FinTech versus Banks, Round One: PSD2

I got a very interesting heads-up yesterday to a campaign the European FinTech start-ups have kicked off to try and stop the big, nasty banks screwing them with their version of PSD2.  I’ve previously blogged that the banks will implement non-standard APIs to make it difficult to access their services without writing code to work with each bank’s API’s.  This issue goes further than that.  Here’s what they have to say:

ABSTRACT

European political leadership has set a world class example with recent consumer-focused legislative actions, such as PSD2 and the General Data Protection Regulation. These legislative acts foster innovation and drive both competition and choice in the market. They also ensure that the highest standards of consumer protection are upheld and empower all European citizens with the ownership of their data.  We are now at a crucial moment in the finalisation of the technical standards of PSD2.

We strongly believe that if some of the proposed standards are adopted, specifically those in relation to how fintechs communicate with banks on behalf of the consumer, they will have a severe adverse impact.

They will have a negative impact on competition, they will jeopardise consumer control over their own financial data, and they will have a critical negative impact on the future trajectory of innovation in Europe. The proposed regulatory standards are inconsistent with PSD2 and will make fintechs technologically dependent on banks and therefore grant incumbents a gatekeeper role on the fintech sector.

FULL STATEMENT

We come together as 65 companies and associations operating across all EU Member States and at a global level in the financial services space, including:

• European Fintech companies and associations
• Providers of account information services(AIS) and payment initiation services (PIS) collectively called Third Party Payment Service Providers (TPPs)
• Banks and Financial Institutions
• Other companies using TPP technologies (e.g. accountants, Start-ups etc.…)

We welcome the adoption of the amended Payment Services Directive (PSD2) that seeks to improve competition by opening payment markets to new entrants, thus fostering greater efficiency and cost-reduction.

We recall, that the decision to modernise PSD in 2013 was in order to take into account new types of payment services, which had brought innovation and competition, providing more, and often cheaper, alternatives for internet payments; but were previously unregulated. Bringing them within the scope of the PSD2 will boost transparency, innovation and security in the single market and aims to create a level playing field between different payment service providers.

In March 2017, the European Banking Authority (EBA) published the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and common and secure communication (SC) under PSD2 which touch the very fundamentals of the Directive. However, the choices taken by the EBA have the potential to negatively impact our businesses models, thus reversing what has been achieved by Fintech companies over the last years at the EU level.

We believe that the EBA’s RTS, not only do not reflect the principles laid down in PSD2, but are distorting them by banning a secure proven technology such as Direct Access via the bank’s existing – and well maintained – customer-facing online banking interface (sometimes derogatively referred to as screen scraping). We, therefore, urge policymakers to align the RTS with the PSD2 text, so that it no longer forecloses specific technologies, such as Direct Access, and preserves technology neutrality in the payments space.

If the RTS articles on the communication interface were to be adopted in their current form, Europe’s successful and growing Fintech industry would be severely hampered. Banks would be given technological control over Fintech businesses and would be able to ring-fence consumers’ data. This will inevitably result in the very opposite of the political intentions behind PSD2: instead of enhancing competition, fostering innovation and giving consumers more choice, innovation will be banned, competition will decrease and consumer choice will be significantly diminished.

Until today, innovation in the financial services sector has been largely based on Direct Access technology, with European Fintech companies being world leaders in this field. This comprises a rare example of European companies that have been able to take market share from mainly US-based incumbents.

PIS, on one hand, have contributed to open the retail payments market by making it easier and less costly to make online payments for consumers and companies alike. AIS, on the other hand, have facilitated the booming of personal finance management services and significantly opened financial choice to consumers. The growth in the PIS and the AIS sector has boosted considerably, despite significant obstructions carried out by the Banks. Such obstructions, despite the entry into force of PSD2, have continued until this day, across many Member States, a situation that should not be overlooked by policy makers when deciding on the future of the RTS.

The provision of PIS and AIS in PSD2 must not be put at the mercy of the Bank’s (Account Servicing Payment Service Providers or ASPSPs in PSD2) willingness to provide a quality service for their competitors. Nonetheless, the RTS is doing exactly that by outlawing Direct Access, the only proven technology used by all European independent TPPs.

Our mutual concerns and suggestions are the following:

1. Direct Access is secure and can be PSD2 compliant

Direct Access is a secure technology that has been used for the last 15 years by both European Fintechs and Banks to provide AIS and PIS services to millions of consumers. With several hundreds of millions of successfully initiated payment and aggregation services provided, there hasn’t been, until this day, one single documented incident of data fraud or compromise of personal credentials.

Hence, there is no factual basis or empirical data to support EBA’s decision to ban Direct Access technology. In fact, Direct Access (using screen scraping) is a well-established technology that has been used and leveraged by other industries, of which we would highlight the following:

• Banks & Wealth managers: Bank aggregation and transfer integration to enhance client experience and improve advice relevancy
• Online travel: Search and provision of travel options from multiple different providers through one interface
• Accounting firms: Improve and digitize traditional processes mostly related to bank statement reconciliation in combination with payment functionalities

Moreover, PSD2 requires that TPPs identify themselves vis-a-vis Banks (ASPSPs) when providing their services. By using the exact same identification mechanism, as the one requested for the dedicated interface in the RTS, Direct Access becomes Secure Authenticated Direct Access (screen scraping combined with TPP identification) and therefore, fully compliant with PSD2.

2. Technology neutrality, competition and equal playing field

PSD2 has the main objectives of promoting competition and ensuring a level playing field in the European payments services market, as stated in Recitals 32, 33 and 93. We strongly believe that Secure Authenticated Direct Access achieves both principles and that such well-functioning technology has stood the test of time.

However, if the RTS were adopted as they currently stand, then the mandatory use of newly developed, proprietary dedicated interfaces would inevitably give Banks (ASPSPs) full control regarding any future innovation on the financial services space. Each new functionality would have to be approved by each single Bank (ASPSP), which would lead to 3 fragmented markets at various levels.

Moreover, well-functioning and always up-to-date dedicated interfaces only exist as a hypothesis so far. They have not yet been developed or tested, and they have yet to become a reality. Therefore, the only way to ensure that Banks (ASPSPs) have the right incentives to provide and maintain a well-functioning dedicated interface and that competition and innovation continue to grow, is to make them optional. It will be only through real and direct competition that we will be able to ensure that PSD2 objectives are achieved. To make a non-proven technology mandatory and to try to enforce “functionality”, “availability” and “performance” will lead to multiple interpretations and legal disputes between TPPs and Banks (ASPSPs), which PSD2 is supposed to curtail.

3. Consumer data ownership, control and portability

As enshrined in the General Data Protection Regulation (GDPR), individuals are the only owners of their data. Such principle codifies two fundamental rights:

1. Data ownership and control - The users (data subjects) shall have control of their own personal data, including right of access, the right of use etc.
2. Data portability - The user shall have the right to transmit and transport his/her data to another controller without hindrance from the controller to which the personal data have been provided.

The GDPR has a broader definition than PSD2 on what kind of data a data subject must be able to transmit in a data portability request. PSD2 makes clear that TPPs always need explicit user consent and must not process consumer data other than what is necessary for the very services they provide.

As licensed entities, TPPs will be under the supervision of the competent national authorities, which will be able to audit compliance with these requirements, just as they are able to audit compliance by entities holding a bank license. Hence TPPs will not be at liberty to do what they want. The data they can handle will be limited by what consumers consent to and what supervisors agree on.

The PSD2 RTS however restricts the consumer right to use software to access and share his/her own data ex ante and as such violates not only the spirit and wording of PSD2, but also the fundamental data ownership principles in the GDPR and grants Banks the possibility to monopolise the consumers’ data.

Secure Authenticated Direct Access would not only uphold the principles of data ownership, but also provide an easy and secure way for Banks (ASPSP) to be compliant both with the access to account rule in PSD2 and also with the right to data portability and direct transmission between data controllers in GDPR.

4. Solution: Secure Authenticated Direct Access

The core argument used by the EBA for enforcing TPP access via a dedicated interface or via an amended customer-facing online banking interface is that Direct Access is not a secure technology.

However, as already demonstrated above, Direct Access has an outstanding security record which together with the required authentication vis-a-vis the ASPSP is further enhancing security and allows the ASPSP to see exactly what actions the TPP perform.

Secure Authenticated Direct Access (screen scraping combined with TPP identification) is fully PSD2 compliant, which implies:

• TPPs identify themselves towards the ASPSP at their customer-facing online banking interface
• TPPs communicate securely with the ASPSP
• TPPs secure the use, access or storage of the payment service user’s data with at least the same level of security as any dedicated communications interface

The Bank´s (ASPSP) freedom of choice (to offer a dedicated interface or not) must be reciprocated by the TPP‘s freedom of choice (to use the dedicated interface or not). The only functioning technology used for bank-independent PIS and AIS must not be foreclosed.

Therefore, we request for the RTS to be amended so that TPPs can identify themselves at the customer-facing online banking interface and use Secure Authenticated Direct Access even if the Bank (ASPSP) provides a dedicated interface.

This amendment is also justified by the recitals 32 and 93 PSD2.

(32) “... An ASPSP which provides a mechanism for indirect access should also allow direct access for the payment initiation service providers.”

and (93) “... PIS and AIS can provide their services with the consent of the account holder without being required by the account servicing payment service provider to use a particular business model, whether based on direct or indirect access, for the provision of those types of services.”, “Those  regulatory technical standards should be compatible with the different technological solutions available.”.

The right to opt for the indirect or direct access shall be on the side of PIS and AIS providers.

Since the extent of the amendment of the customer-facing online banking interface proposed by the EBA for the Banks that opt not to have a dedicated interface has not been detailed, it can be that the modification for the RTS is as simple as making the amended interface available to TPPs at all times, regardless of the existence of a dedicated interface. The PSD2 RTS are absolutely critical for the future of Fintech companies in Europe, for the future of online commerce and in order to boost consumer choice and ensure the right of the consumer to control its own data. A properly nurtured and regulated European Fintech industry will continue to be a success story; an engine of growth, a job creator and a guarantor of a truly competitive retail payments landscape, giving merchants and consumers the choice they want.

The undersigned 65 European Fintech companies and associations, Providers of account information services and payment initiation services, Banks and Financial Institutions and other companies using TPP technologies.

1. 2getherbank (www.2getherbank.co)
2. AFAS Software (www.afas.nl)
3. Aplázame (www.aplazame.com)
4. Asociación Española Fintech e Insurtech  (www.asociacionfintech.es)
5. Avanza (www.avanza.se)
6. Bankin (www.bankin.com)
7. Besepa (www.besepa.com)
8. Bnext (www.bnext.es)
9. Bolsa.com (www.bolsa.com)
10. Brokalia (www.brokalia.com)
11. Budget Insight (www.budget-insight.com)
12. Cardlay (www.cardlay.com)
13. Checkit Bancario (www.checkitbancario.com)
14. Clearhaus (www.clearhaus.com)
15. Collector Bank (www.collector.se)
16. Crealsa (www.crealsa.es)
17. Ernit (www.ernit.com)
18. Eurobits (www.eurobits.com)
19. European Fintech Alliance (www.fintech-alliance.eu)
20. Figo (www.figo.io)
21. Financial Codex (www.financialcodex.com)
22. Finance Innovation (www.finance-innovation.org)
23. Finapi (www.finapi.io)
24. Finect (www.finect.com)
25. Fintonic (www.fintonic.com)
26. FintecSystems GmbH (www.fintecsystems.com)
27. FlexFunding (www.flexfunding.com)
28. France Fintech (www.francefintech.org)
29. IESA (www.iesa.es)
30. Inbonis (www.inbonis.es)
31. INCWO (www.incwo.com)
32. Instantor (www.instantor.com)
33. Klarna / SOFORT (www.klarna.com)
34. Kontomatik (www.kontomatik.com)
35. La finBox (www.lafinbox.fr)
36. Lendify (www.lendify.se)
37. Lendrock (www.lendrock.es)
38. L‘expert (www.l-expert-comptable.com)
39. Linxo (www.linxo.com)
40. Meniga (www.meniga.com)
41. Mooverang (www.mooverang.es)
42. MyBanker (www.mybanker.dk)
43. MyMonii (www.mymonii.com)
44. Opti (www.opti.se)
45. OutBank (www.outbankapp.com)
46. Pagatelia (www.pagatelia.com)
47. PaySera (www.paysera.com)
48. Pensumo (www.pensumo.es)
49. PPRO (www.ppro.com)
50. Safello (www.safello.com)
51. Savso (www.savso.com)
52. Setpay (www.getsetpay.com)
53. Solidi Ltd (www.solidi.co)
54. Spiir (www.spiir.dk)
55. Strands (www.strands.com)
56. Subhub (www.subhub.com)
57. Swedish Fintech Association
58. Teller (www.teller.io)
59. Tink (www.tink.se)
60. TrueLayer (www.truelayer.com)
61. Trustly (www.trustly.com)
62. Trustpay (www.trustpay.com )
63. Web Financial Group (www.webfinancialgroup.com)
64. Wiquot (www.wiquot.com)
65. ZignSEC (www.zignsec.com)