Out-Law News
30 Jun 2023, 3:04 pm
Businesses active across financial services will be obliged to make real-time customer data available to their customers and, at customers’ request, other firms active in the sector, under new legislative proposals put forward by the European Commission.
The draft new regulation on financial data access (54-page / 457KB PDF) builds on existing data access rights that apply in the payment services market and, more generally, under data protection laws. Specific reforms to EU payment services legislation have also been put forward by the Commission in a legislative package being referred to as ‘PSD3’.
Under PSD2, banks, building societies and other payments account holding institutions are obliged to enable third party 'account information service providers' (AISPs) and 'payment initiation service providers' (PISPs) to access the payment account data they hold on customers, at those customers' request, to allow the businesses to provide the customers with their services. Regulatory technical standards were developed under the PSD2 regime to govern customer authentication and data access.
The proposed new framework for financial data access essentially enhances the data access rights that apply under PSD2 and extends the rights and obligations to a wider range of financial services firms. It provides for industry-led financial data sharing schemes to govern access to the customer data, with scope for scheme rules to address the charges ‘data holders’ will be able to levy ‘data users’ for facilitating access to the data as well as other matters such as contractual liability and dispute resolution.
Insurers, investment firms, crowdfunding providers, credit rating agencies and cryptoasset service providers are among the businesses that would be classed as data holders – and therefore obliged to make customer data available for access – under the proposed new regime. Those businesses would, subject to customers’ permission, also have rights of access to customer data held by other data holders, as data users.
A wide range of data is within scope of the draft framework. It includes customer data on mortgage credit agreements, loans and accounts – including data on balance, conditions and transactions – as well as on savings and investments, cryptoassets, real estate and other related financial assets. Customer data on pension rights and some non-life insurance products, and data which forms part of a creditworthiness assessment of a firm which is collected as part of a loan application process or a request for a credit rating, are also within scope of the proposed new regulation.
The European Banking Authority (EBA) and European Insurance and Occupational Pensions Authority (EIOPA) would be obliged to develop guidelines on certain data processing activities provided for under the draft regulation.
Data holders would also need to provide customers with a permissions dashboard through which they could monitor the permissions they grant in relation to data user access. For ongoing permissions, the dashboard would need to display the name of the data user to which access has been granted, the customer account, financial product or financial service to which access has been granted, the purpose of the permission, the categories of data being shared, and the period of validity of the permission. Customers would also have to be able to exercise a right to withdraw permissions via the dashboard.
The new PSD3 package includes a proposed new payment services regulation (128-page / 1.21MB PDF) and a separate draft directive (68-page / 684KB PDF), the latter of which consolidates rules specific to e-money institutions with those applicable to payment services.
On third party data access rights in the payment services market, the proposed regulation does away with the existing obligation on account servicing payment service providers to maintain a permanent fall-back interface to the main dedicated interface they provide for facilitating account information and payment initiation service providers’ access to account data.
However, where an outage or other issue renders dedicated interfaces unavailable, payment initiation service providers and account information service providers will be able to ask regulators to grant them rights of secure access to the interface the account servicing payment service providers use for authentication and communication with their users for payment account data access.
The proposed regulation also contains a raft of draft new anti-fraud measures, including provisions that promote fraud data sharing between payment institutions and others that require payments to be verified by reference to payees’ unique International Bank Account Number (IBAN).
As part of the process for gaining authorisation to provide payment services provided for under the draft new directive, payment institutions would also be obliged to provide national regulators within the EU with a raft of information – including a description of their procedure for handling security incidents and a description of their ICT business continuity plans and ICT response and recovery plans.
Luke Scanlon of Pinsent Masons, who specialises in technology law and contracts in financial services, said: “The new framework sets out a number of ways in which the relationship between third party providers and financial institutions will need to change. The consent dashboard, greater ability for third party providers to rely on their own strong customer authentication processes, the access to IBAN checks and the strengthened requirements for creating and maintaining a dedicated interface are all areas which will need to be looked at closely to ensure the relationship works as intended for both parties in practice and ultimately for businesses and consumers who use third party provider services.”
Mairead McGuinness, the EU commissioner for financial services, financial stability and capital markets union, said: “In the EU’s growing data economy, every interaction in finance creates new data. It is therefore vital that European consumers remain the ones in control of their payments and they decide with whom to share this data so that they can avail of new and innovative products.”