Following extensive growth in recent years of online banking services and online payments, consumers face a new variety of challenges, such as how to optimise management of funds, incomes and expenses, mortgages and other banking and payments services provided online by different online providers.
The development of the online payments market and online banking services is widely accepted worldwide. As was recently published by South China Morning Post, more than half of Hong Kong consumers are willing to share their financial data with third parties other than their banks, in order to gain control of their funds, and in order to improve the service they receive based on an intelligent comparison between different bank services providers – see here: https://bit.ly/2MRoucT
In the EU: The European Parliament has adopted the approach that it shall regulate open banking in the EU, by provisions specified in the Payments Services Directive 2015/2366 (PSD2), Article 66 of which relates to Payment Initiation Services and Article 67 of which relates to Account Information Services. The provisions mentioned above are also known as the “XS2A” provisions. The approach by the EU regulators can be summarised as follows:
ASPSP – Account Servicing Payment Services Provider – banks
AISP – Account Information Service Provider entities
PISP – Payment Initiation Service Provider entities
AISPs and PISPs together are defined as TPPs – i.e. Third Party service Providers
Access to bank APIs via PISPs or AISPs in the EU is limited to payment accounts that are accessible online.
In addition, it has been made clear that the provision of services by AISPs and PISPs to account holders shall not be dependent on the contractual relationship between the TPPs and ASPSPs. This means that, even if there is no contract between the bank and any specific AISP or PISP, the bank shall allow the provision of the service and access to the account via such AISP or PISP appointed by the account holder himself.
In the EU, the Open Banking API standards will enter into force on 14 September, 2019, the date from which the Regulatory Technical Standards (RTS) on Strong Customer Authentication and Secure Open Standards of Communication will apply (see the RTS published by the European Commission here: https://bit.ly/2RIRtQS).
The review of security measures under Article 3 of the RTS and the dynamic linking requirement relating to Strong Customer Authentication measures under Article 5 of the RTS will apply in the EU from 14 March, 2019.
To summarize, EU regulators recognise the existing need of consumers and are willing to provide the regulatory tools to achieve harmonisation and competitiveness between different banking services providers. The European Commission understands that account information services will provide the payment service user with aggregated online information on one or more payment accounts held with one or more other payment service providers and accessed via online interfaces of the account servicing payment service provider. The payment service user will thus be able to have an overall view of its financial situation immediately, at any given moment.
In addition, the European Commission recognised the important role of payment initiation services that enable the PISPs to provide comfort to a payee that the payment has been initiated, in order to provide an incentive to the payee to release the goods or to deliver the service without undue delay. The European Commission recognised that such services offer a low-cost solution for both merchants and consumers, and provide consumers with the option of shopping online, even if they do not hold a payment card of a specific kind.
Therefore, the European Commission decided to cover these types of service in PSD2, to provide consumers with adequate protection for their payment and account data, as well as legal certainty about the status of AISPs and PISPs.
In the USA: Regulation in the field of open banking is still under consideration. The U.S. Department of the Treasury recently published a report entitled ‘A Financial System that Creates Economic Opportunities: Nonbank Financials, Fintech and Innovation’, relating specifically to consumer access to financial account and transaction data. The report recommended that the Bureau of Consumer Financial Protection affirm that third parties properly authorised by consumers, including data aggregators and consumer fintech application providers, fall within the definition of “consumer” under the Dodd-Frank Wall Street Reform and Consumer Protection Act and be permitted to access financial account and transaction data (see here: https://bit.ly/2wyiyxJ).
The current approach in the USA does not obligate banking services providers and financial services companies to open their APIs to designated Third Parties, as is accepted in the EU, but rather prefers that the private sector resolve the matter, as seen in the following recommendation:
“Treasury sees a need to remove legal and regulatory uncertainties currently holding back financial services companies and data aggregators from establishing data sharing agreements that effectively move firms away from screen-scraping to more secure and efficient methods of data access. Treasury believes that the U.S. market would be best served by a solution developed by the private sector, with appropriate involvement of federal and state financial regulators. A potential solution should address data sharing, security, and liability. Any solution should explore efforts to mitigate implementation costs for community banks and smaller financial services companies with more limited resources to invest in technology.”
We face a time of regulatory change in the EU, change that will be closely reviewed by the rest of the world as other countries consider whether or not to adopt a similar approach and to enter into a regulated world of open banking.