On November 27th the final version of the RTS on strong customer authentication and secure communication under PSD2 came out; it is by far the most important of them all. There were some surprises and some new additions, and with them some interesting questions have arisen:
- Does the RTS really ban redirecting in the dedicated interface, thus making the use of the widely used OAuth standard impossible?
- Is it really mandatory for the bank to allow screen scraping as a fallback mechanism?
Now it is up to the Parliament and the Council to come to a decision during the 3-month scrutiny period, after which the RTS can be announced in the Official Journal. From that announcement the 18 (and 12) months are counted until it comes into force. For some countries, this date comes sooner, but the rules are no different across the EU.
Read more about our findings in the linked document.