Clare Haskins, SVP Commercial, Konsentus, discusses the key issues that have caused customer data to be shared with third parties who lack (or have lost) the required permissions, as well as third parties whose access requests have been denied in error despite the required permissions being held. Clare talks through some best-practice measures to safeguard customer data, minimising risk and disruption to the customer experience.
Hello, I’m Clare Haskins from the Konsentus group, and under PSD2 Open banking regulation, I’m going to talk about when compliance simply isn’t enough.
So let’s start with talking about what it means to be compliant. The first thing is that every Third Party Provider requesting access – the TPP – needs to be identified, and the mechanism for that identification is a certificate. The certificate standard is X.509, and the name that is used across Europe is the eIDAS certificate. Together, those provide a simple and straightforward mechanism for identification, but at the same time, a financial institution has some obligations that they’re not allowed to deliver.
So they mustn’t create any obstacles or friction or delay in the user experience journey. In fact, it has to be as seamless and quick as a consumer connecting to their banking apps. And critically, they are not allowed to refuse access unless they are absolutely sure and can evidence that that third party is either unauthorised or fraudulent. Quite a challenging job!
Recently, the EBA provided a number of recommendations. The European Banking Authority (EBA) was asked to review the regulation and the legislation of PSD2 and to see how it was getting on – that was at the request of the European Commission – and they’ve identified a number of gaps or issues that can be improved in order to close that risk and that business exposure that’s been created.
So across Europe, there are over 115 databases – National Competent Authority (NCA) records. That’s more than one per country, of course, and that brings huge complexity in terms of harmonised data – so consistency, data labels, formats. It also provides issues in the consistency of updates. There are no rules or standards for how often or what information has to be updated, so there is no single central record that can be relied on.
Very importantly, particularly across Europe, the reliability of passporting information. So the certificate – the eIDAS – holds a number of permissions. Firstly, they’re only good at the point of issue, but secondly, they are only relevant to the domestic market. And we see that permissions are very often different across the various markets of the EEA. So going back to the home register of that third party for their passporting information is really key.
As we said before, you have to be absolutely crystal clear to refuse access, so the evidence to give access is just as important as the evidence to refuse access. And this is all because those financial institutions hold that duty of care – the responsibility for data control, and the liability of payment transactions. So understanding a truly complete picture that’s current and relevant, that covers all of the information that they require and includes not only those fintech TPPs, but also the credit institutions that are operating across the same footprint, is really important. This all comes back to frequency of updates and being able to access this information from its official system of record in real time. So protection without obstacles is about verifying identity and current authorisation through machine-readable, automated systems in real time, and possibly through a central mechanism to achieve that.
So in summary, some of the best-practice steps…
A number of financial institutions have felt the need to introduce an onboarding process and registration, in order to capture the additional data that they need for comfort. Closing those gaps will remove the need and therefore take away that illegal or non-conformant onboarding. Critically, separate the concept of identity from permission and use certificates – of course, very valuable – for identification and securing communication channels between the TPP and the financial institution stacks, because remember, this is all an automated systemic process. And only ever take permission of status for authorisation from the official system of record and in real time. Together, that means no friction or delay, maximum accuracy and therefore minimum risk for the financial institutions’ liability, and always the appropriate level of evidence in the event that they need to deny access either through inappropriate permissions or indeed a fraudulent attempt.
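One way to encode the rule above (identity from the certificate, permission only from the official register, queried in real time, with evidence for any refusal) as a decision check. This is an added example, not Konsentus code; the authorisation number, the register fields and the sample data are constructed, and the certificate fields are assumed to have been parsed already.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class CertIdentity:
    """Identity fields read from the TPP's eIDAS certificate (constructed values below)."""
    authorisation_number: str   # subject organizationIdentifier, e.g. "PSDXX-NCA-000123"
    roles: frozenset            # PSD2 roles asserted at issue time (PSP_AS, PSP_PI, PSP_AI, PSP_IC)

@dataclass(frozen=True)
class RegisterRecord:
    """What the home NCA's official register returned for that authorisation number."""
    authorisation_number: str
    status: str                 # e.g. "authorised" or "withdrawn"
    home_state: str             # home member state (country code)
    permitted_roles: frozenset  # roles the register permits right now
    passported_to: frozenset    # member states the TPP has passported into
    retrieved_at: datetime      # when the register was actually queried

def decide(cert, record, requested_role, market, now, max_age=timedelta(minutes=5)):
    """Return (allow, evidence): identity from the certificate, permission only from the register."""
    if record is None or record.authorisation_number != cert.authorisation_number:
        return False, [f"no register record matches certificate identity {cert.authorisation_number}"]
    if now - record.retrieved_at > max_age:
        # A stale snapshot is not the system of record: neither allow nor deny on it.
        raise ValueError("register lookup is stale; re-query the official register")
    evidence = [f"identity {cert.authorisation_number} matched register at {record.retrieved_at.isoformat()}"]
    if record.status != "authorised":
        return False, evidence + [f"register status is '{record.status}'"]
    if requested_role not in record.permitted_roles:
        # The certificate may still carry the role: it was only true when the certificate was issued.
        note = " (certificate still asserts it)" if requested_role in cert.roles else ""
        return False, evidence + [f"role {requested_role} not permitted by register{note}"]
    if market != record.home_state and market not in record.passported_to:
        return False, evidence + [f"{record.home_state} entity is not passported into {market}"]
    return True, evidence + [f"{requested_role} permitted in {market}"]

# Constructed sample: the certificate still lists PSP_PI, but the register has since withdrawn it.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
CERT = CertIdentity("PSDXX-NCA-000123", frozenset({"PSP_AI", "PSP_PI"}))
RECORD = RegisterRecord("PSDXX-NCA-000123", "authorised", "IE", frozenset({"PSP_AI"}),
                        frozenset({"FR", "DE"}), retrieved_at=NOW - timedelta(seconds=30))

if __name__ == "__main__":
    for role, market in [("PSP_AI", "FR"), ("PSP_PI", "FR"), ("PSP_AI", "ES")]:
        allow, evidence = decide(CERT, RECORD, role, market, NOW)
        print(role, market, "ALLOW" if allow else "DENY", evidence)
```

The evidence list is what an institution would keep alongside each grant or refusal, since a refusal has to be evidenced just as an approval does.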
Thank you for listening.