With the implementation of the Payment Services Directive 2 (PSD2) Access to Accounts (Open Banking) in September 2019, many Financial Institutions have been working towards compliance with the regulation. They are also attempting to navigate the complexities of the new ecosystem and to understand the opportunities and associated risks of Open Banking.
One particular area of complexity, and of significant risk for Financial Institutions, is the identification of the newly regulated entities, commonly referred to as Third-Party Providers (TPPs), with whom no contractual relationship exists. TPPs, with the customer's consent, can access the customer's account(s) at Financial Institutions to collect transactional account information and to execute payment transactions (push payments).
This significantly increases a Financial Institution's exposure to fraud, risk and reputational impact. The institution must be able to positively verify the identity of the TPP and know its regulated status at the time the account is accessed or a payment is initiated. In order to mitigate these business risks, Financial Institutions need to be able to access the most up-to-date information on a TPP's regulatory status from the legal systems of record, maintained and operated by the 31 National Competent Authorities (NCAs) across the European Economic Area (EEA).
For a Financial Institution, relying solely on the EBA Register to verify the regulatory status of TPPs will have significant and far-reaching consequences. The EBA Register has been set up solely on the basis of information provided by the 31 NCAs. Therefore, unlike the NCA Registers under PSD2, the EBA Register has no legal significance and confers no rights in law. Indeed, the EBA Register does not include Credit Institutions (i.e. banks) that act in the capacity of a TPP.
By using incorrect or out-of-date information, an unauthorised or fraudulent TPP could be given access to a Payment Service User's (PSU's) accounts or financial data, or be able to execute payment transactions. Conversely, an authorised TPP could be declined access, or be unable to execute payment transactions, thereby denying the PSU their legal right to access services via a regulated entity. Both of these scenarios have business ramifications.
The impacts on the organisation would include some or all of the following: financial losses (direct and indirect), loss of customer confidentiality and confidence, and reputational and brand damage. From a regulatory perspective, Financial Institutions not only have to comply with PSD2, but also with GDPR and other financial services duties of care. Needless to say, in these scenarios the Regulators would not look favourably on the negative customer impact.
This paper discusses the data held in the EBA Registers, the issues and inconsistencies encountered, and how Konsentus Verify addresses these problems.