Mar 13, 2020
Posted by: Brendan Jones
As the Financial Conduct Authority (FCA) stated in their recent bulletin, the 14th March is the final date by which United Kingdom Financial Institutions (ASPSPs) must ensure their systems are compliant with Article 31 of the SCA-RTS. This means that they must have in place a PSD2 compliant way to provide TPPs with access to account data and payment functionality. This can either be through a dedicated API or a Modified Customer Interface.
The requirements also include an obligation to ensure that TPPs can identify themselves using their eIDAS certificate.
Whilst these obligations focus on the compliance elements of the regulation and potential enforcement action that might be taken, what’s perhaps more important to highlight is the access to financial data that TPPs are being given and what steps Financial Institutions are taking to ensure they protect their customers.
What we have seen through the Konsentus TPP tracker is that TPPs are approved to operate in all 31 EEA countries. Double-digit growth in TPPs being approved for services was seen between November and January and again from January to March. This is surely set to continue as consumer demand for frictionless, secure payment experiences continues.
For Financial Institutions to ensure they are only passing on customer data to known and regulated TPPs, manual checking is not an option and, with TPPs operating across multiple borders, knowing how to interpret the latest available source data is paramount. In the UK, there were over 321 million Open Banking transactions in January – an average month-on-month increase of over 30%. With ‘Open Finance’ and ‘Open Data’ becoming a common discussion thread, surely the upward trajectory we are seeing in the UK will soon be replicated across the rest of the EEA.
So how can Financial Institutions make sure they are doing more than being just “compliant” and ensure they aren’t exposing their customers to unnecessary risk and potential fraud? It’s not easy. The “Tricky Encounter”, written in conjunction with Norfico, highlights the complexities of the interactions between the various players in the ecosystem.
Being able to identify a TPP at the time of a transaction request and confirm its current regulatory status is paramount to protecting customer data. There are 31 NCAs across Europe with 115+ registers containing information on TPPs’ regulatory status, over 70 QTSPs who can issue eIDAS certificates and of course the EBA registers. It’s only by having a complete picture of the latest information across all these data sources, and knowing how to interpret the information presented, that Financial Institutions can be confident that they can make informed risk management decisions.
The ‘Tricky Encounter’ takes a deep dive into the interactions between the players in the ecosystem, highlighting potential issues and concerns. The quick checklist, however, identifies the top 5 issues Financial Institutions need to consider when protecting themselves from potential fraud and financial and reputational risk.
Whilst the compliance obligations should not be ignored, surely the stakes are much higher when it comes to customer data and preserving brand reputation?
Read more about the connections between Financial Institutions and Third Party Providers under PSD2,