Page 1: Open Banking: Don't Believe the Hype!

BASDA Annual Summit, 15th May 2018

Page 2: Our next Speaker

Open Banking: "Don't Believe the Hype"

– Peter Davey: Director, and Legal & Regulatory and Finance & Risk Lead, Open Vector

Page 3: Why should you care?

• The intention of PSD2 is to make merchant payments feasible without cards
  – Saves the merchant service charge
  – Has turned payments from a backwater into a major area of Fintech activity and investment

• Data sharing: PSD2 and data portability under GDPR will lead to new services
  – And require clients, and you, to have a better understanding of, and evidence of, the law and the controls
  – Facebook & Cambridge Analytica
  – Understanding data sharing, GDPR and infosec generally
  – Managing consent and revocation of consent
  – Authentication of actors and consumers

• Strategic implications in the banking industry
  – Rationalisation of payment account providers
  – Account information services we haven't even thought of
  – Global extensions of open banking gathering pace
  – GAFA / FATBAG

Page 4: Current status

• Open Banking became legally required on 13 January 2018, and GDPR, including data portability, becomes effective on 25 May 2018

• So what's changed? Not a lot:
  – Payments initiation: 'fire and forget'
  – Account information: not especially functional
  – Few TPP licences
  – Redirection from one web browser to another

• Need to comply today, but the security standards (the SCA RTS) won't be clear until September 2019
• Post Brexit, when they are not directly applicable in the UK!
• BUT, Roy Amara's 'law': we tend to overestimate the impact of a new technology in the short run, but underestimate it in the long run
• Also, your client's problem is your opportunity

Page 5: Background: PSD2

Legally effective 13 January 2018

Focussed on payments initiation, following competition actions by Sofort

Delivers: Access for payments initiation, account information, and 'funds check' (PISPs, AISPs, CBPIIs)

Coverage:
• EEA, European Economic Area
• Euro and all other EEA currencies
• Payment accounts
• Retail: consumers and micro-enterprises (turnover and balance sheet below EUR 2 million, and fewer than 10 employees)

Other:
• ASPSPs cannot refuse, charge, or require contracts with TPPs
• The UK has 'transposed' it into local law, but not all European states have yet
• Security features, esp. the SCA RTS and the requirement for TPPs to identify themselves to ASPSPs, effective Q3 2019, i.e. post Brexit
• Issue with screen scraping

Page 6: CMA Order

Legally effective 13 January 2018

Designed to address the perceived failure of current account switching:
• 'More likely to change your partner than your bank'

Delivers: Payments initiation access and account information access, "compliant with PSD2"
• Account information to compare current accounts
• Focus more on account information; the thrust for its inclusion in PSD2 came from the UK

Coverage:
• UK / GBP
• Current accounts, both personal and business

Other:
• 6 of the 9 CMA9 banks have had to request a delay
• The CMA has always been clearer that a move from screen scraping (SS) to APIs is desirable

Page 7: GDPR

Legally effective 25 May 2018. Only concerned here with the 'data portability' aspects. Designed to permit 'data subjects' to better control access to their data.

Delivers: Right to 'port' data from one Data Controller to another with explicit consent
• But note the 'legal basis of processing' may be something else, i.e. Contract, Legal obligation, Vital interests, Public task, or Legitimate interests
• ASPSPs currently have a basis related to processing transactions
• Cannot extend to commercial activities without additional Consent (database implications)

Coverage: All information about data subjects based in the EEA; in principle global coverage!

Other:
• The method is only mandated to be 'structured, commonly used and machine-readable'
• Time frames are longer (a month, compared with real-time)
• The UK Information Commissioner's Office (ICO) is very clear that it thinks OBIE should be the vehicle for data portability
• Banks less so

Page 8: PSD2, CMA Order & GDPR

• Overall
  – The direction of travel of all three is the same
  – But there are critical differences in the details
  – Notably between data protection law and PSD2 account access; see Holland
  – Debate between FS regulators and DP regulators on the status of 'authorisation'

• 'Nothing to see here'
  – We always over-estimate the speed of technology, and underestimate its impact over time
  – Also selling (and explaining) supporting infrastructures: the analogy of electricity

• Coverage
  – Areas of debate in the OBIE Roadmap: card and mortgage accounts
  – Banks resisting a move beyond a 'minimum compliant product' (MCP): the floodgates argument
  – But can an MCP comply with purposive legislation?

Page 9: Technical issues for the ecosystem ... and opportunities for IT vendors?

– SCA RTS (Regulatory Technical Standards on Strong Customer Authentication)
– eIDAS certificates
– Inability of a payment initiator to 'self-PISP', i.e. to initiate payments to itself (when it's clear the 'purpose' was to introduce competition for card payments)
– Obstacles to payment initiation becoming a substitute for cards in e-commerce (forward-dated payments, esp. variable ones)
– Fourth party issue
– APIs
  • Compliance with standards: necessary but not sufficient
  • Provision of own bespoke APIs, via an 'app store' (e.g. Nordea), but how to monetise?
  • Act as a TPP accessing other ASPSPs' accounts
– But especially around consent management ...

Page 10: Consent, Authentication, Authorisation

Consent
– Full explanation of the purpose and implications of the transaction
– Between the TPP and the PSU

Authentication
– SCA requires two out of three elements:
  • Knowledge: something only the PSU knows, like a password or PIN
  • Possession: something only the PSU possesses, like a device
  • Inherence: something the PSU is, i.e. biometrics
– Dynamic linking (of the authentication code to payee and amount)
– Exemptions
– Under the control of the ASPSP

Authorisation
– In the domain of the ASPSP
– 'Positive friction' for the PSU, so they don't pay by mistake and know when the process is about to complete
– Ensure the ASPSP has clarity in its own domain: otherwise allegations of non-authorisation are unwieldy to investigate
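The dynamic linking point above is the one a practitioner most often has to explain: the SCA RTS require the authentication code for a remote payment to be specific to the amount and payee the payer was shown, so that a change to either after approval invalidates the code, and require the two SCA elements to be independent, so that compromising one does not give away the other. The following is an added example, not code from the presentation, from OBIE, or from any ASPSP; it assumes a symmetric key derived from a device-provisioned secret (possession) and a PIN (knowledge) and an HMAC-SHA256 over a canonical encoding of the order. The IBANs, order id, amounts and PIN are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentOrder:
    """The payment the PSU is asked to authorise in the ASPSP's domain."""
    payee_iban: str
    amount_minor: int      # minor units (pence) so no float rounding creeps in
    currency: str
    order_id: str

    def canonical(self) -> bytes:
        # Fixed field order and separator: both sides must produce the same bytes.
        return f"{self.order_id}|{self.payee_iban}|{self.currency}|{self.amount_minor}".encode()


def psu_confirmation(order: PaymentOrder) -> str:
    """What the PSU must be shown before approving ('positive friction')."""
    major, minor = divmod(order.amount_minor, 100)
    return f"Pay {order.currency} {major}.{minor:02d} to {order.payee_iban} (ref {order.order_id})"


def derive_factor_key(device_secret: bytes, pin: str) -> bytes:
    # Combine the possession element (secret provisioned to the device) with the
    # knowledge element (PIN) so that neither alone yields the key.
    # Assumption: a plain PBKDF2 step; real devices keep this in a secure element.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 100_000, dklen=32)


def authentication_code(key: bytes, order: PaymentOrder) -> str:
    # Dynamic linking: the code covers amount and payee, so altering either breaks it.
    return hmac.new(key, order.canonical(), hashlib.sha256).hexdigest()


def aspsp_verify(key: bytes, order_as_received: PaymentOrder, code: str) -> bool:
    # The ASPSP recomputes the code over the order it is about to execute, not the
    # order the TPP claims was shown; constant-time compare avoids timing leaks.
    expected = authentication_code(key, order_as_received)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    device_secret = secrets.token_bytes(32)   # provisioned at enrolment (possession)
    pin = "4711"                              # known only to the PSU (knowledge)
    key = derive_factor_key(device_secret, pin)

    shown_to_psu = PaymentOrder("GB29NWBK60161331926819", 12_50, "GBP", "ord-0001")
    code = authentication_code(key, shown_to_psu)

    # Tampering attempted after the PSU approved: amount raised, payee swapped.
    amount_changed = PaymentOrder(shown_to_psu.payee_iban, 1_250_00, "GBP", "ord-0001")
    payee_changed = PaymentOrder("GB94BARC10201530093459", 12_50, "GBP", "ord-0001")
    # A stolen device without the PIN derives a different key.
    wrong_pin_key = derive_factor_key(device_secret, "0000")

    return {
        "display": psu_confirmation(shown_to_psu),
        "genuine": aspsp_verify(key, shown_to_psu, code),
        "amount_tampered": aspsp_verify(key, amount_changed, code),
        "payee_tampered": aspsp_verify(key, payee_changed, code),
        "wrong_pin": aspsp_verify(key, shown_to_psu, authentication_code(wrong_pin_key, shown_to_psu)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The verification step is the part to get right in practice: the ASPSP must compute the expected code over the payee and amount it is actually about to execute, and the PSU must be shown exactly those values before approving, otherwise the 'link' is to whatever the intermediary chose to display.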

Page 11: Consent, Authentication, Authorisation

At least three different accesses, even using OB standards:
– Payments initiation access
– PSD2 account information access
– Data sharing beyond PSD2, presumably therefore under GDPR
– Note the ASPSP needs a legal basis for processing in releasing the PSU's data. Easiest if it's a Legal obligation or Public task, i.e. complying with the law.

Implications for:
– Regulatory model (PISP & AISP): PII (professional indemnity insurance) can only cover regulated activities
– Liability model (only PISP transactions are underwritten by the ASPSP)
– Legal status of the authorisation stage at the ASPSP (different for each)

Page 12: Consent, Authentication, Authorisation

Made more complex by the fact that:
– Simple transactions might combine all three accesses
– Parties may disagree on the legal status of the access
– Need to make it easy for a customer to consent (and equally easy to revoke), and yet
– Need the consumer to be able to access complete data on request re the regulatory model, liabilities, legal status etc.

OBIE UK uses a model based on:
– Consent between the PSU and the TPP
– Authentication and Authorisation by the PSU in the domain of the ASPSP
– Which implies a redirection model
– Works for all three types of access
– The ASPSP can move immediately to SCA without waiting for the RTS, and
– Without having to coordinate with other parties

Page 13: Access models etc. / need for flexibility

ERPB (Euro Retail Payments Board) approach
– Suggestion that a 'dedicated interface' needs to cater for more than redirection
– Embedded and/or De-coupled?
– Arguably there is a fourth that needs to be catered for as well: screen scraping
– How will SCA work?
– How will selection between the alternatives work? Merchant or consumer 'drive'?

IT solutions need to be flexible for potential change
– Compliant today
– Yet flexible as models and strategies change
– Standard APIs, bespoke APIs, SS (screen scraping)
– Access methods: Redirection, Embedded, De-coupled
– Directories and digital certificates

Page 14: Conclusion

• Agree OB looks like all hype
• But would argue that it will lead to far-reaching changes
• Provides opportunities to help clients deal with difficult issues
• Will also impact your ability to manage your treasury
  – To obtain information from banks
  – And to initiate payments
• Data sharing especially is a difficult area, with risk and opportunity
• Perhaps better to be the seller of pickaxes etc. than to prospect for gold
• Access to data will be more important than the ability to initiate payments