Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, issued the warning in light of clarifications made by the European Banking Authority (EBA) on the obligations third parties face when accessing payment account data held by banks and other payments institutions under the second Payment Services Directive (PSD2).
Under PSD2, account information service providers (AISPs) and payment initiation service providers (PISPs) were given new rights to access payment accounts, such as current accounts, and statement details, as well as other account information, held by banks and other account servicing payment service providers (ASPSPs) where customers consent to such access.
The detailed requirements on third party access are contained in regulatory technical standards (RTS) on ‘strong customer authentication and common and secure open standards of communication’. ASPSPs must either enable third party access to the data through the customer's normal online banking websites, or if one is available, through a new 'dedicated interface' (API) for that purpose. Those requirements, though, do not apply until 14 September this year.
A recent paper published by the EBA highlighted, though, that AISPs and PISPs often wish to access non-payments account data too using means other than APIs, such as through 'screen scraping', and that this can lead to them inadvertently accessing payments account data at the same time.
The EBA explained that, from 14 September, AISPs and PISPs will not be able to access payment account data by any means other than those provided for under PSD2 and the RTS. The EU authority said that it will be the responsibility of AISPs, not banks, to ensure "that they do not 'use, access or store' data that is not necessary for performing the AIS/PIS requested by the payment service user". It further highlighted the obligations both banks and third party fintechs face under the General Data Protection Regulation (GDPR) in respect of the processing of personal data.
McFadyen said: "It can be difficult for third parties to distinguish between where the information they are accessing is payment account data or other types of account information held by major financial institutions. In this context, one member of the EBA's API working group requested that the PSD2 rules be interpreted loosely to permit non-payment account data to be accessed for identification and deletion purposes. This pragmatic, but likely optimistic, recommendation has been rejected by the EBA. This will make it harder for these services to operate, which is not what PSD2 was about."
"PSD2 will have the unintended consequence of restricting fintech practices in other areas of financial services beyond its scope. This at a time when industry, policy makers and regulators are looking ahead to a potential future of open finance where data held by institutions across the financial services sector is liberated for use by upcoming tech-driven challengers. It is difficult to see how a truly open finance era can emerge if existing legislation and regulatory policy provides justification for new barriers being put up," he said.