PSD2 Open Banking - Is being compliant enough to protect your customers?

Mar 13, 2020
Posted by: Brendan Jones


As the Financial Conduct Authority (FCA) stated in their recent bulletin, the 14th March is the final date by which United Kingdom Financial Institutions (ASPSPs) must ensure their systems are compliant with Article 31 of the SCA-RTS.  This means that they must have in place a PSD2 compliant way to provide TPPs with access to account data and payment functionality.  This can either be through a dedicated API or a Modified Customer Interface.

The requirements also include an obligation to ensure that TPPs can identify themselves using their eIDAS certificate.

Whilst these obligations focus on the compliance elements of the regulation and potential enforcement action that might be taken, what’s perhaps more important to highlight is the access to financial data that TPPs are being given and what steps Financial Institutions are taking to ensure they protect their customers.

What we have seen through the Konsentus TPP tracker is that TPPs are approved to operate in all 31 EEA countries.  Double digit growth in TPPs being approved for services was seen between November and January and again from January to March. This is surely set to continue as consumer demand for frictionless, secure payment experiences continue.

For Financial Institutions to ensure they are they are only passing on customer data to known and regulated TPPs, manual checking is not an option and, with TPPs operating across multiple borders, knowing how to interpret the latest available source data is paramount. In the UK, there were over 321 million Open Banking transactions in January – an average month on month increase of over 30%.  With ‘Open Finance’ and ‘Open Data’ becoming a common discussion tread, surely the upward trajectory we are seeing in the UK will soon be replicated across the rest of the EEA.

So how can Financial Institutions make sure they are doing more than being just “compliant’ and ensure they aren’t exposing their customers to unnecessary risk and potential fraud?  It’s not easy. The “Tricky Encounter”, written in conjunction with Norfico, highlights the complexities of the interactions between the various players in the ecosystem. 

Being able to identity a TPP at the time of a transaction request and confirm its current regulatory status is paramount to protecting customer data.  There are 31 NCAs across Europe with 115+ registers containing information on TPPs’ regulatory status, over 70 QTSPs who can issue eIDAS certificates and of course the EBA registers.  It’s only by having a complete picture of the latest information across all these data sources, and knowing how to interpret the information presented, that Financial Institutions can be confident that they can make informed risk management decisions.  

The ‘Tricky Encounter’ takes a deep dive into the interactions between the players in the ecosystem highlighting potential issues and concerns.  The quick checklist however identifies the top 5 issues Financial Institutions need to consider when protecting themselves from potential fraud and financial and reputational risk.

 

  1. Ensure communication is secure. All communication between the TPP and the ASPSP should be encrypted using Mutually authenticated Transport Layer Security (MTLS) based on eIDAS QWACs.

 

  1. Check the identity of the TPP. Check that the TPP identity corresponds with the information given in the eIDAS certificate and that the eIDAS certificate is current. In addition, check that the certificate has been issued by an approved PSD2 Qualified Trust Service Provider (QTSP). 

 

  1. Check the regulated status of the TPP who wants to communicate with them. Use the authorisation number of the TPP from the eIDAS certificate to verify the regulated status of the TPP on its home NCA register. There are 31 NCAs and each NCA might have multiple registers (e.g. credit institution register, EMI register, Payment Institution register), all of which contain information of entities acting in the capacity of a TPP. There are over 117 different registers across the EEA. Check the TPP is on the register, what its current regulatory status is and the payment services it’s authorised to provide.

 

  1. Check the function/action the TPP is requesting is consistent with their regulated permissions. Is the service the TPP is requesting (e.g. access to account data or initiate a payment) consistent with the payment services they have been authorised to provide, e.g. Account Information Services (AIS) or Payment Initiation Services (PIS)?

 

  1. Validate the TPP has got the customer’s explicit consent to access the account or initiate payments on their behalf. Check directly with the customer that the function the TPP is asking to perform has been explicitly consented to by the customer using Strong Customer Authentication (SCA) mechanisms. 

 

Whilst the compliance obligations should not be ignored, surely the stakes are much higher when it comes to customer data and preserving brand reputation?

Read more about the about the connections between Financial Institutions and Third Party Providers under PSD2