The idea behind PSD2 Open Banking is not new. Yodlee and others have aggregated accounts through a process known as screen scraping. Now, though, the world is changing radically, writes Konsentus’s Brendan Jones

The first and most important point is that what the EU has published is the Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA) and Common Secure Communications, and although not technical per se, they are mandated. This is unlike PSD2 itself, a directive whose implementation some countries may delay: the timings for PSD2 Open Banking are mandated across the whole of the EU.

In August 2016, the EBA published a consultation on the RTS; subsequently, there have been several iterations and on 14 March 2018, the European Parliament and European Council approved the final version.

There are two key dates:
• 14 March 2019: all financial institutions (FIs) offering a transactional account must have APIs available for approved third-party providers (TPPs) to start testing.
• 14 September 2019: systems must be available for TPPs to go live.

The RTS comes into force on 14 September 2019 and before this, all financial institutions that offer transactional accounts must develop and implement technical solutions required to deliver Open Banking.

FIs will look to deliver PSD2 Open Banking access via an API, although they can continue to allow TPPs, in effect, to access Payment Service User data via the online banking interface – a contingency mechanism often referred to as screen scraping. However, they must comply with PSD2 by putting in place measures so the FI knows who is accessing the data.


The RTS states that for a financial institution to be exempted from having to provide a contingency mechanism, the dedicated interface (API) must be available for testing by TPPs (AISPs, PISPs and PIISPs) no later than six months before the RTS live date of 14 September 2019. That is why 14 March 2019 is the date by which FIs must be ready for TPPs to start testing with them.

Many FIs consider screen scraping to be a significant security risk, as Payment Service Users’ security credentials need to be shared with potentially unapproved third parties. These third parties could be breached, and Payment Service User secure data accessed.

Getting consent right

Article 94 of PSD2 allows FIs and TPPs to process personal data necessary for the provision of their respective payment services only with the “explicit consent” of the Payment Service User.

Under Article 6 of the EU General Data Protection Regulation, which comes into force in May 2018, “consent” is one of the lawful bases for processing personal data. “Explicit consent” has a very different meaning under GDPR, though: an explicit consent statement must specifically refer to the element of the processing that requires it. Otherwise, the requirements for explicit consent are the same as the GDPR’s definition of consent.

In the UK, the FCA’s guidance on the implementation of PSD2 clarifies that the interpretation of “explicit consent” under GDPR should not be read across into Article 94 of PSD2, and that an FI cannot use the requirement to obtain “explicit consent” under Article 94 as a means to avoid its obligation to disclose payment account data to a TPP. “Explicit consent” must be obtained, but it cannot be used as an obstruction to the sharing of data.

The FI needs to remember that it also remains the controller of its Payment Service User’s account data under GDPR. Therefore, it will be responsible for protecting its Payment Service Users’ data from unauthorised access or loss, and thus needs to ensure at all times that it only shares data with approved TPPs. GDPR guidance on data portability, for instance, explains that controllers will be expected to implement safeguards to ensure that third parties from whom they receive data porting requests are genuinely acting on the data subject’s behalf.

There is still some uncertainty over who foots the bill when things go wrong. It has long been the case that the FIs have to refund Payment Service Users in the event of unauthorised and incorrectly executed transactions, but what happens if Payment Service Users push funds into the wrong account?

The FCA comments that the burden of proof lies with the TPP to demonstrate it was not responsible for the error. The TPP will be required to prove, among other things, that the payment order was received by the Payment Service User’s FI and that while within the TPP’s “sphere of influence” it was authenticated and dealt with correctly.

The FCA clarifies that it will consider any part of a transaction over which the “TPP has control” to be within the TPP’s sphere of influence. A key part of this process will be to have an irrefutable tracking system in place so that a TPP can prove what data was sent to whom, when and where.
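The article does not say what such a tracking system looks like. As an added illustration (not from the author, Konsentus or the FCA), the following shows one way to keep a tamper-evident record of data-sharing events: each entry captures who received the data, what was sent, when and where, and is chained to the previous entry and sealed with an HMAC, so any later alteration, deletion or reordering is detectable. The key, the TPP identifiers, the endpoints and all class and function names are constructed for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Hypothetical sealing key held by the record keeper (constructed for this example).
AUDIT_KEY = b"example-audit-key-not-for-production"


def _canonical(record: dict) -> bytes:
    """Serialise a record deterministically so its seal is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class DataSharingLog:
    """Append-only log of data-sharing events, hash-chained and HMAC-sealed.

    Each entry records the TPP that received data, what was sent, when, and
    the destination, plus the seal of the previous entry. Changing, deleting
    or reordering any entry breaks every later link, and because the seal is
    an HMAC, nobody without the key can recompute the chain to hide the edit.
    """

    GENESIS = "0" * 64  # link value used by the very first entry

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def record(self, tpp_id: str, psu_ref: str, data_items: List[str],
               destination: str, when: Optional[datetime] = None) -> dict:
        """Append one sharing event and return the sealed entry."""
        when = when or datetime.now(timezone.utc)
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "tpp_id": tpp_id,
            "psu_ref": psu_ref,                 # pseudonymous customer reference
            "data_items": sorted(data_items),   # what was shared
            "destination": destination,         # where it was sent
            "sent_at": when.isoformat(),        # when it was sent
            "prev_hash": prev_hash,             # link to the previous entry
        }
        entry = dict(body, hash=self._seal(body))
        self.entries.append(entry)
        return entry

    def _seal(self, body: dict) -> str:
        return hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every seal and link; return (ok, first_bad_seq)."""
        prev_hash = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev_hash") != prev_hash:
                return False, i
            if not hmac.compare_digest(self._seal(body), entry["hash"]):
                return False, i
            prev_hash = entry["hash"]
        return True, None


def build_sample_log() -> DataSharingLog:
    """Constructed sample: two sharing events with made-up identifiers."""
    log = DataSharingLog(AUDIT_KEY)
    t0 = datetime(2019, 9, 14, 9, 0, tzinfo=timezone.utc)
    log.record("EXAMPLE-AISP-001", "psu-7f3a", ["balances", "transactions"],
               "https://aisp.example/callback", t0)
    log.record("EXAMPLE-PISP-002", "psu-7f3a", ["payment_initiation"],
               "https://pisp.example/callback", t0)
    return log


def tamper_demo() -> Tuple[bool, Optional[int]]:
    """Alter the first entry after the fact and show verification catches it."""
    log = build_sample_log()
    log.entries[0]["data_items"] = ["balances"]  # quietly shrink what was sent
    return log.verify()


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())   # (True, None)
    print("tampered:", tamper_demo())               # (False, 0)
```

The seal proves integrity to whoever holds the key; to make the record persuasive to the other party or a regulator, the key should be kept apart from the log store (for example in an HSM), and in practice each entry would also be countersigned by the receiving side or anchored to an independent timestamping service.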

The European Payments Council commented that under PSD2, the risk and the burden of financial recovery appeared to lie with the FI, and cautioned against FIs being made liable for TPPs’ mistakes or other risks (such as cyber vulnerabilities) arising from a TPP’s activities. It stated that this would only be acceptable where an agreement between the TPP and the FI was in place.

It argued that such an agreement should relate to the terms of the payment initiations and account information services offered by the TPP in question.

The government has yet to introduce a mechanism for resolving stakeholder concerns around liability. It noted the FIs’ unease in relation to the practical difficulties of obtaining compensation from a TPP, but says FIs should rely on their traditional rights of action against a TPP which breaches its regulatory obligation to refund them for an unauthorised transaction. This could lead to many messy court cases.