Let's Talk: Payment Services Directive
Q. What is the EU’s second Payment Services Directive?
Angelos Deftereos: The EU’s second Payment Services Directive – known as PSD2 – came into force in January and effectively switches ownership of personal data from the bank to the consumer. In the UK, PSD2 has been introduced as part of a wider drive towards so-called “Open Banking”, which is aimed at putting consumers in greater control of their finances. At the consumer’s behest, a bank must provide access to that consumer’s data to an authorised third party – which might be a fintech start-up, a telecommunications provider or a retailer, among others. And under PSD2, permission for access to that data has to be renewed every 90 days, and it is the bank’s responsibility to ensure those permissions remain in place and are renewed. As part of Open Banking, the same data must be made accessible through a standardised interface, which should facilitate the development of innovative new banking products. The rules also will transform the payments industry and enable merchant businesses to retrieve payment details without the cumbersome data re-entry sometimes required.
Q. What risk management steps will these third parties need to take?
Angelos Deftereos: The European Banking Authority, in close collaboration with the European Central Bank, issued guidelines that require payment initiation service providers (PISPs) to have a risk management framework that focuses on measures to mitigate operational and security risks and is fully integrated into the PISP’s overall risk processes. In the UK, when the Financial Conduct Authority authorises payment and e-money institutions, it will require details of business continuity plans and how those plans will be tested and reviewed, for example.
Q. What are the data security and liability implications of the move towards Open Banking?
James Tuplin: The transfer of data should be reasonably secure – clients’ personal data is subject to data protection law and claimants will be able to complain to the Information Commissioner’s Office. As part of Open Banking, account information service providers (AISPs) and payment initiation service providers (PISPs) are regulated, for the first time. But this does throw up some liability questions, which are, as yet, untested. However robust the security systems in place, there will be payments that go wrong. A PISP might – unintentionally – make an unauthorised payment on behalf of one of its customers, for example. For AISPs, a cyber breach could lead to fraud or identity theft, which could result in large financial – and reputational – losses. In the case of a data breach, businesses involved will need to show that they have met the data security requirements under PSD2 and, where the data is personal data, also under the General Data Protection Regulation (GDPR), which comes into force on May 25 and brings with it strict data breach requirements and the looming possibility of substantial fines.
Q. What is the picture in terms of cyber exposure?
James Tuplin: Nobody knows quite yet how PSD2 and the GDPR interact with each other – if, indeed, they do. It will take time, some test cases – and potential losses – for the answers to these questions to become clearer. Meanwhile, the development of artificial intelligence and blockchain mechanisms continues apace, with companies in all sectors testing the potential efficiencies these technological advances could bring. All of these factors are pushing cyber security even further up the C-Suite agenda. And as cyber underwriters, we are following this with great interest, naturally. Customer trust will be key to the development of an open banking system. It’ll take robust security and sound risk management.