Opening the Vaults to FinTech: The PSD2 in Context
In the early 90’s, Bill Gates declared that ‘[while] banking is necessary, banks are not’; little did we know that the world’s richest man’s then exaggerated statement would become a perfectly viable assertion by today, the year 2017. After several past breaking points in the banking sector, such as the emergence of the first low-capital banks at the start of the new millennium or the profound banking reforms in the wake of the financial crisis, in January 2018 the EU/EEA Member States will have to put into action a norm which could overhaul the banking market as we know it once again: the Revised Payment Services Directive (the “PSD2” or the “Directive”) which, once implemented, has the potential to disturb banks’ monopoly over payment account access and open the gates to FinTech companies all over Europe. The article to follow aims to provide guidance as to the Directive’s impact on FinTech companies and, reciprocally, on traditional financial institutions.
The PSD2 is set to replace the current Payment Services Directive (PSD) which has been implemented throughout the EU/EEA since 1 November 2009. As much needed a step towards a unified payment regime as the PSD was (note e.g. the SEPA system it laid a legal framework for), its provisions proved to be out-of-date soon after its enforcement due to – amongst other things – the rise of new players operating outside the PSD’s regulatory reach. The new players at issue are commonly active in the FinTech business; they combine the payment services hitherto only performed by banks and other traditional payment institutions with clever software to create user-centred services such as personalised budget management or payment initiation via paygates and similar platforms.
On the one hand, the Commission welcomes such new competition in an otherwise quasi-monopolistic market, inasmuch as it seeks to foster innovative internet payment services. Simultaneously, however, the fact that the new players have in various instances gained access to and, to some extent, control of sensitive client information (e.g. account balance and movements), without being subjected to the same regulation as ‘payment service providers’ within the meaning of the PSD, raises serious security questions. Moreover, even in the absence of direct regulation by the PSD, the use of various FinTech applications can imaginably still lead to legal ‘friction’ with the law as it stands, at the least: For example, the entering of one’s online banking login details into a money management app will, without more, almost invariably violate the respective bank’s terms & conditions and/or the applicable statute.
It therefore does not come as much of a surprise that the Commission has introduced a response to the new challenges. The PSD2, to be transposed into each EU/EEA national legal system with effect on 13 January 2018, aims to facilitate market entry to those providing innovative payment services on the one hand, but also to level the regulatory playing field between the (so far unsupervised) new players and traditional payment institutions such as licensed banks on the other, having particular regard to consumer protection and overall data security.
The Directive is ground-breaking in that it obliges all ‘account servicing payment service providers’ (which we will for the sake of simplicity call “banks”) to grant newly recognised types of market players (see further below) access to customer accounts – all this, of course, subject to the customer’s express consent as well as due authorisation by the competent supervision authority. The new players at issue, now included in the definition of ‘payment service providers’, are divided into two groups, namely—
(i) the so-called ‘payment initiation service providers’ (the “PISPs”); and
(ii) the so-called ‘account information service providers’ (the “AISPs”)
…to whom we will henceforth refer collectively as the “New Providers”.
The Swedish FinTech start-up Trustly, offering a service whereby the user may, for instance, carry out an instant payment directly from their bank account without ever having to leave an e-shop, is a prime example of what the Directive deems a ‘PISP’: PISPs offer online services by virtue of which the user may, subject to the expression of their explicit consent, trigger a payment from their bank account using the platform operated by a PISP (think: a paygate), rather than by direct interaction with the bank. Once the user has given a payment order via the PISP, the bank will have to perform the payment as though the order had been given directly via the bank’s own platform – i.e. with no discrimination as to priority or the conditions for acceptance and refusal, and without the need for any contractual relationship to subsist between the bank and the PISP in question. To guarantee the user’s protection, PISPs will neither be able to actually possess the funds being transferred at any given time, nor will they be entitled to store and/or process any of the sensitive data regarding the payments being carried out. The user’s account access details, too, will be protected in that they may only ever be shared with the bank which issued them in the first place, and with the user themselves.
The AISPs, on the other hand, perform online services which, subject to the user’s express consent, enable the user to micromanage their budget by relaying to the user the balance and/or movements on their bank account in a lucid and structured manner (often complemented by various statistics and/or analysis functions). Such services are provided e.g. by the Czech start-up BudgetBakers via its Wallet app. As with the PISPs, banks will have to treat data enquiries made by AISPs on behalf of the user identically to information requests made by the user directly. More specifically, pursuant to the Draft Regulatory Technical Standards (the “RTS”) issued by the European Banking Authority (EBA), account information must be granted to AISPs either (a) whenever the user is actively requesting such information, or (b) on a passive (‘background’) basis, but no more than four times in a 24-hour period, unless a higher frequency is stipulated by all parties involved.
The manner in which the transfer of information between banks on the one side and the New Providers on the other is to transpire is outlined in Art. 27 RTS. Namely, the banks must implement an open interface which will enable the New Providers to (i) identify themselves towards the bank, (ii) communicate securely to request and receive information on designated payment accounts and (iii) initiate payment orders. In practice, this will be achieved using a so-called ‘Application Programming Interface (API)’ which, in simple terms, constitutes a set of building blocks for creating software applications that are to be compatible with the respective bank’s own software. As per the RTS, API specifications will have to be provided to the New Providers on demand (at least) and a summary of them published on the banks’ webpages.
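To make concrete what a bank-side interface has to check before serving an AISP request, the following is an added example (not code from the article, the RTS, or any bank or provider it mentions). It models the three gates the two preceding paragraphs describe: the provider must be identified (here, membership in a register of authorised AISPs), the user must have consented for the specific account, and passive ‘background’ enquiries are capped per rolling 24-hour window while user-initiated enquiries are not. All identifiers, the per-account counting, the default cap of four and the hypothetical `AccessGate` class are assumptions of the example; the RTS text on the page does not say at what granularity the four accesses are counted.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)        # rolling window from the RTS rule quoted above
DEFAULT_BACKGROUND_CAP = 4          # "no more than four times in a 24-hour period"


@dataclass(frozen=True)
class Consent:
    """Explicit user consent for one AISP to read a set of accounts.
    A higher background cap models 'unless a higher frequency is stipulated'."""
    user_id: str
    aisp_id: str
    accounts: frozenset[str]
    background_cap: int = DEFAULT_BACKGROUND_CAP


@dataclass
class AccessGate:
    """Hypothetical bank-side policy check in front of an account-information API."""
    known_aisps: set[str]                              # providers that identified themselves
    consents: dict[tuple[str, str], Consent]           # (user_id, aisp_id) -> Consent
    _background_log: dict[tuple[str, str, str], list[datetime]] = field(default_factory=dict)

    def authorise(self, aisp_id: str, user_id: str, account: str,
                  user_present: bool, now: datetime) -> tuple[bool, str]:
        """Return (allowed, reason). Only background calls are counted and capped."""
        if aisp_id not in self.known_aisps:
            return False, "unidentified provider"
        consent = self.consents.get((user_id, aisp_id))
        if consent is None or account not in consent.accounts:
            return False, "no consent for account"
        if user_present:
            # Active request by the user: treated like the user asking the bank directly.
            return True, "user-initiated"
        key = (user_id, aisp_id, account)
        # Drop entries that have fallen out of the rolling 24-hour window.
        recent = [t for t in self._background_log.get(key, []) if now - t < WINDOW]
        if len(recent) >= consent.background_cap:
            self._background_log[key] = recent
            return False, "background cap reached"
        recent.append(now)
        self._background_log[key] = recent
        return True, "background"


def run_demo() -> list[tuple[bool, str]]:
    """Constructed scenario: one authorised AISP, one consenting user, one account."""
    acct = "CZ65-0000-0001"                            # constructed, not a real IBAN
    gate = AccessGate(
        known_aisps={"aisp-wallet"},
        consents={("alice", "aisp-wallet"): Consent("alice", "aisp-wallet", frozenset({acct}))},
    )
    t0 = datetime(2018, 1, 13, 8, 0)                   # PSD2 application date, 08:00
    results = [
        gate.authorise("unknown-app", "alice", acct, False, t0),          # not in register
        gate.authorise("aisp-wallet", "alice", "CZ65-0000-0002", False, t0),  # no consent
    ]
    # Five background polls one hour apart: four pass, the fifth hits the cap.
    for hour in range(5):
        results.append(gate.authorise("aisp-wallet", "alice", acct, False, t0 + timedelta(hours=hour)))
    # The user opens the app: active requests are not limited by the cap.
    results.append(gate.authorise("aisp-wallet", "alice", acct, True, t0 + timedelta(hours=5)))
    # 24h01m after the first poll, that poll leaves the window and background access resumes.
    results.append(gate.authorise("aisp-wallet", "alice", acct, False, t0 + timedelta(hours=24, minutes=1)))
    return results


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The point of the sliding window rather than a fixed daily counter is that a provider polling just before and just after midnight could otherwise read the account eight times within a few hours while still staying within a calendar-day count; the rolling check closes that gap. In a real deployment the register of identified providers would be backed by the supervisory authority’s public register and the provider’s credential, not an in-memory set.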
New Regulatory Challenges
Amidst all the (however legitimate) excitement surrounding the EU’s promotion of FinTech, it perhaps deserves to be highlighted that the PSD2 does not simply warrant the New Providers free, unrestrained access to payment accounts forthwith while having other institutions do the ‘heavy lifting’. Indeed, PISPs are now clearly defined to be payment service providing ‘payment institutions’, and – save for certain exceptions – AISPs are to be treated as such for the purposes of the Directive. This implies that the New Providers will now have to apply for authorisation with the competent financial supervision authority before their activities are permitted and the entitlement to payment account access granted.
Pursuant to Art. 5 of the Directive such authorisation application will, in the case of both PISPs and AISPs, need to comprise a programme of operations, a business and budget plan for the next three years, descriptions of the applicant’s governance and risk management systems as well as security procedures and policies, the applicant’s internal structure, as well as details of the directors and other members of management, including evidence of their good repute and sufficient skill and experience for the conduct of the payment services applied for. Finally, a complete application is also qualified by the arrangement of a professional indemnity insurance (or an equivalent guarantee), the exact value/calculation of which is left to be determined by the EBA in the near future.
The PISPs, being payment institutions proper (unlike AISPs), will have to fulfil some additional requirements, as well. Most notably, PISPs must pay up and maintain a minimum capital of EUR 50,000 (given the provision of no other payment services is contemplated), submit the identities of persons with qualifying holdings in the applicant (incl. descriptions of such holdings) and adduce evidence of such persons’ suitability for ‘sound and prudent management’ of the PISP. When assessing the application, the competent authorities may moreover scrutinise, inter alia, the effect of the applicant’s secondary business activities (if any) on the soundness and reliability of the payment services for which authorisation is sought.
The good news for the New Providers is, nevertheless, that once authorisation has been granted by the competent authority of the New Provider’s home Member State, they may expand their payment services further throughout the EU/EEA without the need to obtain authorisation from authorities in other Member States. Rather, it will suffice if the New Provider has registered an agent or a branch for such other Member States in a public register kept by the home authority. What is more, it is the home authority which decides whether or not such representation in other Member States may be established – the competent authority in the other Member State where the relevant payment service is to be provided may, nevertheless, present to the home authority its formal opinion on whether authorisation should be awarded.
Going Forward: Tradition vs. Innovation?
In a time when global FinTech investment has far exceeded USD 20bn, it is only appropriate that FinTech companies be awarded a substantive title to access the market they have started to tap. Thanks to the Directive, investment in FinTech will not only be supported officially, but also relieved of risk in that it is no longer accompanied by regulatory uncertainty. Perhaps as a partial consequence, the volume of global FinTech investment has been predicted to surpass USD 150bn within the next 3-5 years. Yet, the new authorisation requirements might pose something of a challenge to newcomers, and thus the more advanced start-ups will be at an advantage: How, for example, will an entrepreneurial IT student wishing to market a money management app prove they possess sufficient skill and experience for the performance of payment services? Will they be able to afford appropriate insurance cover? Only practice and further guidance by the EBA (expected by 13 July 2017) will show. In any event, all those qualifying as PISPs or AISPs seeking to expand their services abroad should benefit from the Directive – a single authorisation acquired in the home Member State will suffice, so that resources otherwise expended on administrative and compliance procedures can be allocated more wisely.
The ‘traditional’ payment institutions such as mainstream banks – still shaken from the last financial crisis – are faced with the difficult task of containing risk all the while having to embrace what are often untested technologies in order to retain custom and avoid excessive business disturbances by ambitious start-ups. This will foreseeably leave them no choice but to engage in cooperation with and/or acquisitions of FinTechs as, after all, many have already done. Finally, the implementation of innovative payment services will undoubtedly entail increased expenses in the field of IT, primarily for the purposes of API development and the improvement of cyber-security measures. The key, it seems, is for banks to use their first-mover advantage before the PSD2 takes effect: while the various FinTechs (i.e. the New Providers) will only be granted access to customer accounts after January 2018, banks – currently exercising exclusive control over said accounts – get a head start.
Ultimately, the fact remains that banks and FinTech businesses are inherently interdependent in that each party holds something the other needs to stay afloat – traditional banks administer accounts and possess the custom without which FinTechs would have nothing to exploit, while FinTechs, if willing to cooperate, can offer to banks the modern impulse they need to retain a whole new generation of tech-savvy clients. Therefore, market logic has it that what we will be witnessing over the next years is not a sudden tug of war between banks and new market entrants, but – as utopian as it may sound – both groups engaging in common ventures to make the most of their mutual synergies. Perhaps Bill Gates was wrong after all…