New payment services must gain consumer trust through sound data security practices to succeed

Out-Law Analysis | 07 Dec 2017 | 5:14 pm | 5 min. read

ANALYSIS: Without the trust of consumers, third parties requiring consumer consent to use new rights of access to bank and payment account data will struggle to make an impact in the market.

That is the clear message from a survey carried out for Pinsent Masons and Innovate Finance of the views of a number of fintech businesses. Fluidly believe that trust will be based on three elements: transparency of activity, security and their brand.

"If the first movers can establish themselves in those three areas they will attract a wave of early adopters who are willing to experiment for financial or other incentives, for example to avoid credit card fees from more traditional PIS providers," Fluidly said. "Trust in AISPs (account information service providers) is a little further along the adoption cycle for SMEs and sole traders as this functionality already exists for many of the accounting software packages that already offer bank feeds."

While initial research suggests consumer sentiment towards AISPs and PISPs (payment initiation service providers) is one of distrust, CurrencyCloud counters this: "How would you have responded if 10 years ago you were asked if you would entrust an app on your phone to do your online banking, arrange a date for you or order a meal? The answer would have been 'what's an app?'"

"The question of whether consumers trust AIPS or PIS is in the abstract - consumers can’t relate to questions like these in theory. What will be interesting to see is adoption rates once there are live AISP and PISP enabled products in the marketplace. Most people are apathetic to things they can’t see or touch, like risk, so my personal view is that we'll see take up of these products."

Education will also play an important role in generating trust. According to a recent survey carried out by Which?, 92% of the public haven’t heard of Open Banking. Payment Components notes that this is important: “Breaking free from the routine of accessing your banking information, solely from within the 'gated community' environment, of your own bank’s applications, will inevitably require a mental leap from consumers. This is why education and raising awareness regarding what PSD2 is, how it works and what kind of built-in provisions it has to enforce security, is a major step in the path towards wide adoption of third party providers and PSD2.”

Bud, which is collaborating with HSBC, believes its approach of collaborating with banks will help address customer security concerns.

"We believe our model, supplying the AISP experience via the bank's existing channels, will be the most successful adoption method," Bud said. "Customers will be in an app they trust with a brand that they habitually use to manage money. It will be minimal effort for customers to experience the new norm in finance."

Priviti has taken the view that existing trusted brands stand to gain most when the PSD2 reforms first take effect.

"Consumers are likely to quickly adopt AISP-enabled business models if they are offered by proven and trusted consumer brands," Priviti said. "AISP-enabled business models that combine bank data with other highly relevant data to produce innovative new services are probably likely to be more successful than offerings that just try to improve the presentation and analysis of bank data."

There is optimism within the fintech community that consumers will be willing to embrace new services.

According to Token: "New companies will need to gain consumer trust, but many challenger banks and retailers are already paving the way for this. Solutions that do not rely on screen scraping have a critical role to play here in terms of partnering with banks, retailers and payments processors, to create a secure pipeline through which information is shared."

According to Leveris: "Consumers will trust PISPs for the simple reason that the average customer doesn’t know or care how their transaction is processed, they don’t actually know that this is revolutionary and that this process disintermediates payment processing removing the card rails, scheme and merchant acquirer."

Innovative new services that deliver benefits to consumers will help to win consumers' trust in those brands and alleviate concerns about security, according to some in the industry.

"As third parties give consumers more options in terms of access to products, better or faster service, discounts or incentives, we will start to see an increase in trust," said Token. "The winners who gain consumer trust will be those who deliver a truly frictionless user experience without sharing usernames, passwords, account details, or any other 'shared secrets'."

What do consumers think?

Consumer sentiment similarly indicates the need for robust security practices to be adhered to and communicated to the market. A survey by Pinsent Masons and Innovate Finance has found that 72% of adults in Britain would be worried about their personal details being stored by a payment company that is not their bank. More than twice as many consumers also said they would trust an existing payment company like PayPal to handle their transaction data (26%) over a large technology company like Amazon (10%). This data indicates how important having a trusted brand and a strong track record, whether a bank or fintech, will be in making Open Banking a success for consumers.

Although the initial consumer data remains a concern, we will have to wait to see how consumers react once Open Banking comes into play. In the same way that people say they do not trust strangers, and then get into an Uber or rent their house out on Airbnb, what consumers say now may not be how they act when presented with the opportunity to use financial products and services that add real value to their day-to-day lives. In this respect, ensuring issues around liability, security and consent are adequately addressed may go some way towards alleviating some of these initial concerns.

Legal requirements

Sound data protection and security will of course be vital and the importance of these measures is highlighted in PSD2 and in the CMA's Open Banking order.

The PSD2 'recitals' suggest that "potential security risks" exist in "the payment chain" of some models used in the market because of shortcomings in existing payment services regulation. They state that those risks have increased in the intervening years between the original Payment Services Directive and PSD2 coming into force, as e-payments have become more complex and voluminous and new types have emerged.

PSD2 stresses the importance of protecting customer credentials and says that personal data processed in the provision of payment services must accord with EU data protection rules. According to the PSD2 recitals, data protection by design and data protection by default should be "embedded in all data processing systems" in the context of payment services.

Payment service providers are obliged to deploy security measures that are "proportionate to the security risks concerned", and are required to adopt measures that involve encryption and authentication codes. PSD2 also requires regulated businesses to establish "a framework to mitigate risks and maintain effective incident management procedures", and requires the reporting of major security incidents without undue delay to regulators.

The CMA Open Banking order requires new open API standards to be developed by an industry body which it establishes, and requires those standards to cover security, authorisation and authentication. The CMA has said that the open API standards must provide for "robust security arrangements and identity management to protect this far more sensitive information". It has also indicated that customers must be "fully protected against privacy and security risks and fully informed of the potential benefits and risks of sharing their financial information with third parties".

The CMA also notes that data and security standards will need to take account of the EU's General Data Protection Regulation and the 4th Anti Money Laundering Directive. Understanding how these overlapping pieces of legislation fit together is therefore essential. For example, as some commentators suggest, understanding where liability sits (both for data controllers and processors) in an increasingly networked ecosystem, alongside adhering to the principles of 'informed consent' and data minimisation, will be crucial to the smooth roll-out of Open Banking.

Luke Scanlon and Yvonne Dunn are experts in financial services and technology law at Pinsent Masons, the law firm behind