PSD2: fintech access to bank account data "does not go far enough"
European Commission considering targeted amendments to the proposed technical standards.
14 December 2018
Under the revised Payment Services Directive (PSD2), banks are required to allow licensed third parties (TPPs) access behind their firewall to customer data and even to initiate payments on behalf of customers who have authorised TPPs to act for them. The rules on TPP access have been subject to competing interests – on the one hand, fintechs see TPP access as an opportunity to establish a profitable business model for payments without having to provide the costly bank account infrastructure; on the other, banks worry, quite rightly, about the potential risk of fraudsters gaining access to customers' bank accounts through a doorway deliberately created by the legislation.
This debate has been going back and forth, culminating in the European Banking Authority (EBA) publishing its final draft of the regulatory technical standards setting out its view on TPP access methodology in February this year. Following strong pushback from the fintech industry, however, the European Commission is considering targeted amendments to the proposed technical standards.
Why, what's the beef with the technical standards?
At the moment, TPPs typically gain access to clients' payment account information by having clients share their login details with the TPP. Under this model, the TPP effectively impersonates the client when logging in and obtains payment account information by "screen scraping". This is the so-called "direct access" model.
However, after consulting with the Commission, the EBA concluded that screen scraping will not have to be supported by banks under PSD2. Instead, under the EBA's final draft technical standards on strong customer authentication and secure communication, banks must offer at least one interface for TPPs to access payment account information. This may be the same interface as offered to and used by their customers (e.g. online banking) or, crucially, banks may provide a separate, dedicated interface for use by TPPs.
The EBA attempted to address TPPs' concerns about their ability to access payment accounts where a dedicated interface does not work properly, by requiring that where banks choose to develop and offer a dedicated interface for use by TPPs, they must provide the same level of availability and performance, including contingency measures in case of unplanned unavailability, as the interface offered to and used by their customers.
So, what now?
A number of fintech firms offering account information and payment initiation services have argued that the EBA's attempts to ameliorate the access concerns do not go far enough. On 4 May, around 60 fintech companies wrote to EU policymakers and national legislators pushing back strongly against these proposed technical standards, arguing that banks will have too much control over their business models and setting out their concerns that the proposed technical standards will adversely impact innovation, competition and consumer choice.
As a result of this industry pushback, the Commission is considering draft amendments to the technical standards, including contingency measures for access to a dedicated interface "in the event of an inadequate performance, unplanned unavailability of the interface and systems breakdown", including where the dedicated interface is unavailable for "more than 30 seconds during a communication session". TPPs and banks would also be required to report to their national regulator instances where a dedicated interface falls short of expectations.
However, these proposed amendments are subject to change and they still stop short of the position previously put forward by TPPs that they should be able to directly access the same information as the banks' customers.