When the Regulatory Technical Standards (RTS) on Strong Customer Authentication and Common and Secure Communication came into force in September 2019, the ecosystem was easy to navigate. There were less than 200 regulated fintech third party providers (TPPs) and transaction volumes were low.
Today, just over three years later, the landscape is very different. The number of fintech TPPs has risen to over 550 and we’re seeing an increasing number of credit institutions choosing to act in the capacity of TPPs to remain competitive.
However, there are also many organisations, outside of the PSD2 regulatory umbrella, who, through their relationships with regulated TPPs, can access consumer data and funds (with the customer’s explicit consent).
The most well-known sub-set of these unregulated entities is called ‘agents’ and they sit between the consumer and the TPP. To access bank APIs, and therefore end-user data, they rent licences (digital identities) from TPPs.
PSD2 does lay out certain requirements for these organisations, but gaps in the legislation leave those interacting with them in the data supply chain somewhat exposed.
TPPs must provide information on the agents they are contracting with to their National Competent Authority. They should issue a separate certificate to each agent they’re working with and take responsibility for all acts and services provided by each agent. Agents in turn should make it clear to the consumer that they are contracting with an agent and should not infer that they are themselves a TPP.
Take for example a TPP that has had its regulatory permissions withdrawn. The TPP is responsible for ensuring that any certificates it had issued to its associated agents are no longer being used. But in practice, how is this managed and how does the end user know that the agent providing them with services no longer has the connected rights to perform them?
Agents themselves do not have to adhere to the regulation. It is up to each TPP to make sure that the companies it does business with are complying with the right rules and regulations. Without standardised checking processes in place, there are bound to be variances in how strictly these rules are adhered to.
Then, we come to the question of ‘passporting’. An agent may be commercially active across multiple markets but should only be providing Open Banking services in the markets for which the TPP has the requisite permissions. Identifying each part of the supply chain is, therefore, crucial to determine whether access to end-user data should be given.
The risks associated with agents have recently been identified by the European Banking Authority in their response to the call for advice on the review of PSD2, submitted to the European Commission. The EBA makes several recommendations on how to reduce some of these risks, including adding additional mandatory information on agents on the National Competent Authority Registers. This would include their registration and de-registration dates and the payment services they are authorised to perform.
‘Agents’ however are only part of the picture. There are ‘other parties’ that can be the ultimate recipient of consumer data. These are commercial customers of API aggregators. They are not regulated but can receive consumer data that ultimately comes from the banks – the data providers – through their relationships with regulated entities. The main difference from agents is that these organisations are not listed on regulatory registers and TPPs do not have to publicly disclose commercial customer names.
The wider ecosystem is now extremely complex to understand and there are many more players in the data supply chain than are accounted for in the current regulation.
These different types of unregulated entities make it extremely difficult to identify who is attempting to access the bank’s APIs and who is going to be the ultimate recipient of the payment service user’s data.
Currently, there is no way for a bank to know if the Open Banking service it is providing is initiated by a regulated TPP. An agent could be using the certificate of a TPP or a TPP could be getting data on behalf of an agent or ‘other party’.
The ultimate recipient of the data could be listed on the NCA register or not. A TPP, directly or via an agent, could be passing the data to any other non-regulated organisation.
In the current regulatory framework, this is impossible to know. To improve the visibility of onward data sharing, any recipient of data provided by a bank needs to be regulated by the appropriate regulatory body, with the bank being made aware of the recipient in the transaction details. This would enable the bank to make an informed decision as to whether allow or deny account access.
We are now likely to see regulation catching up with innovation. PSD2 set out the framework for a competitive and level playing field – it is now up to the regulators to investigate and control the expanding environment and supply chains to maintain a trusted and secure ecosystem.
In the meantime, banks can complete a comprehensive check on the presenting TPP to control and mitigate the risk as much as possible, so they continue to be the trusted guardians of their customers’ data.
This article has first been published in the Open Banking and Open Finance Report 2022. Click here to download the report.
Mike’s leadership career spans retail, banking, and technology. He was an Executive Director at Natwest Bank and RBS, heading up a group of 1,000 colleagues. Previously, he was Founder and CEO at Aconite, a global payments technology software company.
Konsentus enables financial institutions to successfully navigate changing ecosystems to deliver safe and secure data exchange in a consistent, automated, and reliable way. Our trusted data allows our 500 clients across Europe and other international markets to make informed decisions when identifying and validating those requesting access to customer accounts.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now