European banks have admitted they are unsure about how third-party access to non-payment accounts will be managed under incoming security rules, with fintechs insisting credential sharing is here to stay.
From September 14 next year, technical standards on security will introduce an unprecedented legal framework for account information and payment initiation service providers looking to plug into accounts to provide innovative new offerings to customers.
But the standards, and the revised Payment Services Directive (PSD2) they accompany, only concern accounts “used for the execution of payment transactions”, meaning all others remain out of scope.
“The question is: what about all the other types of accounts?” said Kasper Sylvest Olsen, head of financial market infrastructures and sector collaboration at Danske Bank, at last week’s Digital Finance Europe event in Brussels.
“One of the goals with PSD2 is for account information services to provide the full overview of a customer’s financial situation,” Olsen said.
“You cannot do that if you only look at payment accounts. Most customers often have savings accounts, mortgage accounts, etc; that’s all part of the financial situation, and if we cannot aggregate that in one place then we are not anywhere.”
For Jacques Pütz, chief executive of application programming interface (API) specialist LUXHUB, banks feel the access issue is “quite special at the moment”.
“If [the third party] wants to access saving accounts he doesn’t care; there’s no regulation about it,” he said at the same event. “We have no law regarding this situation.”
Historically, in an unregulated market the method typically used by third-party providers has been credential sharing, often referred to as screen scraping.
In that model, the end user would provide their online banking login credentials to the third party, which would then log in on their behalf, allowing it to aggregate data and initiate credit transfers.
Under the incoming rules, that will only be possible if the third party is “identifiable” to the bank — and that stops being the case if the bank builds a dedicated access interface and has it approved by its national regulator.
Danske Bank’s Olsen said he “really doesn’t like that screen scraping part” as it reduces the effectiveness of fraud mitigation software.
However, he stopped short of saying the bank would voluntarily make more information freely available through its API, suggesting that the possibility of a contractual arrangement “can always be discussed”.
The issue places banks in a difficult position. They could theoretically remove any incentive for third parties to rely on credential sharing by offering a free-to-use API across all financial products, but are understandably reluctant to do so for commercial reasons.
Scott McInnes, a partner at Bird & Bird, said there is no legal reason why wider access cannot be granted, but realistically it would only happen “if a bank feels generous”.
The other option would be to “talk about things like screen scraping still, or reverse engineering”, which remain undesirable for banks.
Representatives from the fintech sector are often sceptical about a harmonious relationship between banks and third parties, built on partnerships and collaboration.
“Why do you think I do screen scraping?” asked Clement Coeurdeuil, chief executive of Budget Insight, an API specialist and data aggregator based in Paris.
“Do you think I never went to the bank and asked if they have a way to connect, that is good for the user, and I have his consent to do so?
“They say, no, that’s not possible, I don’t want you to. To do a partnership you need to be two people; I wanted to do the partnership but they didn’t.”
Coeurdeuil referred to accusations, initially from third parties but later from the European Central Bank, that many banks have adopted a defensive strategy to third-party access under PSD2 — claims firmly rejected by the sector.
Banks “are really blocking everything they can, because they don’t understand the new world,” he said. “The problem is the third-party providers cannot back down, they cannot, because it’s a matter of life and death.”
For Coeurdeuil, the end result is that fintechs “are in the very strange situation where we are going to keep screen scraping”.
In effect, the stand-off means credential sharing will almost definitely continue after September next year as a means of access to non-payment accounts, regardless of the APIs put in place by banks.
Efforts to break the impasse at member state level have so far run into difficulties.
French senators suggested that the scope of the transposition law could be widened to cover other account types, although those suggestions were rebuffed by the country’s National Assembly on the grounds that the issue was better dealt with at the European level.