In an attempt to anticipate the future implementation of the Payment Service Directive 2 (PSD2), fintechs and startups are trying to disrupt the banking industry by providing customers with innovative and smart financial services using the latest technologies and deep learning algorithms. With these new financial services, end users will be able to track their expenses, switch from one account to another, compare the fees of their accounts and aggregate data of multiple accounts in one single screen. To provide these services, fintechs need access to payment accounts from banks. However, as these startups pose a competitive threat to established corporations, banks may try to find ways to prevent such access.
This is exemplified by the AFAS case (Rechtbank Midden-Nederland, 2014). The central issue of the case arose when AFAS Software asked the customers of ING Bank to enter their credentials on the website of AFAS so that AFAS could log on directly to ING’s secure online banking interface and initiate transactions on their behalf. The Dutch bank claimed that its general terms and conditions do not allow customers to share or disclose their data (credentials…) to a third party and therefore denied AFAS access to this information. The bank also insisted on the security risk behind such a request. On the other hand, AFAS argued that it tried to anticipate the future implementation of PSD2 with all its implications in terms of competition, the single market and data privacy. The Dutch court decided in favor of ING Bank, considering credentials to be sensitive data that shouldn’t be disclosed, for security reasons. It added that since PSD2 is not yet implemented in the Netherlands, the argument of AFAS cannot be taken into consideration.
This post aims to explore the possible implications of the implementation of PSD2 for future litigation between banks and startups/fintechs.
PSD2 in a nutshell:
As part of the Digital Single Market Strategy, all EU members will have to implement Directive 2015/2366/EU, known as PSD2 (Payment Service Directive 2), by January 13, 2018 (Payment services in the EU, 2016). The purpose of PSD2 is to amend the previous directive (PSD), which has been in place since 2007, to fix some open points such as the lack of security and standardization of payment solutions, the several generic exemptions in the directive, the lack of interoperability and the difference in transaction fees across the European Union.
The main objectives of PSD2 are:
- Secure the payment procedures
- Reduce the costs for customers
- Increase the efficiency of the processes through the standardization of infrastructures
- Unlock customer data by providing access to account information for fintechs (third parties)
- Increase the efficiency and integration of the European payment market
- Improve customer protection
For consumers, PSD2 will have mainly good repercussions as it will increase convenience (websites, mobile apps) and transparency, considerably reduce the vulnerabilities (breaches) of the system and diminish the costs of transactions/services. In addition, consumers would be able to consider offers from other countries, which will strengthen their bargaining power.
Banks will have to share their customer data with third parties. Consequently, they will have to bear the cost of developing the necessary APIs and compete with new actors such as fintechs and startups. As a result, the directive might promote innovation in the banking industry, reduce the architecture complexity in the IT department and simplify scaling across European countries through the harmonization of the legal frameworks in the EU. European banks showed their skepticism towards this directive through the European Banking Federation (EBF). This federation, which represents 32 national banking associations, stated in 2015 that PSD2 “provides yesterday’s solutions for tomorrow’s problems” (The European Banking Federation, 2015).
The big winners seem to be fintechs and third parties, who can improve their customer relationships and have access to APIs from banks without bearing the cost of implementing the necessary protocols and IT tools.
The next two sections will discuss some arguments that the parties of the AFAS case could have used if PSD2 had been implemented (an analogy could be made for startups vs. banks).
Arguments for AFAS (startups/fintechs)
a- Competition / Single market
In order to encourage competition, the Commission tried to modernize PSD by adding some amendments to it. As a result of PSD2, new players will have better opportunities to enter the banking market and propose innovative, cheaper and user-friendly solutions to consumers. The statement made by the European Banking Federation (EBF) on the payment services agreement is one of many initiatives made by big banks to influence the national courts and their interpretation of the directives in this field. If third-party providers (TPPs) cannot have access to the data of customers and initiate payments, it will limit their ability to compete with the established banks.
As PSD2 seeks to improve competition in the Single Market, the court would probably have ruled in favor of AFAS if PSD2 had been implemented.
b- Contracts / Unfair commercial practices
One of the main arguments of ING Bank was that its general terms and conditions do not allow its users to provide data to TPPs. Nowadays, customers are considered as responsible citizens who are supposed to be aware of the terms and conditions of a contract, including electronic contracts (Trzaskowski, Savin, Lundqvist & Lindskoug, 2015). However, it is almost impossible for the “average consumer” – defined as reasonably well-informed and reasonably observant and circumspect (The European parliament and the Council of the EU, 2005) – to fully understand all the implications of the different points within these terms, especially those which require a technical background. Also, the annex of the COUNCIL DIRECTIVE 93/13/EEC states that a term may be regarded as unfair if it is (The Council of the European Communities, 1993).
As a result, these contracts might be considered unfair given that they contain unfair conditions that are used to “mislead” the customer. Accordingly, the argument based on the violation of the terms and conditions becomes flawed.
c- Data protection
PSD2 aims to reduce the risk of fraud and protect confidentiality by securing the payment process. One of the fundamental notions to reach this goal is strong customer authentication. Basically, the idea here is to use at least two of the three types of security elements to validate any transaction:
- Knowledge (something known by the user, e.g. PIN code)
- Possession (something only the user possesses)
- Inherence (a characteristic inherent to the user, e.g. voice recognition, fingerprint…)
Moreover, under this new directive these providers will only have access to the necessary data to which the user has explicitly consented. The credentials will not be accessible to TPPs but will be transferred efficiently through a secure channel using APIs. Thus, the fears of banks concerning security become unsubstantiated and cannot be taken into consideration for the final judgment if PSD2 is implemented.
Arguments for ING Bank (banks)
a- Broad language leading to different interpretations
As a directive, PSD2 shall be implemented in all EU countries but not necessarily with the same wording. In fact, a directive is defined as a formal and usually mandatory executive order or official pronouncement on a policy or procedure. In that sense, countries have to implement it but they have the freedom to adapt it to their legal framework as long as the main objective behind the directive is fulfilled. This situation may lead to different interpretations of PSD2, mainly due to the broad language used in some parts. An example is the 58th article, in which “all information” is not clear enough and the sources of data that should be disclosed are not enumerated. ING Bank could exploit these ambiguities to push for the adoption of national laws in favor of banks, thereby possibly affecting the outcome of similar cases.
b- Commercial practices / Conduct risks
Last year, one of the most interesting cases was the one involving Wells Fargo. The bank was asked to pay more than $185 million in fines after violating the Unfair, Deceptive, or Abusive Acts and Practices (UDAAP) provisions defined by the Dodd-Frank Act of 2010 (The 111th United States Congress, 2010). The US bank created accounts for customers without their request.
This is an example of “conduct risk” that European banks have to take into consideration given the complexity of their ecosystem. With PSD2, many believe that banks will converge to an API-based architecture. Consequently, new conduct-related risks will emerge, especially regarding financial operations (loan, deposit, investment products, mortgages…). Allowing TPPs to have access to their APIs would oblige EU banks to trust the judgement of TPPs when it comes to controlling the integrity of the transactions. This situation would raise ethical issues such as the possibility for gambling third parties to initiate loans for users using their app. Article 3(3) of the “Unfair Commercial Practices Directive” (The European parliament and the Council of the EU, 2005) defines vulnerable consumers as a clearly identified group of consumers who are particularly vulnerable to the practice or the underlying product because of their mental or physical infirmity, age or credulity in a way which the trader could reasonably be expected to foresee. In this particular case, the simple consent of a “vulnerable consumer” shouldn’t be enough to permit the initiation of transactions. This risk can be used by ING Bank to justify its position in the AFAS case.
We are entering a new era where all the cards are redistributed in the banking industry. We are likely to see new startups becoming the next big actors of payment services, especially with the future implementation of PSD2. It appears that, had this directive been implemented, the decision of the national Dutch court would have been in favor of AFAS, as the arguments of ING Bank are either insufficiently substantiated or not based on the “average consumer”.
Despite its position in this particular case, ING Bank is already making strategic choices and adapting its future business model and value proposition to this new paradigm by launching “ING Innovation Studio”, an accelerator to support fintechs, in an attempt to promote cooperation with innovative startups.
Payment services in the EU. (2016). Retrieved from http://eur-lex.europa.eu/legalcontent/EN
Rechtbank Midden-Nederland. (2014). ING BANK N.V. v. AFAS SOFTWARE B.V C/16/372291 / KG ZA 14-481.
The 111th United States Congress. (2010). Dodd–Frank Wall Street Reform and Consumer Protection Act.
The Council of the European Communities. (1993). COUNCIL DIRECTIVE 93/13/EEC.
The European Banking Federation. (2015). EBF statement on EU payment services agreement. 1.
The European parliament and the Council of the EU. (2005). DIRECTIVE 2005/29/EC Unfair Commercial Practices Directive.
The European Parliament and the Council of the EU. (2015). DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. Official Journal of the European Union, 93.
Trzaskowski, Savin, Lundqvist & Lindskoug. (2015). Introduction to EU Internet Law.