When the European Union’s Payment Service Directive 2 (PSD2) comes into force in January 2018, two third-party payment services, Payment Initiation Services (PIS) and Account Information Services (AIS), will be made subject to regulation for the first time.
Jörg Howein, chief product officer at solarisBank sat down with Frank Müller, partner at law firm Aderhold and co-founder of the blog PayTechLaw, for a fireside chat to discuss the implications of the new regulations.
With PSD2 coming into force in January 2018, can you talk a bit about what will change in terms of the services that will be regulated?
Eight payment services are regulated in the sense that, if you provide them, you must have a license. The account information service and the payment initiation service are the two new ones that have been added. And the blueprint, the reason for regulation — and this is in the legislation documentation — were actually SOFORT and iDEAL.
Right, the Dutch payment platform, iDEAL, and the German payment method, SOFORT, which are increasingly popular in Europe. Under PSD2, is there a level of regulation of payment initiation services that is different than before?
Well, the framework is basically the same. That is, the same provisions apply to all eight payment services, with some exceptions. Under civil law, there are of course different rules for the individual payment services, but the regulatory framework is basically the same. This means that — whether you apply for a license as a money remittance service provider, or as a payment initiation service — the seven payment services, with one exception, the account information service, require that you apply for a license. The account information service “only” requires registration.
Do the new services also have to be compliant with anti-money-laundering measures? Are they subject to the Money Laundering Act?
According to the current situation, it appears that, if nothing is changed, they do fall under these requirements. Why? Because all financial institutions are required to be compliant with the Money Laundering Act, and accordingly, obligated to carry out KYC processes. And account information services and payment initiation services are now also defined as payment services, and therefore also obligated to be compliant with the Money Laundering Act. Whether that makes sense is a topic of heated discussion.
You mentioned account information services — that’s actually ancient. When I think back to my studies, StarMoney and similar software was really a type of account information service.
Yes, the two new players SOFORT and iDEAL — their numbers simply grew. Just as with all of the other payment services that were originally monitored by PSD1, regulators simply saw that, oh, something’s going on here. This SOFORT service was a real success story. It closed a gap in the market, and was a tremendous success. And the time was right — here again consumer protection is brought into the equation — because, as we know, they don’t handle any funds. A payment initiation service merely says: Look, give me your user credentials, I will submit them, and then I will monitor it. And then I say: Look, merchant, I noticed that he made a payment order, the credit transfer is on its way, you can already dispatch the package. That’s what they did. They don’t handle any funds — but of course they have access to sensitive data.
This was why the regulators made it part of the PSD2?
They saw that this had become huge. Sensitive data was being passed around, other data, too, and the need arose: Wow, we have to monitor these guys, too. The same thing with account information.
Are there regulations on the protection of this data that the providers have to adhere to?
There are many rules, especially the European General Data Protection Regulation. There are many, many issues, where we currently have no idea how we are going to solve them, because there are lots of contradictions between the PSD2 and the General Data Protection Regulation that haven’t yet been solved.
Regarding this topic of data protection in the context of account information services and payment initiation services: There was a recent article in Germany’s BILD newspaper with a big headline: “PSD2: Dangerous! Data gets lost!”
That was of course a very sensational headline. It caused a huge panic reaction, which was completely beside the point, in my opinion. Because we are constantly dealing with the question: Who does this data actually belong to? If I am your customer at your bank, does this data belong to you? Or, after all, don’t I have data sovereignty? After all, this is my data. And if the customer says: I actually want a payment initiation service to get my data, because your payment product is not actually what I was looking for — he can do that. And PSD2 has now created the framework for this.
The debates about the account information service providers and the payment initiation service providers are really dragging out. What issue is at stake here?
The issue here is the Regulatory Technical Standards for strong customer authentication. The background is: PSD2 created certain rules that in particular introduced the annoying two-factor authentication process for payment service providers. The European Banking Authority was given the task of developing these standards. They should have clarified this by 13 January 2017. What happened? There were various disputes, but the main point of dissension was that the EBA prohibited so-called “screen scraping” in these Regulatory Technical Standards.
Can you talk about screen scraping in a bit more detail?
Basically, this is a technical process that gives me access to the account, so to speak, without having to go through a dedicated interface, an API. The service providers, of course, depend on it. And they wouldn’t be allowed to do it anymore. And why is this a problem? The banks must provide “access to account.” The EBA then said: Screen-scraping is dead. That is of course good for the banks, because they say that screen scraping is also probably risky, from a technical point of view. Accordingly, it is riskier than if I do it using an interface. At least that’s what they say.
Why is it such a big issue?
If something goes wrong for this service, at the payment initiation service, the bank is initially liable. It can still take recourse against the payment initiation service, but initially they are primarily in the line of fire. And they then say: Great! Now I have to open up my interface for somebody and I don’t even have any control over him. Thanks a lot, regulators! And then I get to be liable afterwards, when something goes wrong. And then the other side says: I need a bit of transition time, so I can program my interfaces. So I can adapt my processes. And if they aren’t operational, because the interface happens to be on the blink, then I at least need a fallback solution so I can do screen scraping in such a case. That’s the dispute.
And how is it being dealt with?
A compromise has been reached that screen scraping will be permitted for a while yet. The payment initiation services have a bit of time, on the one hand, to implement this whole thing technically, and may screen scrape, and the banks have time to attain this standard. In practice, of course, this doesn’t solve any problems, because who will monitor this? Who will check that they have these interfaces, this standard? Who monitors that the institute still has this standard in three or four months? Accordingly, there are many issues that are still unresolved.
What will change in terms of account information that is accessible to third parties?
Users no longer have only one account; rather they can have several, at either one or several financial institutions. And I can get consolidated information about the account. There are all sorts of data in there, including personal data, also data subject to data protection provisions that naturally give me certain information on the individual. That is, give the information to whoever is providing the service, in this case the account information service provider. And, again, consumer protection authorities enter the picture. They say: Wow, they know quite a bit! If the provider knows about three or four of the user’s accounts, it can deduce a fair amount from that information. There is also a relatively large chance of data abuse, and that’s why we have to rein them in a little bit, and create a regulatory framework.
This interview has been edited and condensed for clarity.