BASDA Annual Summit 15th May 2018
Open Banking: Don’t Believe the Hype!

Our next Speaker
Open Banking: “Don’t Believe the Hype”
– Peter Davey: Director, and Legal & Regulatory and Finance & Risk Lead, Open Vector
Why should you care?
• Intention of PSD2 to make merchant payments feasible without cards
– Saves the merchant service charge
– Has turned payments from a backwater into a major area of Fintech activity and investment
• Data sharing: PSD2 and data portability under GDPR will lead to new services
– And require clients, and you, to have a better understanding and evidence of law and controls
– Facebook & Data Analytica
– Understanding data sharing, GDPR and infosec generally
– Managing consent and revocation of consent
– Authentication of actors and consumers
• Strategic implications in the banking industry
– Rationalisation of payment account providers
– Account information services we haven’t even thought of
– Global extensions of open banking gathering pace
– GAFA / FATBAG
Current status
• Open Banking became legally required 13 January, and GDPR, including data portability, becomes effective 25 May
• So what’s changed? Not a lot:
– Payments initiation – ‘fire and forget’
– Account information – not especially functional
– Few TPP licences
– Redirection from one web browser to another
• Need to comply today – but security standards won’t be clear till Sept 2019!
• Post Brexit – when not directly applicable in UK!
• BUT, Roy Amara’s ‘law’: we tend to overestimate the impact of a new technology in the short run, but underestimate it in the long run
• Also, client’s problem is your opportunity
Background: PSD2
Legally effective 13 January 2018
Focussed on payments initiation following competition actions by Sofort
Delivers: Access for payments initiation, account information, and ‘funds check’ (PISPs, AISPs, CBPIIPs)
Coverage:
• EEA, European Economic Area
• Euro & all other EEA currencies
• Payment accounts
• Retail: Turnover and balance sheet below euro 2 million, and employs fewer than 10 people
Other:
• ASPSPs cannot refuse, charge, or require contracts with TPPs
• UK has ‘transposed’ into local law, but not all European states have yet
• Security features, esp. SCA RTS and the requirement for TPPs to identify themselves to ASPSPs, effective Q3 2019 – post Brexit
• Issue with screen scraping
CMA Order
Legally effective 13 January 2018
Designed to address perceived failure of current account switching:
• ‘More likely to change your partner than your bank’
Delivers: Payments initiation access, account information access, “compliant with PSD2”
• Account information to compare current accounts
• Focus more on account information. Thrust for inclusion in PSD2 came from UK
Coverage:
• UK/GBP
• Current accounts, both personal and business
Other:
• 6 out of 9 of CMA9 have had to request delay
• CMA has always been clearer that a move to APIs from SS (screen scraping) is desirable
GDPR
Legally effective 25 May 2018
Only concerned here with ‘data portability’ aspects
Designed to permit ‘data subjects’ to better control access to their data
Delivers: Right to ‘port’ data from one Data Controller to another with explicit consent
• But note the ‘legal basis of processing’ may be something else: i.e., Contract, Legal obligation, Vital interests, Public tasks, Legitimate interests
• ASPSPs currently have a basis related to processing transactions
• Cannot extend to commercial activities without additional Consent (database implications)
Coverage: All information about a data subject based in the EEA – in principle global coverage!
Other:
• Method to be used only mandated to be ‘machine readable’
• Time frames are longer (a month compared with real-time)
• UK Information Commissioner’s Office (ICO) very clear that it thinks OBIE should be the vehicle for data portability
• Banks less so
PSD2, CMA Order & GDPR
• Overall
– Direction of travel of all three is the same
– But critical differences in details
– Notably between data protection law and PSD2 account access – see Holland
– Debate between FS regulators and DP regulators on status of ‘authorisation’
• ‘Nothing to see here’
– Always over-estimate speed of technology, and underestimate its impact over time
– Also selling (and explaining) supporting infrastructures – analogy of electricity
• Coverage
– Areas of debate in OBIE Roadmap – card and mortgage accounts
– Banks resisting move from ‘minimum compliant product’ – floodgates argument
– But can a MCP comply with purposive legislation?
Technical issues for ecosystem … and opportunities for IT vendors?
– SCA (Regulatory Technical Standards re Strong Customer Authentication)
– eIDAS certificates
– Inability of payment initiation to ‘self-PISP’, i.e. initiate payments to itself (when it’s clear the ‘purpose’ was to introduce competition for card payments)
– Obstacles to payment initiation becoming a substitute for cards in e-commerce (forward dated payments, esp. variable)
– Fourth party issue
– APIs
• Compliance with standards – necessary but not sufficient
• Provision of own bespoke APIs, via ‘app store’ (e.g. Nordea) – but how to monetise?
• Act as TPP accessing other ASPSPs’ accounts
– But especially around consent management …
Consent, Authentication, Authorisation
Consent
– Full explanation of the purpose and implications of the transaction
– Between the TPP and the PSU
Authentication
– SCA requires two out of:
• Knowledge: something only the PSU knows, like a password or PIN
• Possession: something only the PSU possesses, like a device, and
• Inherence: something you are, biometrics
– Dynamic linking (to payee and amount)
– Exemptions
– Under control of ASPSP
Authorisation
– In domain of ASPSP
– ‘Positive friction’ for PSU – so they don’t pay by mistake, and know when the process is about to complete
– Ensure ASPSP has clarity in its domain: otherwise allegations of non-authorisation are unwieldy to investigate
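Dynamic linking, as an added illustration (not code from the talk, OBIE or Open Vector): the authentication code the PSU’s device produces is an HMAC over the payee, amount and a bank-issued nonce, so the ASPSP’s check fails if either payee or amount differs from what the PSU approved. The shared device key, the IBAN-style payee strings and the field encoding are constructed assumptions.

```python
"""Illustration of PSD2 SCA 'dynamic linking': the authentication code is
bound to the payee and amount shown to the PSU, so a later change to either
invalidates it.  Hypothetical example, not any ASPSP's or OBIE's code."""
import hashlib
import hmac
import os


def _link_message(payee: str, amount_minor: int, currency: str, nonce: bytes) -> bytes:
    """Canonical, length-prefixed encoding of the linked data, so that
    shifting characters between fields cannot produce the same bytes."""
    parts = [payee.encode(), str(amount_minor).encode(), currency.encode(), nonce]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def generate_code(key: bytes, payee: str, amount_minor: int, currency: str, nonce: bytes) -> str:
    """Run on the PSU's registered device (possession factor) once the PSU has
    confirmed the payee and amount displayed to them."""
    mac = hmac.new(key, _link_message(payee, amount_minor, currency, nonce), hashlib.sha256)
    return mac.hexdigest()[:16]  # truncated to 64 bits for display/entry


def verify_code(key: bytes, code: str, payee: str, amount_minor: int,
                currency: str, nonce: bytes) -> bool:
    """Run by the ASPSP against the payment it is actually being asked to
    execute; constant-time compare avoids leaking how many digits matched."""
    expected = generate_code(key, payee, amount_minor, currency, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Genuine payment versus a payment whose amount or payee was altered
    after the PSU approved it (e.g. by a compromised TPP or browser)."""
    key = bytes(range(32))        # constructed device key, provisioned at enrolment
    nonce = os.urandom(16)        # ASPSP challenge; also stops replay of an old code
    payee = "GB00EXMP00000000000001"  # constructed placeholder account id
    code = generate_code(key, payee, 4999, "GBP", nonce)
    return {
        "genuine": verify_code(key, code, payee, 4999, "GBP", nonce),
        "amount_changed": verify_code(key, code, payee, 49990, "GBP", nonce),
        "payee_changed": verify_code(key, code, "GB00EXMP00000000000002", 4999, "GBP", nonce),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'amount_changed': False, 'payee_changed': False}
```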
Consent, Authentication, Authorisation
At least three different accesses, even using OB standards
– Payments initiation access
– PSD2 account information access
– Data sharing beyond PSD2, presumably therefore under GDPR
– Note the ASPSP needs a legal basis for processing in releasing the PSU’s data. Easiest if it’s a Legal obligation or Public task, i.e. complying with law.
Implications for
– Regulatory model (PISP & AISP): PII can only cover regulated activities
– Liability model (only PISP underwritten by ASPSP)
– Legal status of authorisation stage at ASPSP (different for each)
Consent, Authentication, Authorisation
Made more complex by the fact that
– Simple transactions might combine all three accesses
– Parties may disagree on the legal status of the access
– Need to make it easy for a customer to consent (and equally easy to revoke), and yet
– Need the consumer to be able to access complete data on request re regulatory model, liabilities, legal status etc.
OBIE UK uses a model based on:
– Consent between PSU and TPP
– Authentication and Authorisation by PSU in domain of ASPSP
– Which implies a redirection model
– Works for all three types of access
– ASPSP can move immediately to SCA without waiting for RTS, and
– Without having to coordinate with other parties
Access models etc / need for flexibility
ERPB approach
– Suggestion that a ‘dedicated interface’ needs to cater for more than redirection
– Embedded and/or De-coupled?
– Arguably there is a fourth that needs to be catered for as well: screen scraping
– How will SCA work?
– How will selection between alternatives work? Merchant / consumer ‘drive’?
IT solutions need to be flexible for potential change
– Compliant today
– Yet flexible as models and strategies change
– Standard APIs, bespoke APIs, SS
– Access methods: Redirection, Embedded, De-coupled
– Directories and digital certificates
Conclusion
• Agree OB looks like all hype
• But would argue that it will lead to far-reaching changes
• Provides opportunities to help clients deal with difficult issues
• Will also impact your ability to manage your treasury
– To obtain information from banks
– And initiate payments
• Data sharing especially is a difficult area with risk and opportunity
• Perhaps better to be the seller of pickaxes etc. than prospecting for gold
• Access to data will be more important than the ability to initiate payments