Interview with Jose Manuel Campa, European Banking Authority, Chairman.
This interview took place at the Paris Fintech Forum, January 2020. It was moderated by David Parker, Polymath Consulting. With special thanks to Laurent Nizri. Founder & CEO Paris Fintech forum.
Read the full transcript below:
DP: Let’s talk about PSD2 Open Banking. The EBA database has a disclaimer on the front of it. It doesn’t cover Credit Institutions. What’s the purpose of the EBA database? We’ve seen a lot of stuff out there saying you only need to check the eIDAS certificate; other people are saying you only need to check the EBA database; other people are saying you need to check source data. What was the purpose of the EBA database and what’s the role?
JC: The EBA database – First of all it’s a mandate that we have from the legislation, from PSD2. We had to create a database. It’s a database and what it does is provide information, as you said, it provides information on payment institutions. Not on all of them, because the banks, credit institutions – are a different registry for banks – which is also on the EBA.
Second, which I think is also important, is that we aggregate the information. The ones that are responsible for collecting the information, keeping the information updated and up to date, are the National Competent Authorities of the 28 countries of the Union – so, that’s where the disclaimer comes from. The disclaimer comes mainly from that part and from that fact that, (you know), – what we do. We have […] an effective system in that they report to us and that we publish it all aggregated at the EBA database.
As of today, most National Competent Authorities report it automatically, but not all of them. Some of them report it manually, with a frequency that for the manual ones is daily, but in that sense it’s not really an on-time database and I think it’s important to clarify that it’s not a commercial service. We don’t offer this on a commercial basis. It’s to fill a mandate on transparency which I think was important for the legislators.
JC: No. It’s not a commercial offering, it’s an information provider and, as I say, we are even just adding in information. The real reliable information is at the NCAs.
DP: So, just repeat back what you said. The really reliable information is at the source NCAs. And is that what banks, what ASPSPs should be relying on – the source data?
JC: Well, I think that in general yes, because that’s the legal requirement. They are the ones that have the updated data. As I say, we have a system that is very efficient in the sense that, all of them report to us but not all of them automatically. And, to the extent that their databases are correct, then our database will be accurate if it’s reported automatically. But the responsibility for being accurate relies on them. And, as I say again, for a number of them, as of today it’s still reported manually on a daily basis so it’s not in real-time.
JC: I think that’s an important aspect. Regulation is by definition things that people are expected to comply with, and they’re required to comply with to operate in business. If not they are subject obviously to fines of different kinds or even more [severe] actions. Reputation is an issue that has to be managed by organisations as they engage in business with their customers and with their stakeholders. Of course, part of that reputation, a very important part is fulfilling regulatory requirements. It’s a must to be in business but not the only part of the reputational aspect.
JC: Well, that’s fair to say, but let’s keep track on this okay. PSD2, a big component of what it was doing was trying to provide adequate access, security, and faster innovation. And those are the three basic pieces of the PSD. At the time the PSD was put forward, it was important to make sure that there was adequate access, so that the Third-Party Providers could have adequate access and some of these mechanisms are built to enhance that adequate access. But that’s not the only mechanism that’s in place, there are other mechanisms that need to be in work as well, which is security and adequate customer relationships. So, the two things that you’re pointing to, the eiDAS and the database, are to provide information to facilitate access. But it’s not the only pieces of regulatory compliance to start with and it’s not the only pieces in which business should be engaging with as I said, there are other reputational aspects that are very important for them.
DP: Okay, and you raise a very interesting point about security, risk. Fraudsters are good business people aren’t they?
JC: Well, they’re very good at their business unfortunately for many of us and I think that’s something that we need to be concerned about. And it’s not just on the payments world, but broadly speaking. At the EBA we have been very much engaged and very much concerned about the interaction between technology, changes in the landscape of players. If I might say, the difficulty of identifying boundaries, both cross-border clearly, cross-sectoral as well, sometimes here within the value-added chains. The value-added chains are breaking, so there’s outsourcing out of that. For us broadly speaking there are three fundamental concerns which [are]: operational resilience of the system, crime prevention, and financial instability. And those are three aspects in which we want to make sure that, as we move towards a new landscape or new framework for innovation for activities for performance services to clients, those three things are preserved.
DP: I’d like to move a little bit on because PSD2 Open Banking officially kicked off September 14th last year. Except for the FCA in the UK said we’re not going to enforce it for six months. The Danish regulator said, no you’ve got to start it straight away and we haven’t really heard a lot from the rest of the NCAs around Europe. It seems to me that no-ones really enforcing PSD2 Open Banking and I’m going to say, as an environment, a lot of people are saying ‘well do you know what, it’s coming but, who’s enforcing it? No-one’s going to be checking on us.
JC: Well I think that’s absolutely wrong, if I may say so. I think that what’s absolutely right, and you were right is two things:
1) Is in that the regulation came into effect September 14th, so from the legal point of view there is absolutely no doubt – the regulation is in place and it needs to be complied with.
It is also true that in particular aspects of the implementation of PSD2, you know, one of the ones that you’re referring to, another one, for instance, is the SCA, which given the solid granularity of the implementation of this across the board and the challenges that were put forward, we are still going through a little bit of a transition period in which National Competent Authorities, as they are slowly trying to make sure that we preserve something that is very important with the PSD2 which is the trust by customers in the ability of the existing technology and the existing regulation to provide payment services that are reliable, secure, massively so, that they would use it.
So, the alternative is to generate the perception that they are not secure, not reliable, and not cost-effective and we end up having no official payment services.
So in that process, it is true that National Competent Authorities, and we’ve been looking at them and we’ve been working with them, to make sure that they look very carefully at the transition plans, you know that they balance this possibility that some people, some providers, in the NCAs, in some particular industries or merchants may have difficulties in implementing 100% but those sort of plans have to be in effect, have to be effective on the Third Party Providers.
My expectation is by the end of the first quarter all this transition should be finished. In the NCA we issued an opinion saying no transition plans should go beyond the end of this year. But, of course, our expectation is that the National Authorities will look into this carefully, will enforce it, and will be checking that they do it.
DP: Just repeat back to be clear. Your expectation is that the end of this quarter, local NCAs should be starting to enforce PSD2 Open Banking and are you checking that yourselves and what the NCAs are doing?
JC: We will be working with NCAs to identify gaps. We have powers, we have tools we have mechanisms to ensure enforcement. The enforcement, first of all of course, is on the obligated entities, whoever is the payment service, or the Third-Party Provider or whoever it is. After the obligated entities, the NCAs have the obligation to make sure that the obligated entities comply and they follow actions to make sure they comply with any remediation plans and we have the mandate to make sure, to work with the NCAs, that compliance is effective, the way that compliance is effective across the 28 markets of the European Union.
DP: So, by Q2 you would expect NCAs to start to be active, in actually making sure that we’re moving ahead with PSD2 Open Banking?
JC: I would say I expect them to be already active on that, making sure that we are moving ahead. Now, I expect that I understand, that some of them have indicated that they’re following very closely the transitional plans of those entities that are still are not able to comply and those transitional plans will be done by March, so that by March everybody should be able to comply and if they are not complying I would say the honeymoon period is over, yes.
JC: On that part, yes. On SCA, we indicated because the technology challenges there are different, the peculiarity of all general sectors of the economy, we indicated that the transitional aspect will continue until year end.
DP: Ok, I think that you couldn’t be clearer on that. I think that was really useful to get us a clear statement on that. In terms of hindsight though, I’m going to ask you a little cheeky question here. You published the Regulatory Technical Standards; they weren’t technical and they weren’t a standard. Should they have been more of a technical standard?
JC: I appreciate your play on words. If I may answer from my perspective, they were quite technical. I am really not sure I understand them! And the issue of the word ‘Standard’ or not, I think this is……
DP: Well we have nine standards in Europe now…..
JC: But that’s fine, that’s absolutely true, I mean, if I was going to have to pick a standard as a regulator I’d be totally killed, probably because more often than not I would pick the wrong standard! You know, so the question is, it’s not the role of regulators to pick standards, unless in those cases where there are issues as I have said before that are of fundamental or financial instability, or lack of competition or some kind of safety.
DP: So should it be….
JC: Let me just finish. There are many instances in regulation which will have different standards cooperating and it’s part of the market dynamics and I actually take it to be positive, the fact that we didn’t set a standard or as you say it’s ‘non-standard’.
We did set minimum requirements that the standard should work with. And we have interacted with some of these operators and we see that there are a number of them operating right now and I am happy that that happens. I think that that’s a desire. When we talk about regulatory, we always talk about desirable outcomes and non-desirable outcomes. In this part, I would put it in the category of desirable outcomes.
JC: As long – exactly… because the guidance [is] not prescriptive on a unique standard. They require certain standards – certain requirements, if I may say – certain requirements that any standard should comply with.
DP: So multiple operating standards in Europe is a desirable outcome of the market interpreting the guidance?
JC: Well, I think that it’s important. You ask me who should set Open Banking. I also have the same question. I should ask you that question. What is Open Banking?
DP: I think that’s really helpful. In terms of many people have said PSD2 Open Banking hasn’t really taken off yet, it’s growing but it’s not really [.… ]. Who do you see has the role of promoting and explaining to the end users what Open Banking is? Is it the regulators? Is it the end fintech providers? Is it the Banks? One of the people say to me, when we launched contactless cards, the schemes put a lot of money into explaining it. Now it’s a very fragmented value chain and therefore there’s no-one to really drive the explanation, other than the EBA who’s ultimately created it.
JC: What data?
DP: What is Open Banking? [It’s] the ability to access data
JC: Which data? I mean, I think that the PSD2 has helped us and has clarified what Open Banking means in the area of payments which is that we have the ability to access transaction data – that’s fine. That is what we are responsible for, that is what we’ve done. In that part, I think that Open Banking has progressed. I know it takes time to implement it. I think that for accessing other sorts of data, then the regulatory framework is not there.
DP: Right
JC: At least at the European Union level, the national authorities that have been working on maybe providing more access to that types of data. I could go as far as you want – I could talk about demographics data, the finance industry has demographics data, has transaction data, has investor data, has rich profiling data, has many other kinds of information. So far, the regulation at the European level has gone to transaction data – for payments. That’s the part in which PSD2 has progress, where we have responsibilities. That’s the part I think in which we’ve made some progress, I hope – and we’re in a discussion as other areas maybe become part of the discussion, towards this idea of Open Banking, then other regulatory frameworks may come forward, there could be other authorities that may be engaged in this process and that they benefit from our experience as we go through the transaction data provision, that would be helpful.
But in the end, as I say, when we talk about Open Banking, I think that part of the challenge that we have is that no clarity of what it is exactly that people mean when they think about Open Banking. So far from the regulatory point of view within Europe, it’s transaction data.
DP: Customers’ data
JC: Well a couple of years in a regulatory framework is a short timeframe. In innovation, I understand it’s a lot, it’s a very long timeframe.
But basically, for me, the key component will be PSD2 as an application. You know, this first part of our conversation about making sure that people have clarity on how to comply, what to comply, what the requirements are – that should be out of the picture. We should have absolutely no doubt on what PSD2 means, and that means in terms of compliance.
As we go through the process, I am hoping that three other things can be accomplished at the same time:
That we maintain the level of trust and usefulness that people have on how well our payment systems work. That’s priority number one. Because if we don’t get that one, we’ll not get a payments industry.
The second one is that we maintain an environment in which we can be comfortable that there [are] competitive dynamics that are constructed so as to make sure that they provide adequate services to the customers, wherever the technology, wherever the player is – adequate service to the customer at [much better terms] as we go ahead. That’s the second aspect.
The third aspect is that as we go through this process and we develop technologies, we develop new ways of interacting, we develop new players, we’re not hampering on the three aspects that I mentioned before which is: operational resilience – operational resilient states – that we have safety in the system and that we’re avoiding loopholes that foster financial crime. Particularly AML or aspects of crime.
DP: So, looking ahead a couple of years, which isn’t that far away. Forget five/ten years away, just a couple of years. What would your vision be, or what do you believe we’ll be seeing out in the marketplace around PSD2 Open Banking, and in particular, payments, because this is the payments stream? So, how would you see PSD2 Open Banking affecting payments over the next couple of years?
JC: Thank you very much for inviting me. It’s a real pleasure.
DP: And with that, I’m very conscious of your time. Thank you very much for your time, Sir.
