Konsentus, a global SaaS company enabling safe and secure data exchange, has issued an urgent warning about the serious risks that European financial institutions operating in the open banking ecosystem face as open banking fraud increases.
On 23 June 2022, the European Banking Authority (EBA) published an Opinion and Report in response to the European Commission’s Call for Advice (CfA) on the review of the Payment Services Directive (PSD2).
The report identifies significant issues and risks in verifying the identity and current regulatory permissions of Third-Party Providers (TPPs) that deliver open banking services.
Among the EBA’s more than 200 proposals are nine proposals for legislative change that address determining the identity and current regulatory permissions of TPPs in real time, with the aim of reducing risk and enhancing consumer protection.
It may be several years until any recommendations come into effect, meaning that banks will be exposed to the risks identified by the EBA for some time.
PSD2 enables open banking by requiring financial institutions to give authorised third parties and fintechs access to their customers’ payment accounts, with the customer’s explicit consent. Open banking is now a major phenomenon, with billions of transactions in Europe each month and an expected 63.8 million users by 2024.
When data is shared, banks must ensure that they are giving information to the correct entities, and they are liable for any data given to unauthorised third parties.
However, the regulatory permissions that allow TPPs to deliver open banking services across the EEA can change at any time, whereas the eIDAS certificate a TPP presents records the permissions it held when the certificate was issued, not necessarily those it holds now. If banks continue to share data with TPPs that no longer have the correct regulatory status, they could face regulatory fines and be in breach of GDPR.
Brendan Jones, CCO, Konsentus, said: “Banks face genuinely frightening possibilities if they fail to check the identity and regulatory status of TPPs adequately. They are liable for both unauthorised access to data and fraudulent transactions, which could result in reputational damage and significant financial losses.
“The damage caused by high-profile regulatory action could dent confidence in the wider open banking ecosystem, potentially hurting all players and slowing down the pace of adoption across Europe.
“We welcome the EBA’s recommendations, but also warn banks that they must take action immediately to mitigate the risks. Legislation will take some time to come into force, so financial institutions must resolve the risk around identity and regulation themselves.”
Konsentus has produced a summary of the EBA’s nine key proposals:
- A central machine-readable database of all payment service providers (PSPs) currently authorised to deliver payment initiation services (PIS) and account information services (AIS).
- Ongoing checking to confirm, at the time of each request, that a TPP is authorised to carry out the services being requested.
- Going beyond eIDAS certificates to resolve “uncertainties” about a TPP’s identity, its authorisation status, the services it may provide and its passporting permissions.
- Harmonised data to avoid “discrepancies between the information contained on individual national registers and the EBA central register”, and so avoid errors and misuse of personal data.
- Consistent data updates, with a common deadline for updates to the EBA and national registers, so that changes are available immediately and incorrect account access decisions are avoided.
- Reliable passporting information and a requirement for banks to check with a TPP’s ‘home’ national competent authority.
- A duty of care under which banks bear liability for protecting customers’ data and funds, minimising financial and reputational damage.
- A complete picture from a single database giving full visibility of all regulated fintech TPPs and of credit institutions authorised to act as TPPs.
- Clarity on refusing access, addressing “uncertainties on the use and reliance of eIDAS certificates for the purpose of identification” so that a bank can establish a TPP’s identity, its passporting status and the services it may provide before deciding whether to grant or refuse access.
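The check behind the second and third proposals above is that a TPP’s eIDAS certificate establishes who it is and which PSD2 roles it was granted at issuance, while only the live register says what it is authorised to do now. The Python below is an added example written for this page, not Konsentus code and not an EBA or ETSI reference implementation. It decodes the PSD2 QcStatement defined in ETSI TS 119 495 from a certificate’s qcStatements extension and reconciles the roles it finds with the roles a register currently lists. The extension bytes, the NCA name “Example Competent Authority”, the NCA identifier “XX-EXAMPLE” and the register snapshot are all constructed for the example; the OIDs are the standardised ones.

```python
"""Added example: decode the PSD2 QcStatement (ETSI TS 119 495) from an eIDAS
certificate's qcStatements extension and reconcile it with a live register."""
from dataclasses import dataclass

# OIDs defined in ETSI TS 119 495 / TS 119 412-5 (standardised, not assumptions).
OID_PSD2 = "0.4.0.19495.2"
OID_QC_COMPLIANCE = "0.4.0.1862.1.1"  # a non-PSD2 statement, included to show it is skipped
ROLE_OIDS = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
             "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}
SERVICE_ROLE = {"AIS": "PSP_AI", "PIS": "PSP_PI", "CBPII": "PSP_IC"}  # API service -> role

# --- minimal DER encode/decode: SEQUENCE (0x30), OID (0x06), UTF8String (0x0c) ---
def _tlv(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload

def der_seq(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))

def der_utf8(s: str) -> bytes:
    return _tlv(0x0C, s.encode("utf-8"))

def der_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, continuation bit on all but the last byte
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _children(value: bytes) -> list:
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def _decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

@dataclass(frozen=True)
class Psd2Statement:
    roles: frozenset
    nca_name: str
    nca_id: str

def parse_psd2_statement(qc_statements_der: bytes) -> Psd2Statement:
    """qcStatements is SEQUENCE OF QcStatement {statementId OID, statementInfo OPTIONAL}."""
    (outer_tag, statements), = _children(qc_statements_der)
    if outer_tag != 0x30:
        raise ValueError("qcStatements is not a SEQUENCE")
    for _, statement in _children(statements):
        fields = _children(statement)
        if _decode_oid(fields[0][1]) != OID_PSD2:
            continue  # QcCompliance, QcType, ... are not what we need here
        roles_seq, nca_name, nca_id = _children(fields[1][1])  # PSD2QcType
        roles = set()
        for _, role in _children(roles_seq[1]):  # RoleOfPSP {roleOfPspOid, roleOfPspName}
            role_oid, role_name = _children(role)
            roles.add(ROLE_OIDS.get(_decode_oid(role_oid[1]), role_name[1].decode()))
        return Psd2Statement(frozenset(roles), nca_name[1].decode(), nca_id[1].decode())
    raise ValueError("no PSD2 QcStatement in certificate")

def decide(statement: Psd2Statement, register_roles: set, service: str) -> tuple:
    """Grant only if the certificate AND the live register both cover the service.
    The certificate records roles as of issuance; register_roles is the NCA's view now."""
    role = SERVICE_ROLE[service]
    if role not in statement.roles:
        return False, f"certificate does not assert {role}"
    if role not in register_roles:
        return False, f"{role} no longer in the register entry held by {statement.nca_id}"
    return True, f"{role} authorised by {statement.nca_id}"

def build_sample_extension() -> bytes:
    """Constructed (not real) qcStatements: QcCompliance, then PSD2 with PSP_AI and PSP_PI."""
    def role(oid, name):
        return der_seq(der_oid(oid), der_utf8(name))
    psd2_info = der_seq(der_seq(role("0.4.0.19495.1.3", "PSP_AI"),
                                role("0.4.0.19495.1.2", "PSP_PI")),
                        der_utf8("Example Competent Authority"), der_utf8("XX-EXAMPLE"))
    return der_seq(der_seq(der_oid(OID_QC_COMPLIANCE)), der_seq(der_oid(OID_PSD2), psd2_info))

if __name__ == "__main__":
    st = parse_psd2_statement(build_sample_extension())
    for svc in ("AIS", "PIS", "CBPII"):  # constructed register snapshot: PIS since withdrawn
        print(svc, decide(st, {"PSP_AI"}, svc))
```

In production the extension value comes from the client certificate’s qcStatements extension (OID 1.3.6.1.5.5.7.1.3) after the TLS chain has been validated and revocation checked; none of that is replaced by this decode. The point of `decide` is the second test: a certificate that still asserts PSP_PI is not sufficient once the home NCA’s register no longer lists that role, which is exactly the gap the EBA proposals on ongoing checking and register consistency are meant to close.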
Konsentus helps financial institutions make informed, real-time decisions on data sharing and API transaction requests by providing them with consolidated data sourced directly from registers operated by the EBA and the National Competent Authorities (NCAs) of European nations. This reduces the risk of data being handed to unauthorised third parties, and with it the risk of PSD2 or GDPR non-compliance fines.