ATTENTION: Access to bank data!
Digitization in accordance with the Second Payment Services Directive (PSD2)
In light of PSD2's implementation, credit institutions must provide payment service providers with access to dedicated interfaces (APIs), which allow access to the account and thus to personal data, contact information, and account details.
In the course of demand-oriented digitization and the implementation of the Second Payment Services Directive (EU) 2015/2366 ("PSD2"), transparency and information obligations are increasingly taking on key roles in the financial industry, particularly in view of European competition driven by consumer protection.
This is reflected, among other things, in the fact that account-servicing payment service providers (including all credit institutions) must set up at least one dedicated interface in accordance with Article 98 of the PSD2 and the regulatory technical standards (EU) 2018/389 ("RTS") for account information service providers (AISP), payment initiation service providers (PISP) and payment service providers issuing card-based payment instruments. These interfaces allow qualified third parties to access individual accounts of the payment service provider's customers.
Obligation to provide APIs
Since March 14th 2019, account-servicing payment service providers who intend to launch their products when the regulation enters into force have been required to provide their interfaces in a test environment and to undergo qualification testing in accordance with the requirements of Art. 30 RTS. The incentive for rapid implementation is that, where interfaces prove unreliable, the (expensive) "screen scraping" procedure continues to apply. Screen scraping means logging in with the customer's own access credentials to retrieve data and trigger transactions, with the page content being read and data entered automatically.
Taking into account the importance and confidentiality of the data transmitted, the formal and material security requirements that must be met in order to comply with these obligations and to protect operators, and consumers in particular, are not surprising.
In order to provide the QWAC-secured interface, credit institutions must demonstrate PSD2 compliance for personalized security credentials. Alternatively, they may offer strong customer authentication in accordance with RTS requirements. Transaction and interaction monitoring, identification of the individual communication sessions, and strong customer authentication are particularly relevant for implementation, and the required strength of the authentication must be weighed up. The technical explanations of the interface in the RTS remain vague, which is why banks, whose systems are currently designed precisely to prevent external access, are increasingly resorting to ready-made software solutions in order to meet the regulatory requirements.
Regulatory requirements for FinTechs
Even FinTechs that want to benefit from the development of this infrastructure must first meet regulatory requirements. Payment initiation service providers (PISP) and account information service providers (AISP) are subject to authorization or registration and require qualified website certificates (QWAC) to secure communications between them and credit institutions. While PISPs require a license from the German Federal Financial Supervisory Authority ("BaFin"), AISPs only need to be registered with BaFin. It is therefore important to pay particular attention to which procedure is relevant when filing an application. In any case, it is essential that FinTechs' product and service offerings meet the requirements of PSD2, and that the necessary groundwork has been completed before a license or registration is obtained. Consequently, establishing strategic risk and compliance management to fulfil these requirements also helps to ensure adequate data protection.
Impact on the financial services sector
With the opening of access (the so-called Open Access Principle) to account transaction data previously reserved for banks only, the PSD2 is developing its full innovative potential. However, the retrieval and use of personal customer data poses a challenge for payment service providers, credit institutions and other FinTechs. They must not only develop an understanding of the scope of the data protection consent requirement under the provisions of the PSD2 (Art. 94 Para. 2 PSD2 and § 59 German Payment Services Supervision Act (ZAG)), but also implement the essential legal data protection provisions of the GDPR (e.g. purpose limitation) for legitimate data processing.
This development has put modernization pressure on all market participants, as only new technologies, especially cloud solutions and standard solutions, can meet regulatory requirements and the expectation of a seamless customer experience at reasonable cost. For outsourcing, § 25b German Banking Act (KWG) in connection with AT 9 of the Minimum Requirements for Risk Management (MaRisk) and the Supervisory Requirements for IT in Financial Institutions (BAIT) impose the underlying regulatory requirements on credit institutions; § 26 ZAG imposes such requirements on payment service providers. In light of the new cooperative framework, a solid understanding of the territorial scope of the General Data Protection Regulation (GDPR) (the marketplace principle), as well as a determination of the responsibilities of the actors, especially with regard to the use of cloud computing, remain essential.