February - 2018


BY: ANNE-SOLÈNE GAY

The opening of bank data to Fintechs

The Directive n°2015/2366 of 25 November 2015 on payment services in the internal market known as "PSD2" came into effect on 13 January 2018. This Directive which aims to develop innovative payment services has been implemented into French law by the order n°2017-1252 of 9 August 2017.

In addition to measures to improve payments security, the Directive PSD2 sets up a new right for new providers as the technology financial companies (Fintechs) to access, by a secure communication channel, to customers' accounts data held by the banks. Thus, when their clients have expressly given their consent, the banks are now obliged to give access to certain third parties to data relating to their payment accounts. Two types of third parties are granted such access right:

-       payment initiation service providers (PISP) and

-       account information service providers (AISP), more commonly known as aggregators.

To this end, the banks have to adapt their bank interfaces (API) or create specific APIs allowing the new market players to access to these data under secure conditions. The banks will develop these APIs in conformity with the regulatory technical standards (RTS) adopted by the European Commission on 27 November 2017. Except if the European Counsel and the European Parliament express an objection within three months following this adoption, these regulatory technical standards shall be applied eighteen months from their publication in the Official Journal of the European Union. The banks will then have until September 2019 to comply with these rules. Before this date, Fintechs will be able to use the banks' APIs when the banks make them available.

To this day, the payment initiation service providers and the aggregators can already access to the clients' data through the "screen-scraping" technic which consists in using the clients' identifiers. However, this technic is strongly criticized by the banks because it is not secured, which is why it was critical to find a compromise allowing the banks and Fintechs to collaborate.

The PSD2 represents a real chance for Fintechs, thanks to APIs and subject to the obtaining of necessary approvals, as they will be able to have access to more information with regard to clients' accounts than the one they obtain with the “screen-scraping" technic.

Nevertheless, the PSD2 contains limitations since it allows Fintechs to access only to payment data and not to savings accounts or credit data. To access to these data, Fintechs will probably be tempted to continue using the "screen-scraping" method.

In order to prevent this, certain banks are considering broadening their APIs to others data and not only to payment data.


Tags:
Juris Initiative, Anne-Solène Gay, Behring, Directive n°2015/2366 of 25 November 2015 on payment services in internal market, PSD2, PSIC, AISP, order n°2017-1252 of 9 August 2017, Fintech, screen-scraping, API, bank data, payment data, saving data