Update of previous blog of 18 July 2018
The strong rise of financial technology companies – also referred to as Fintechs – is leading to a "revolution" in the financial sector. Thanks to smart innovations in areas such as artificial intelligence, machine learning, blockchain, mobile payment and access management, these companies are able to provide services relatively cheap, easy and fast. In order to stimulate competition between traditional banks and Fintechs in the field of alternative and innovative payment services, revised European legislation aims to (further) regulate the traditional "banking infrastructure". This blog discusses the expansion of economic regulation of retail payments and associated data, and the application of the new regulatory framework by national competition authorities.
The rise of Fintechs
The IPO of the Dutch payment processor Adyen shows that Fintechs play an increasingly prominent role in the financial landscape. The established financial institutions, such as large banks, insurers and pension funds are aware of this development. Collaboration with Fintech startups is increasingly being sought by traditional banks and banks set up their own initiatives as well. A few examples of these are the launch of three startups – Franx, New10 and Prospery – by ABN Amro, the founding of Peaks by Rabobank and the introduction of Kandoor by Pensioenfonds APG. The major banks have also jointly launched Payconiq, an alternative to iDeal.
Despite the explosive growth of Fintech companies, newcomers to financial services sector often experience barriers when entering the market. Banks are not required to share their customers' payment account data with third parties on the basis of existing financial regulations. In various studies, the Netherlands Authority for Consumers and Markets ("ACM") analysed the possibilities to increase Fintech's contribution to competition and warned against the risks of foreclosure of Fintechs.
The European legal framework for retail payments has recently been revised with the adoption of the Payment Service Directive 2 (the "PSD2"). This directive focuses on opening up the banking infrastructure for third parties, also known as "open banking". By developing standards for the exchange of data and guaranteeing access to existing systems, the European legislator aims to increase competition in the market for (alternative) payment services.
Scope of PSD2
While Fintech companies did not initially fall under the scope of "payment service provider" as included in the PSD1, this definition has been extended in the PSD2 by two new non-banking players. The two new categories of payment service providers are;
- Account information service providers: at the request of an (online) account holder, they aggregate information from different payment accounts (at different banks) belonging to the account holder. An example of this is the US-based company Mint.com, part of accounting software company Intuit. By combining information of different bank accounts, the account holder gets immediate insight into its overall financial position and will be able to check whether the balance on his bank account is sufficient to execute a certain payment order.
- Payment initiation service providers: after explicit consent by private or business account holders, they initiate payments from the respective holders’ (online) accounts. (including freely available savings accounts). A well-known example of this is Tikkie, an app launched by ABN Amro. The initiation of payments by a third party is subject to strict customer authentication requirements.
Parties that want to provide these services must register and apply for a license from a central bank, for example De Nederlandsche Bank ("DNB"). Parties that solely provide account information services are exempt from this license obligation (Article 33 PSD2).
Access conditions for third parties
Pursuant to Article 35 PSD2, banks must grant authorised or registered payment service providers access to their online payment systems. Access must be granted on an objective, proportional and non-discriminatory basis and may not be more restricted than necessary. In addition, payment institutions, including payment initiation service providers, should have access to payment account services of credit institutions (Article 36 PSD2).
The rules concerning the access to and the use of (data relating to) online payment accounts are further elaborated on in Articles 66 and 67 PSD2. For example, payment service users must explicitly authorise the use of their payment account (data) by third parties. Third parties, the payment service providers, must inter alia identify themselves to users and may not request or store payment data other than directly necessary for the execution of the specific payment service. Banks must in turn cooperate, without delay, on payment orders and information requests from third parties and may not, for instance, make access to payment accounts (data) dependent on the existence of a contractual relationship between the bank and the third party.
The PSD2 imposes a non-discrimination obligation on banks. Banks may not treat third parties differently – for example in terms of time, costs and priority – from a similar request for information or a service made by a customer. Access to (the data of) online payment accounts can only be denied on the basis of objective reasons (Article 68 PSD2). A bank that denies access must report this to the competent authority that will assess it and, if necessary, take appropriate measures.
The Regulatory Technical Standards ("RTS") of the European Commission further specify the PSD2-rules. For example, the European Commission has determined that banks may be compensated for no more than the efficient costs they have to incur in order to grant access to third parties. However, the PSD2 leaves room for different interpretations of how access should be granted. Recently, the Berlin Group, an European initiative by financial institutions, has developed an Access to Account Framework consisting of an interoperable data exchange system. Ultimately, the exact access conditions will only be clarified once the directive has been implemented in national legislation and the national legal framework has been further defined.
Implementation of the directive
After repeated postponement and political discussions about privacy issues, the PSD2-directive was implemented in Dutch legislation by the end of 2018. The Implementation of the Revised Payment Services Directive Act embedded Articles 35, 36 and 68 of the PSD2-directive in Articles 5:88 (access to payment systems) and 5:88a (access to payment account services) of the Dutch Financial Supervision Act (“Wft”)
After entry into force, Fintech companies as well as large American and Chinese tech companies, are able to apply for a license at DNB and gain access to payment account details of banks. This is expected to have major consequences for innovation in payment systems and competition between traditional banks, Fintechs and tech giants. Fintechs argue that traditional banks benefit from a competitive advantage as they already have the necessary data to offer alternative payment services. In contrast, traditional banks have expressed concerns about unfair competition due to the lack of regulation of Fintechs and tech giants. The latter are currently not bound by the same rules on customer protection, security, liabilities etcetera as banks. In addition, banks and some politicians fear that large technology companies such as Google, Amazon and Alibaba will engage in the provision of payment services to collect banking data on a large scale.
Supervision and enforcement by the ACM
In addition to DNB, the Netherlands Authority for Financial Markets (“AFM”) and the Dutch Data Protection Authority (“AP”), the ACM is also responsible for monitoring compliance with the PSD2-rules. According to Article 1:25a Wft, ACM is tasked with the supervision of Article 5:88 and 5:88a Wft. At the end of 2018, the ACM stressed in several speeches that the technical standards banks will develop in relation to PSD2 should not lead to foreclosure of certain third parties. The ACM expressed its intention to actively assist Fintechs in removing possible barriers to entry in the coming months.
The ACM is able to give its views on the (justified) grounds for refusal of access and take enforcement activities in certain cases. For example, in case of an infringement of the access provisions, the ACM can issue a binding instruction on the basis of Article 1:25a of the Wft (Articles 1:59 and 1:75 Wft). The ACM is bound to request the AFM and DNB to provide their views (Articles 1:25a (3) jo 1:47 (1) Wft), so as to allow the ACM to take into account sector-specific knowledge from other regulators. Conversely, the AFM must provide confidential data and information to the ACM insofar as necessary for the execution of ACM’s supervisory tasks (see Article 1:93c Wft and Article 3.3 Enforcement Consumer Protection Law Act).
The extension of ACM's supervisory tasks based on the Wft does not alter the possibilities for the ACM to apply enforcement tools on the basis of competition law. The ACM announced in its study on Fintechs in the payment system of December 2017 that it would be proactive in investigating whether the Dutch Competition Act ("Mw") is being violated. The ACM can, for instance, impose fines on the basis of Article 24 Mw if dominant companies refuse to provide essential information to Fintechs without justified reasons. The ACM can also impose an administrative fine or a cease and desist order in case of non-compliance with the PSD2 access provisions.
New regulatory trend?
The banking sector does not appear to be the only sector where regulation of data aims to contribute to competition. In May 2018, for example, the ACM issued an advisory report on the regulation of the public transport payment market in which the ACM described the possibility of granting access to travel data and passenger information from public transport companies to mobility service providers in a similar way as PSD2. The digital economy may unleash a new trend in competition supervision whereby access to inputs and networks is increasingly enforced with ex ante regulation.
This blog has been co-written by Mr B. Braeken (who, as of 15 July 2019, no longer works at Maverick Advocaten).