Out-Law / Your Daily Need-To-Know

EU open banking push 'needs revised PSD2'

Out-Law News | 27 Feb 2020 | 9:50 am | 2 min. read

EU payment services laws should be revised to provide for "consumer-friendly, open banking", according to a former European Commission official who worked on developing the current framework.

Jean Allix, who now works as a special advisor to the European Consumer Organisation (BEUC), said the body "accepts the idea of extending the scope of access to data from payment data to other financial data". However, he said "a very different mode" should be found to deliver those reforms after identifying problems with the existing legislation, the second Payment Services Directive (PSD2).

PSD2 took effect in early 2018. It sets out a framework for enabling third parties – account information service providers (AISPs) and payment initiation service providers (PISPs) – to access payment data held by banks and other account servicing payment service providers (ASPSPs) in an effort to promote greater competition and innovation in the payment services market.

Regulatory technical standards that build on the PSD2 provisions around access to data, which ultimately aim to enhance the security of payments and limit fraud by ensuring there is a secure mechanism for sharing payments data, came into force in September 2019. However, there have been regulator-sanctioned delays in the enforcement of those 'strong customer authentication' standards in certain contexts, including e-commerce, as industry has grappled with technical implementation.

According to Allix, new rules are needed to ensure the ethical use of data and that there is clarity over liability if things go wrong.

Allix, whose comments were published by the European Payments Council, also said consumers should "have a right to instruct their bank not to share their data with third parties", and that data should only be shared where the consumer has given their "explicit consent" – he said "nobody knows what explicit consent means in the context of PSD2" currently.

Revisions to PSD2 should also require banks to "maintain a list of all third parties that have access to the consumer’s financial data", and further ensure that consumers can grant access to their data on a granular basis.

"The consumer should be able to give his or her consent to certain types of data being shared but not all (for instance, a consumer may wish to share his or her savings account information but refuse to share payment account information)," Allix said. "When the consent is given by a consumer to a third party, the bank (as the guardian of the data) should be also informed as to which data the access agreement has been given and set up the access in conformity with the choice of the consumer."

Allix also said consumers should also have rights to cancel specific access agreements with third parties, and have their data deleted. The legal framework should ensure consumers can exercise their cancellation rights through their bank and not just directly with third parties, he said.

Payments law expert Lauren McCarthy of Pinsent Masons, the law firm behind Out-Law, said: "The Q&A highlights the ongoing tension between embracing the innovations of PSD2, and ensuring consumers are adequately serviced and protected. This tension is becoming more apparent as businesses in the finance sector increasingly embrace the potential of open banking, and as more consumers take advantage of these new services." 

"Strong customer authentication is just one layer to be grappled with. The ongoing challenge for firms is ensuring that they deliver consumer-friendly experiences, whilst also complying with the high bars set by the regulatory technical standards as well as related rules, such as data privacy laws," she said.