Online TPPs – assumption or design?
How PSD2 might be blocking Third-Party Providers and disadvantaging customers
I confess I enjoy looking for unintended consequences in legislation. Particularly so in the case of the EU’s General Data Protection Regulation (GDPR) and second Payment Services Directive (PSD2). I was therefore surprised by an assumption which I, and I suspect many other practitioners in the field, had made about third-party providers. The assumption concerns how customers can access account information or payment initiation services.
For those coming new to this, third-party providers (TPPs) are regulated entities which are allowed to access account data and/or payment services of customers. A TPP is defined under PSD2 as an authorised provider of Account Information Services (AIS) and/or Payment Initiation Services (PIS); these provider terms are normally abbreviated to AISP or PISP. Under the terms of PSD2 the other parties are the Payment Service User (PSU) – the person or legal entity which owns the account – and the Account Servicing Payment Service Provider (ASPSP) – the provider of the account. How these parties communicate is governed by the Regulatory Technical Standard (RTS) on Strong Customer Authentication and Common, Secure and Open Standards of Communication, developed by the European Banking Authority and taken over by the European Commission in the current, final draft. So this defines how the regulated entities exchange information, but not how customers will use it.
The assumption is that businesses will sign up customers – including consumers, SMEs and corporates – to their services and allow them to manage their payment accounts. The widely used term is “open banking” or “access to accounts”/XS2A and it was at an OpenID Foundation event yesterday concerning the UK’s Open Banking initiative in compliance with PSD2, that the realisation hit me: we have assumed how these AIS and PIS providers will communicate with their customers, and that has a huge implication for security.
The assumption we make is that both AIS and PIS are accessible only via some electronic means: an app, a website or a piece of software. Many customers (PSUs) use services from their current PSP which allow them to make payments through a non-electronic mechanism, or to access their statements either in-branch or through telephone channels. In many cases this is because of disability, disadvantage, unfamiliarity, or simply lack of access to technology. In these cases people may be impeded from taking up new services, which further reinforces the digital divide.
Finally, whether payment service users can instruct their PIS provider via an offline channel has significant implications for the discouragement of “redirection to the account servicing payment service provider’s authentication or other functions” (RTS on SCA and CSC November 2017 draft Article 32.3) as it’s not clear what “redirection” means in the context of a telephone payment order, if such an order results in an electronic payment.
Back to basics: what does the law say?
If you’re not a fan of the text of legislation feel free to skip to the conclusion at the end; perhaps it’s TL;DR.
PSD2 Legal Text
In these cases I like to go back to the legal text to see what it actually says. The definitions in PSD2 of AIS and PIS are quite clear, but seem quite arbitrary in what can be provided face-to-face or over the telephone:
“(18) ‘payment initiation service provider’ means a payment service provider pursuing business activities as referred to in point (7) of Annex I;
(19) ‘account information service provider’ means a payment service provider pursuing business activities as referred to in point (8) of Annex I;”
PSD2 – Second Payment Services Directive (EU) 2015/2366, Article 4 – Definitions
So for Payment Initiation Services, that may happen over any channel, but Account Information Services must be provided online, giving vulnerable consumers a reason to stay with their existing ASPSPs. It seems quite odd that AIS are “online” whereas PIS may be through any channel – I’m not sure that this was intended. Whilst I’m not clear what the definition of “online” is in this context, I think we can probably take a good guess at it meaning “on the Internet”.
So, if I wanted to phone up and listen to a list of recent transactions on my account, I cannot, as worded here, use an AIS to do it; I have to go back to my Payment Service Provider and their existing telephone banking service. In fact, many of the telephone banking or account management services seem to be purely in the domain of the ASPSP.
I am not questioning that the services provided by the ASPSP should be online and, ideally, API-based, but the key question is: what interfaces are allowed between the AIS or PIS provider and the Payment Service User? This is a key question when it comes to the Regulatory Technical Standard on SCA and CSC.
So I then trawled through the text of PSD2 looking to find other explicit references to AIS or PIS being provided “online”. Article 66 outlines the rules of access by PIS providers and doesn’t discuss the channel to the PSU. Article 67 outlines the rules on access to an account by an AIS provider and is silent on the interface. The only reference I could find is to the obligation on the EBA to come up with a standard on secure communications. So that’s where I went next.
Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication
The RTS is meant to specify common and secure communications protocols and procedures to protect PSPs, customers and AIS/PIS providers from financial or other crime. From the November 2017 draft from the European Commission, with regard to “regulatory technical standards for strong customer authentication and common and secure open standards of communication”:
“This Regulation establishes the requirements to be complied with by payment service providers for the purpose of implementing security measures which enable them to do the following:
d) establish common and secure open standards for the communication between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers in relation to the provision and use of payment services in application of Title IV of Directive (EU) 2015/2366.”
PSD2 RTS on Strong Customer Authentication and Common Secure and Open Standards for Communication – Article 1 – Subject Matter
This establishes the mandate given to the EBA/Commission on establishing standards. Note that not all parties will communicate using these protocols, for example payer and payee may simply talk to one another and communication rarely if ever happens between PIS provider and payee and presumably never between AIS provider and payee.
While the obligation on ASPSPs to provide an interface applies to “payment account that is accessible online” (Article 30.1), it is certainly debatable whether AIS or PIS should similarly be restricted to “online”.
Article 29 on traceability seems to assume that the communications between the AIS or PIS provider and the payment service user are online, although it is not explicitly stated that they are electronic communications:
“For the purpose of paragraph 1, payment service providers shall ensure that any communication session established with the payment services user, other payment service providers and other entities, including merchants, relies on each of the following:
(a) a unique identifier of the session;
(b) security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data;
(c) timestamps which shall be based on a unified time-reference system and which shall be synchronised according to an official time signal.”
PSD2 RTS on Strong Customer Authentication and Common Secure and Open Standards for Communication – Article 29
Whilst this article does assume some form of web-browser or app interface, it is not clear that it works only for internet-based communications. Similarly, Article 30.2(b) states:
“(b) communication sessions between the account servicing payment service provider, the account information service provider, the payment initiation service provider and any payment service user concerned shall be established and maintained throughout the authentication;”
PSD2 RTS on Strong Customer Authentication and Common Secure and Open Standards for Communication – Article 30.2
which again does not seem to dictate internet communications, or that the payment service user is part of the communication.
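To make the Article 29 requirements concrete, here is an added example (my own illustration, not code from the post, the RTS or any API standard) that models a traceability record for a TPP-to-PSU communication session and checks a session log against the three requirements: a unique session identifier, logged transaction data, and timestamps on a unified time reference. The field names and the channel labels (“api”, “telephone”) are assumptions; the point is that the checks do not depend on the channel being Internet-based.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Hypothetical model of the RTS Article 29 traceability requirements for a
# session between a TPP and a payment service user; field names are assumed.
REQUIRED = ("session_id", "channel", "transaction_number",
            "timestamp_utc", "transaction_data")

def new_session_record(channel, transaction_number, transaction_data,
                       clock=lambda: datetime.now(timezone.utc)):
    """29(a) unique session id, 29(b) transaction number and relevant data,
    29(c) timestamp on a unified time reference (UTC here)."""
    now = clock()
    if now.tzinfo is None or now.utcoffset() != timedelta(0):
        raise ValueError("timestamp must be timezone-aware UTC")
    return {
        "session_id": str(uuid.uuid4()),
        "channel": channel,  # logged, not restricted: "api", "telephone", ...
        "transaction_number": transaction_number,
        "timestamp_utc": now.isoformat(timespec="seconds"),
        "transaction_data": dict(transaction_data),
    }

def validate_log(records):
    """Return the problems found across a session log; an empty list means
    every record passes the Article 29 checks modelled here."""
    problems, seen = [], set()
    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            problems.append(f"record {i}: missing {missing}")
            continue
        if rec["session_id"] in seen:
            problems.append(f"record {i}: duplicate session id")
        seen.add(rec["session_id"])
        ts = datetime.fromisoformat(rec["timestamp_utc"])
        if ts.utcoffset() != timedelta(0):
            problems.append(f"record {i}: timestamp not on UTC reference")
        if not rec["transaction_data"]:
            problems.append(f"record {i}: no transaction data logged")
    return problems

def sample_log():
    """Constructed sample: one online API session and one telephone order."""
    fixed = lambda: datetime(2017, 11, 27, 9, 30, tzinfo=timezone.utc)
    api = new_session_record("api", "TX-0001", {"amount": "10.00", "ccy": "EUR"}, fixed)
    phone = new_session_record("telephone", "TX-0002", {"amount": "25.00", "ccy": "GBP"}, fixed)
    return [api, phone]
```

A telephone order passes the same checks as an API session once the operator's system assigns the session identifier and logs the transaction with a UTC timestamp.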
Summary of legal text analysis
For Account Information Services, it seems clear, but odd, that these services must be provided online; for Payment Initiation Services, nothing in the legal text defines them as an “online”-only service. Whilst the legal text seems to make some assumptions, there is nothing which critically prevents PIS providers from offering telephone, face-to-face or paper-based services to initiate payments.
Can AIS and PIS providers offer non-“online” services? No and yes. It seems clear that, while this may have been considered in early drafts of PSD2, it was forgotten or changes were made for other reasons which conflict with the original intention.
As stated before, the ban on obstacles in the RTS, which may include “redirection to the account servicing payment service provider’s authentication or other functions”, makes this assumption important for the design models of authentication used by ASPSPs and API design groups such as Nordea, the Berlin Group and the UK’s Open Banking Limited.
In the PSD2 recitals, it does state:
“(93) It is necessary to set up a clear legal framework which sets out the conditions under which payment initiation service providers and account information service providers can provide their services with the consent of the account holder without being required by the account servicing payment service provider to use a particular business model, whether based on direct or indirect access, for the provision of those types of services.”
PSD2 – Second Payment Services Directive (EU) 2015/2366
It is not clear that this “Internet only” assumption does not impose a restriction on the business model of PIS providers (and arguably AIS providers). Surely if the goal of PSD2 is to open up competition and innovation in the banking sector, this should equally apply to those who are blind or partially sighted, impoverished, or prefer to deal over the telephone or on paper.
The assumptions in PSD2 about the nature of payment initiation and account information services reduce its general applicability. Surely regulators will act to make the benefits of open banking available to vulnerable and disadvantaged groups?