Several fintech players and innovative banks are looking closely at the potential scope of data they might have easier access to after PSD2 enters into force in 2018. They are building up use cases, business scenarios and business cases for new services they want to market utilizing those data sets. The market players are waiting to see clearly the regulatory expectations they will have to meet.
In this article we are going to touch on the issue of the data access obligation (called XS2A, or Access-to-Account) from several aspects, such as the scope and period of the data, aggregation and processing, and the definition of “explicit consent”.
PSD2 is a regulation of great importance and represents a very innovative and forward-looking regulatory approach, but the details will determine its success or failure. Data access, especially the scope and usability of the data accessed, is probably the most important, most decisive issue. It will determine what services, on what CEX level, could be provided.
The scope of data that the traditional financial service providers will have to provide access to under PSD2 is not yet clear. On the other hand, the General Data Protection Regulation (GDPR) will also have recommendations on data sharing, data usability and the processing methodology for personal data, which – obviously – will affect the scope and means of the data access required by PSD2. PSD2 and GDPR recommendations and requirements shall be harmonized. A great help for the market players – and also for the regulators who will implement the directives – is the work of the Open Banking Working Group (OBWG). It issued its recommendations in the form of an Open Banking Standard to guide how open banking data should be created, shared and used by its owners and those who access it.
These 3 initiatives will together set the playground and will shape the business cases for digital financial services in the coming years. In the following part of the article we outline – without being exhaustive – how we read these with regard to data scope and usability, and also which issues we still see as open.
1. “Explicit consent” in practice:
PSD2 Article 49 says that payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the customer. Explicit consent means that the customers have been informed of the fact that their data will be accessed, and also of the purpose of its use, before giving consent. The consent shall be given for a certain purpose and for a certain time; it cannot be endless. And, what could cause some headaches for the service providers – the consent shall be acquired on every occasion when the service is provided, and the Service Provider also has to be able to prove at any time that it has the consent.
EBA and OBWG will define what explicit consent means in practice. This definition is crucial, since it defines the procedures: by what means and in which cases the service providers shall “contact” the customers for their consent.
How, and for how long, do the SPs need to prove that they acquired the consent of the customer? This means processes, storage requirements and compliance questions – altogether a cost factor, and it could also harm the smoothness and ease of the services.
2. Data scope and time-frame
New service providers – leveraging their cutting-edge technology knowledge and capacities – will have the right to provide value-added services to the customers, such as financial analytics (including predictive analytics), investment and savings advice, or offers for alternative credit arrangements. These services will help the customers to make better financial decisions by giving them easily understandable analysis of their payments and financial records. The new service providers have a different approach than banks: their services are based on existing or future life situations, which they might foresee thanks to their analytics and prediction capabilities. What they need is a wide scope of valid data and the right to process those data together with other relevant, publicly available data.
The Open Banking Standard guideline says that third parties should be able to access both unique customer payment and transaction data and also the aggregated customer and transaction data the banks have, using APIs through technical “protocols” still to be agreed.
PSD2, on the other hand, states that the scope of data requested is restricted to its purpose. Does this mean that for each and every new service feature which needs further data acquisition, a new consent shall be acquired? If yes, that could harm customer relations and customer experience, and would also cause further work processes.
These are just examples of the issues or questions which need to be answered in a harmonized way by the regulators.
What is the reasonable time-frame of the data SPs can request? It should be long enough to make good analytics, but should not put an excessive obligation on the banks. (OBS sets it as 25 months for customer transaction data – that is a good base.)
3. Data aggregation
At this time, we haven’t seen an explicit regulatory standpoint on how the data accessed on the basis of PSD2 could be aggregated, analyzed, stored and processed.
The Open Banking Initiative in the UK brings us closer to the answers and helps to get ready for the new challenges. OBS thinks further than PSD2 and GDPR. OBS defines data categories and also covers personal current account data sharing issues.
Setting the rules, obligations and liabilities, and defining the procedures, standards, etc. are very important from the service provisioning side. However, the customers, the potential users, shall also be ready and able to use these new services. This can be achieved only with close cooperation between the regulator and the market players.
There are many issues and questions to which the answers still have to be worked out in order to be able to develop business models and business cases.
This is like a puzzle or a magic cube, where all the pieces have to match the others. In this case, EBA and OBWG are the major players on the regulators’ side to watch.
We look forward to seeing the developments…
FinTechGroup: “Creating a Brave New Financial World!”