the European Commission’s Financial Data Access and Payments Package is to develop the EU’s digital financial market further and to make it fit for the future.

The package of legal acts consists of two central elements:

  • the third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR)
  • as well as the Financial Data Access Regulation (FiDA).

PSD3/PSR are intended to adjust the existing rules for payment services to bring them into line with current technological developments and new market requirements. FiDA will create a harmonised European legal framework for controlled access to and controlled transmission of financial data. In contrast to open banking, which is restricted to payment account information, open finance covers a broader range of data, such as savings and investment products, insurance or pension products.

The FMA actively uses its supervisory experience and regulatory expertise at both national and European level to help shape a reliable, secure and innovation-friendly legal framework that both increases the security of payment transactions and supports the responsible use of financial data.