The European Commission (EC) will close a consultation on Tuesday (July 5) about open finance in what can be seen as a first step to regulate this space, although the Commission won’t be legally bound by the results of the consultation.
Even before analyzing all the feedback from stakeholders, the EC already knows that it can count on the support of the European Banking Authority (EBA), although with some limits.
The commission defines open finance as third-party service providers’ access to business and consumer data held by financial sector intermediaries to provide a wide range of financial and information services.
Currently, under the Payment Services Directive 2 (PSD2), third-party service providers only have access to certain business and consumer data, namely bank accounts. This consultation seeks feedback about whether to extend that access to more customer data. New laws proposed or adopted by the EU, such as the Data Act or the Data Governance Act, don’t provide any new data access rights in the financial sector.
If the EU were to extend data access rights, according to the consultation, the banking, payments, insurance, asset management, securities trading, brokerage and pensions sectors could be affected. The commission is seeking feedback on issues related to the extension of these data access rights, such as who should be obliged to provide data, how much data and whether companies holding the data should be compensated for providing this data.
The EBA has already provided answers to some of these questions in a recent report published on June 23, which was issued in response to the Commission’s call for advice on the review of the Payment Services Directive.
In the 126-page report, the EBA devoted one section to the merits of open finance and how the expansion from access to payment accounts data toward access to other types of financial data (such as savings, investments and insurance data) “has the potential to further spur innovations in the financial sector, to the benefit of consumers and the overall financial ecosystem.”
The regulator noted that expanding access to other types of financial data will also come with challenges and risks. For instance, in terms of security requirements to ensure the safety of consumers’ data and reduce the risk of fraud and scams, the EBA recommends extending the Strong Customer Authentication (SCA) requirements under PSD2 to access to other types of account data.
Learning from the experience with PSD2 in terms of interfaces to share data, the EBA proposed that the EC assess the viability of a single EU application programming interface (API) standard that would provide the foundation for open finance.
The EBA said it believes this standard API should be developed by the industry and with a mechanism for competent authorities to provide guidance in the development of the standard. Additionally, the EBA doesn’t close the door to the possibility of compensating data holders for providing data, but leaves it to the industry to decide how much, if any, this compensation should be.
Where the EBA placed strong emphasis, however, is on giving users the ability to easily revoke their consent at any time and on making sure that companies have a good understanding of how to comply with the General Data Protection Regulation (GDPR).
In the past, there has been friction between the PSD2 and the GDPR, in part because both laws were adopted at similar times, and their implementation brought some issues that were not originally foreseen. The EBA proposed to conduct a thorough analysis of the implications of open finance for customers’ data and how companies should handle this data.