Regulation is being actively discussed in the FinTech field in Europe. Regulators struggle to balance openness to innovation with protecting consumers and investors. While discussion on the right balance between enabling innovation and reducing risks is on-going, anyone involved in the financial services market should be interested in recent regulatory developments in the European Union (EU).
FinTech Regulatory Framework
To begin with, there is no “FinTech regulation” per se. Instead, the EU regulatory framework is highly fragmented and various regulations and directives apply to FinTech related businesses. It is therefore better to concentrate in specific areas such as payment services in order to understand the development. The key question is whether regulation can be seen as an enabler to growth and innovation for financial technology.
“The key question is whether regulation can be seen as an enabler to growth and innovation for financial technology.”
PSD2 as a Path for Innovation
One of the regulatory provisions most clearly focused on FinTech is the Directive (EU) 2015/2366 on payment services in the internal market (PSD2). PSD2 aims to promote the development of an efficient, secure and competitive payments area. It is a major change set to impact the innovation and security of payments across Europe and update payment services regulation in line with market developments.
PSD2 extends the scope of regulation to new types of payment service providers. These so-called Third Party Providers are divided in two types: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). AISPs are providers that can connect to bank accounts, retrieve information from them and offer multi-bank account details under single portal. PISPs are providers that initiate payment transactions and offer, for example, an alternative to the use of payment cards.
According to PSD2, banks are obliged to open up their infrastructure for payment initiations of PISPs as well as for requests for customer account information by AISPs. This means that banks must provide Third Party Providers with access to bank accounts of customers who explicitly give their consent thereto. Third party access will be implemented through open Application Programme Interfaces (APIs).
The opening of banks’ infrastructure to Third Party Providers is accompanied by strict security requirements. PSD2 requires Third Party Providers to apply strong customer authentication when a customer initiates an electronic payment transaction and accesses its payment account online. Banks must, however, be of assistance also in this respect and allow Third Party Providers to rely on the customer authentication procedures provided by the banks.
In terms of other changes, PSD2 includes, for example, new reporting obligations and provisions to protect consumers and distribute liability. The aim of PSD2 is also to strengthen the role of the European Banking Authority (EBA) to coordinate supervisory authorities and draft Regulatory Technical Standards (RTS).
To summarize, from a PSD2 perspective, the answer to the key question presented above is clear. Regulation can be seen as an enabler to growth and innovation. PSD2 in itself is even more – it is a significant regulatory improvement that together with financial technology can change the whole payment services market as we know it.
Follow these PSD2 issues
Market participants will have to examine the legislation of their country of incorporation, as there might be some deviations from PSD2 on local level. Furthermore, market participants will have to wait for some critical further information, as only the EBA’s RTS will give guidance on how some remaining security issues including strong customer authentication and standards for secure communication will be solved.
PSD2 must be transposed into national law no later than 13 January 2018. A different date of application is foreseen for the EBA’s RTS on strong customer authentication and secure communication, as the RTS will be applicable 18 months after its entry into force, i.e. the adoption of the RTS by the European Commission expected during spring 2017. This would suggest the earliest possible application date of the RTS to be at the end of 2018.
PSD2 is often seen as a challenge to banks and an opportunity for Third Party Providers and consumers. This is a simplified view of the future as, for example, many banks have started to re-think their business models and strategies, and PSD2 enables also businesses (and not just consumers) to use Third Party Providers to manage their finances. The next question is, therefore, with all the financial technology and new regulation, what kind of innovations will there be to satisfy everyone in market?