On the 14th of June, the Minister of Finance updated the Dutch Parliament on the implementation of PSD2 into local law.
The Netherlands, together with 11 other countries have not yet implemented PSD into local law, which had to be done by about 5 months ago already.
The Minister didn’t give an actual implementation date but he did reveal plans to make additional changes relating to privacy.
So, what’s new?
In my opinion, rather than creating the level playing field we expected from the PSD2 vision, the current discussions and concerns raised here in the Netherlands, that are delaying the implementation, only seem to be hurting small FinTechs.
Here’s why I think this is the case.
I’ll also put forward a counter-argument to some of the privacy concerns.
Going too far?
Just like PSPs under PSD1 a decade ago, FinTechs that wish to operate as TPP will be able to access transaction data under PSD2.
This has resulted in what I believe are unwarranted and exaggerated privacy concerns.
That’s not to say there are no privacy questions to address; privacy is terribly important. I do believe however that the Netherlands is taking things too far.
Will TPPs become unsupervised cowboys?
Far from it!
Like banks and PSPs, TPPs will become regulated entities with an extremely thorough licence application process. In the Netherlands, both AISP and PISP need to obtain a licence by the Dutch Central Bank.
And they certainly won’t be handing out these licences to just anybody.
The EBA authorisation guidelines show a long list of documents required such as an operations program, business plan, governance arrangements, internal control mechanisms, sensitive payment data process, business continuity plan and security policy.
And even if the authorities do grant a licence to a TPP, they will remain under ongoing supervision, just like any other licensed financial institution.
So, why the fuss about privacy?
Banks already have access to our data so why are we making such a big issue of granting certain access to TPPs, if the consumer allows it? Did I mention that these companies will have a license and be subject to ongoing supervision?
Ultimately, it’s the responsibility of the authorities to weed out any TPPs with bad intentions and to keep them under close supervision.
My feeling is; if a TPP is granted a licence by the authorities, they should enjoy the same level of trust as any other regulated company.
Do TPPs need to prove that they’re trustworthy?
Some experts argue that banks have earned their reputation for trust, that enables people trust them with their data.
But this viewpoint is effectively robbing TPPs of the chance to prove themselves trustworthy.
By raising privacy concerns at this stage, we’re giving these companies a tarnished reputation before they’ve even started, which isn’t fair.
During my panel discussion at the Dutch Payment Association, the COO of Volksbank confirmed that the privacy concerns were raised because of the risk that 10% of TPPs could be misusing data.
So why are the other 90% of TPPs being punished?
And if that’s the logic, why aren’t all banks being penalized for the Libor scandal?
These ‘what ifs” mean that TPPs are staring out on the back foot, fighting back against the industry and the public’s bad opinion.
Hang on, are the privacy concerns legitimate?
I’m not denying that there are privacy questions to be answered but let’s not allow such concerns to become exaggerated and further delay implementation.
Let’s look at the concerns one by one:
Concern 1: Facebook
The Minister of Finance has stated that the Facebook data scandal warrants a proper consideration of privacy with the implementation of PSD2. On the contrary, PSD2 is meant to open up the market for smaller players!
Facebook already has an e-money license in Ireland and PSD2 won’t change that. Yes, the way Facebook uses data should be addressed but is delaying PSD2 the way to do it?
I would actually argue that tech companies moving into the regulatory space may be a good thing. As long as companies stay outside regulatory reach, authorities cannot interfere with their practices.
Concern 2: After banks share data they can’t retrieve it
Why would this be necessary?
GDPR already requires companies to delete data after services have stopped or when consent is withdrawn.
Why do banks have to play a role here? See below my further views on Dutch bank’s current contributions to the discussions.
Concern 3: TPPs will use data for new service offerings and comparisons
I believe that TPPs using data in this way is what consumers want ultimately as it could make their life a lot easier.
It would give people useful information on their purchases, for example whether they could have been cheaper elsewhere. Isn’t that what we call progress?
I fail to see the issue here, as PSD2 explicitly stipulates that TPPs may not use, process or store the data for any other purpose than the TPP service that has been requested. The consumer will need to consent to the use of his/her data for this purpose anyway.
In any case, the authorities can act as gatekeeper, as during the license application process, TPPs must state what ancillary services they are intending to deliver alongside account information services, within the next three years.
If they intend to mistreat their data access, this will be flagged up either in their application or during ongoing supervision.
Concern 4: TPPs can determine how long they keep data
Again, there are existing data retention requirements under GDPR. Companies may not keep the data longer than necessary without good reason and data must be removed when consent is withdrawn or upon the consumer’s exercise of their ‘right to be forgotten.’
Concern 5: TPPs can decide how fast they will respond to complaints
This is not true!
PSD2 requires a distinct complaint handling procedure, which is checked as part of the license application.
Complaints must be addressed within 15 working days, with a possible extension in some circumstances (but never longer than 35 days).
These timelines will need to be followed by all companies that fall under PSD2. The authorities will have to designate an alternative dispute resolution authority to handle consumer complaints.
Concern 6: What if someone transferred money to a person that uses a TPP and they have not provided their consent?
Let’s face facts: how many times do you receive money in your bank account from family, friends or other individuals?
I’ve checked my statements and I only received money from another individual on two occasions in three months, so that is 2 out of a hundred transactions or so. All my other transactions are either retail purchases or paying bills (usually more of the latter!).
So, are we not exaggerating the amount of data a TPP will have access to without the third party’s consent?
And if so, what kind of data would they have; a name, a transaction amount and a bank account number?
Further, going back to my argument for all regulated entities to be treated fairly, why is it OK for banks to have access to this?
Are Dutch banks trying to be a consumer hero?
Dutch banks seem to have cast themselves in the role of consumer hero, protecting us mere mortals from scary TPPs.
They have even discussed facilitating an emergency button to retrieve data, and the Banking Association (NVB) has threatened to initiate legal proceedings against TPPs where needed.
They’ve also come up with the idea of some kind of ‘quality mark.’
The suggestion is that banks already have a reputation for customer service and duty of care and a quality mark for TPPs will give consumers the same confidence.
I don’t see any added value in this.
Isn’t the fact that a TPP has been granted a license already proof that they have been thoroughly vetted by authorities and can be trusted? Isn’t this just overstepping the authority of the regulatory supervisors?
More importantly, this quality mark could create an unlevelled playing field if one TPP received it and another didn’t, even if they both have a licence.
Who should be protecting the public?
Banks are not responsible for protecting the public; that is the duty of the authorities.
So let’s not assign any of this responsibility to commercial players who are in fact competing with the concerned parties. This will surely only lead to a conflict of interest or self-interest out of fear of loss of customers.
Let the judge be the judge.
Nadja van der Veer is a payments lawyer with over a decade of experience in the international Payments industry and a legal expert in rules and regulations involving PSD, AML and CDD and Card Schemes. Having worked for a PSP and an acquirer, she has a broad perspective on all legal and business aspects of (Card and Alternative) Payment processing in the global e-Commerce industry.