Reviewing operational requirements for PSD2

By Peter Smith, Global Head of Industry Policy Liaison, TISA.

Peter, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

I am currently Global Head of Industry Policy Liaison at TISA, the premier industry funded body working with the financial services industry, UK political parties, European Parliament, Treasury, HMRC, DWP, TPR, and the FCA, to enhance & improve the range, features, benefits, promotion and quality of savings & investment schemes to all UK citizens. TISA is a thought leader in the development of policies and industry initiatives that support the financial outcomes for UK consumers, UK Plc and thereby the interests of its membership. TISA is also increasingly the instigator or developer of new industry services.

My role at TISA covers the entire financial services industry, incorporating cross sector policy work with both ministers & regulators within the UK and EU, and cross industry. I am a member of the TISA Executive Team and lead on Financial Services Industry Liaison. My work covers policy matters across financial services distribution, platforms, technology innovation, FinTech and retirement as well as a number of project groups including Digital Identity, New Technology Innovation (FinTech, Reg Tech, Insur Tech & Pens Tech), FAMR, MiFID, PRiiPs, PSD2, GDPR, Brexit and other working groups. I recently sat on the steering committee for the Industry Sandbox consultation, which explored different models for a new industry-led accelerator aiming to speed up the process by which new financial services products are brought to market. I also represent UK Financial Services on the All Party Political Group for FinTech.

At the Payments Forum, you will be giving your insight regarding reviewing operational requirements for PSD2 and lessons learnt ahead of and post implementation. Why do you believe this is currently a key talking point within the industry?

The industry is very alive and vibrant to the prospect of open banking & PSD2. The introduction of Open Banking legislation is designed to establish a more streamlined, customer-centric future for personal banking. Open Banking will offer consumers an unparalleled degree of control over their finances and data, whilst sparking a new wave of innovation and competition in the industry.

Regulation and where liability sits are the key current issues.

In your opinion, why are users of APIs, in regard to customer data, a key talking point?

The real change to the status quo is the level of customer control. Under the current system, consumers are required to provide the access details for their banking information to third party financial services – which often risks breaching T&Cs. Under the new rules, the customer can permit third parties to access this information directly, without needing to negotiate with the bank.

Without the trust of consumers, third parties requiring consumer consent to use new rights of access to bank and payment account data will struggle to make an impact in the market.

That is the clear message from a survey carried out for Pinsent Masons and Innovate Finance of the views of a number of fintech businesses. Fintech business Fluidly believe that trust will be based on three elements: transparency of activity, security and their brand.

“If the first movers can establish themselves in those three areas they will attract a wave of early adopters who are willing to experiment for financial or other incentives, for example to avoid credit card fees from more traditional PIS providers,” Fluidly said. “Trust in AISPs is a little further along the adoption cycle for SMEs and sole traders as this functionality already exists for many of the accounting software packages that already offer bank feeds.”

Without giving too much away, can you outline some of the main challenges of mitigating third party cyber risks?

The CMA Open Banking order requires the new open API standards to be developed by an industry body which it establishes, and to cover security, authorisation and authentication. The CMA has said that the open API standards must provide for “robust security arrangements and identity management to protect this far more sensitive information”. It has also indicated that customers must be “fully protected against privacy and security risks and fully informed of the potential benefits and risks of sharing their financial information with third parties”.

The CMA also notes that data and security standards will need to take account of the EU’s General Data Protection Regulations and the 4th Anti Money Laundering Directive. Understanding how these overlapping pieces of legislation fit together therefore is essential. For example, as some commentators suggest, understanding where liability sits (both for data controllers and processors) in an increasingly networked ecosystem, alongside adhering to the principles of “informed consent”, and data minimisation, will be crucial to the smooth roll out of Open Banking.

How do you see the payments industry evolving over the next 6-12 months, particularly in relation to the current and upcoming political landscape?

Payments will actually evolve slowly as consumers will need to be encouraged to use OB and APIs. A lot of engagement at the moment digitally is consumers checking their balances, not actually being fully engaged or saying where’s my API or my bank dashboard or app. Regulating API providers and keeping track of activity will be a key focus of regulators.