HEL Tech, a monthly tech meeting hosted in Helsinki by enthusiastic students, was once again held at Clarion Hotel on Monday 6 August 2018. The topic of the meet-up was open banking, and HEL Tech fittingly hosted many start-ups and tech companies, as well as established operators. With the theme being open banking, the new Payment Services Directive (“PSD2”) was one of the main discussion points of the meeting. PSD2 regulates the provision of payment services in the European Economic Area (the “EEA”), and the new rules recently introduced by it are expected to revolutionise the European payment services market.
PSD2 and New Service Providers
PSD2 became applicable in Finland on 13 January 2018 pursuant to the national implementation of PSD2 by amending the Act on Payment Services (290/2010) and the Act on Payment Institutions (297/2010). In a nutshell, the core change brought about by PSD2 is that customers, both consumers and businesses, can use third-party service providers to manage their finances. The goal is to increase competition and to bring players other than just traditional banks to the payment services markets by boosting and encouraging innovation, especially in the field of retail payments. This is made possible by compelling banks to open up their client account interfaces and information to third-party service providers, provided that the client has given their explicit consent to this.
The third-party service providers to which banks must provide access are categorised as Payment Initiation Service Providers (“PISPs”) and Account Information Service Providers (“AISPs”). Broadly speaking, payment initiation services (“PIS”) are online services accessing a customer’s payment account in order to initiate the transfer of funds on their behalf with the user’s consent and authentication. Account information services (“AIS”), in turn, refer to services that make it possible for the customer to get an overview of the accounts and their balances that are at their disposal.
Unlike under previous legislation, PISPs and AISPs are now considered payment service providers falling under the scope of the new PSD2 rules. PIS and AIS can be provided by fintechs and other tech companies, but also by traditional banks. PISPs must hold a payment institution license to carry out payment initiation services, but AISPs enjoy a more lightweight regime, as they only have to notify their services to the Finnish Financial Supervisory Authority, which then registers the AISP. AISPs (as well as PISPs) are, however, subject to certain regulatory requirements stemming from PSD2 and the General Data Protection Regulation (the “GDPR”), discussed in more detail below.
Traditional Banks and PSD2
Indeed, extending the scope of payment service legislation to PISPs and AISPs and compelling banks to open up their client account interfaces to third-party service providers inevitably leads to the emergence of new service providers and innovative ideas for new services for customers.
However, there has not been a flood of new services to the market yet, even though PSD2 entered into force more than six months ago. The deployment of PIS and AIS requires banks to build new interfaces enabling the services to access account information and initiate payments. Pursuant to PSD2, the Commission has adopted new regulatory technical standards (“RTS”) with safety requirements for these interfaces, but they will not become applicable until 14 September 2019. During this transition period, although AISPs and PISPs could provide their services under the new regime, banks are not obligated to implement the required security measures, which are necessary to enable the provision of PIS and AIS, until mid-September 2019.
However, the transitional period does not prevent banks from opening up their interfaces before it ends, and, for example, a few banks in Finland have already opened a beta version of their interface for the development of new services and cooperation. To sum up, a great deal of planning and development of new payment services is underway with fintech and other technology companies, and some new services and applications have already come out.
Ultimately, in the near future, we will see a tremendous change and new variety of available payment services. This may include new applications that can visualise the user’s account information in new user-friendly ways, allow users to make easier payments with more stable functionality, and monitor and make projections on personal spending. Although the third-party service provider using a bank’s interface can be another bank, it seems safe to say that the emergence of new operators with competitive new ideas for services will significantly alter the financial services industry. The change may weaken the superior position of traditional banks in handling payments and providing other payment services, especially if the new emerging service providers are able to provide top-notch services.
Still, it is unlikely that the role of banks would be diminished to that of maintaining accounts. Banks already have their own PIS and AIS that customers are using, such as the Pivo application in the case of OP Bank, which was represented at HEL Tech in August. All in all, joint efforts and cooperation between banks and fintech companies could be a viable option under the new legislation.
PSD2 and GDPR
New services and service providers will naturally have to consider the regulation and requirements imposed on them. The fact that account information is being opened to third-party service providers should, especially, catch the eye of those aware of the essential requirements of GDPR on the privacy of bank clients. Although the balancing and coordination of GDPR and PSD2 have been conducted when drafting the relevant laws, some interesting points have been made about their overlapping features.
Both instruments aim to keep information safe and secure, and they promote customers’ control of their own data. According to GDPR, the processing of a bank’s customer’s personal data must always have a legal basis, which can, for example, be consent, a legitimate interest, or a legal obligation. Regardless of the choice of legal basis under GDPR, PSD2 requires that there must be explicit consent from the customer for giving access to third-party service providers.
Furthermore, service providers should note that both regimes impose separate obligations of reporting incidents to customers and authorities: GDPR requires reporting personal data breaches and PSD2 imposes an obligation to report operational or security incidents. Both sets of reporting obligations must be met by banks as well as third-party service providers, i.e. PISPs and AISPs.
Hannes Snellman and Open Banking
The August HEL Tech meeting and this article merely scratch the surface of the revolution going on in the field of open banking. The PSD2 regime should be viewed as an opportunity for all operators, including traditional banks, technology companies, and consumers alike. Our IP & Technology and Finance teams at Hannes Snellman regularly assist different types of operators in matters relating to technology (including fintech), GDPR, and PSD2. Do not hesitate to contact us!
Hannes Snellman is HEL Tech’s main co-operation partner in 2018.
Associate Trainee at Hannes Snellman
Associate at Hannes Snellman