The revised Payment Services Directive (PSD2)

07 November 2017

From 1 January 2018, the revised Payment Services Directive (PSD2) will apply in the EU, including the UK. This provides the legal framework for what is known as ‘open banking’, by which payment account providers are required to provide third party access to customer account data. In this bulletin we consider the impact of open banking and the associated insurance requirements.

Open banking is intended to encourage competition in the retail banking sector, enabling customers to consent to allowing third parties safe and secure access to their current accounts to either gather transaction data or initiate payments on the customer’s behalf. 

What will change?

Adapting to this will require a lot of investment by the industry, but PSD2 is anticipated to lead to big changes for consumers. In particular: 

  • Retailers like Amazon will be able to make a payment for customers, without needing to redirect them to another party (e.g. Visa, Paypal) – these retailers are known as Payment Initiation Service Providers (PISPs) 
  • Where customers have multiple bank accounts, businesses (either banks or retailers) will be able to display all their account information in one place – these are known as ‘Account Information Service Providers’ (AISPs). 

This in turn gives rise to significant opportunities for first-movers in the market. The direct connection between retailers and banks will be enabled using Application Programming Interfaces (APIs), with opportunities for fintech companies to develop customised applications. Similarly, the consolidation of current account information offers lucrative cross-selling opportunities for retailers and non-traditional banks, and a means to grab market share.

It also provides opportunities for wealth managers and independent financial advisers, if they are willing to invest. For the first time, as an AISP they will be able to operate as a true ‘one stop shop’ for personal financial management, with a clear understanding of customers’ personal positions and increasingly regular client contact. This improved customer experience will be important given that the big retail banks have all been involved recently in project with the FCA’s advice unit, indicating that they intend to use PSD2 as a route back into the advice market themselves.

What's the downside?

Balanced against this opportunity is the increased regulatory and administrative burden placed on all parties, particularly the retail banks. Access to more secure personal financial data by third parties other than traditional banks is a real concern for consumers, and AISPs and PISPs will need to bear that in mind. 

Key points will be: 

  • Banks are required to make information on their interfaces publicly available and will need to ensure that those interfaces are both appropriately secure and operationally reliable. Changes need to be advertised three months in advance 
  • Banks must also implement fraud prevention mechanisms before a payment is authorised by a PISP 
  • PISPs and AISPs can only act with explicit customer consent. AISPs must ensure that personalised customer data is not accessible to third parties, and that they do not access any other information beyond current account details. PISPs must similarly ensure that the customer authentication procedure is secure.

Where does Insurance fit into this?

Providing access by third parties to highly confidential personal data and/ or payment services obviously increases the risks of that data being misused. For retail banks, PISPs and AISPs, the commercial opportunities are balanced against risks of reputational damage and consumer class actions (whether under the General Data Protection Regulation or existing law).

Acknowledging that risk, PSD2 introduces an obligation for PISPs and AISPs to hold professional indemnity insurance (PII) that covers:

  • For PISPs, potential liability for unauthorised payment transactions, and non-execution or defective execution of transactions; and
  • For AISPs, potential liability resulting from unauthorised or fraudulent access to or use of payment account information.

The minimum monetary amount of PII cover required is based on European Banking Authority guidelines, but when seen in the context of the cover already held by most companies is not overly material.

Nonetheless, given those requirements and the generally increased risks associated with use of customer data, companies involved in PSD2 should carefully review their current policies to ensure that any potential exposures are covered. Those exposures are themselves rapidly developing (witness the rise of blockchain and increased use of biometrics in customer authentication) and so policies in the retail banking sphere will need to keep pace.

Download Technical & Legal Bulletin

For more information contact John Greene, Partner on +44 (0)20 7558 3312 or email john_greene@jltgroup.com