The strong rise of financial technology companies – also referred to as Fintechs – is leading to a "revolution" in the financial sector. Thanks to smart innovations in areas such as artificial intelligence, machine learning, blockchain, mobile payment and access management, these companies are able to provide services relatively cheaply, easily and quickly. In order to stimulate competition between traditional banks and Fintechs in the field of alternative and innovative payment services, revised European legislation aims to (further) regulate the traditional "banking infrastructure". This blog discusses the expansion of economic regulation of retail payments and associated data, and the application of the new regulatory framework by national competition authorities.
The rise of Fintechs
The IPO of the Dutch payment processor Adyen shows that Fintechs play an increasingly prominent role in the financial landscape. The established financial institutions, such as large banks, insurers and pension funds, are aware of this development. Traditional banks are increasingly seeking collaboration with Fintech startups and are setting up their own initiatives as well. A few examples of these are the launch of three startups – Franx, New10 and Prospery – by ABN Amro, the founding of Peaks by Rabobank and the introduction of Kandoor by Pensioenfonds APG. The major banks have also jointly launched Payconiq, an alternative to iDeal.
Despite the explosive growth of Fintech companies, newcomers to the financial services sector often experience barriers when entering the market. Banks are not required to share their customers' payment account data with third parties on the basis of existing financial regulations. In various studies, the Netherlands Authority for Consumers and Markets ("ACM") analysed the possibilities to increase Fintechs' contribution to competition and warned against the risks of foreclosure of Fintechs.
The European legal framework for retail payments has recently been revised with the adoption of the Payment Service Directive 2 (the "PSD2"). This directive focuses on opening up the banking infrastructure for third parties, also known as "open banking". By developing standards for the exchange of data and guaranteeing access to existing systems, the European legislator aims to increase competition in the market for (alternative) payment services.
Scope of PSD2
While Fintech companies did not initially fall under the scope of "payment service provider" as included in the PSD1, this definition has been extended in the PSD2 to include two new non-banking players. The two new categories of payment service providers are:
- Account information service providers: at the request of an (online) account holder, they aggregate information from different payment accounts (at different banks) belonging to the account holder. An example of this is the US-based company Mint.com, part of accounting software company Intuit. By combining information from different bank accounts, the account holder gets immediate insight into their overall financial position and will be able to check whether the balance on their bank account is sufficient to execute a certain payment order.
- Payment initiation service providers: after explicit consent by private or business account holders, they initiate payments from the respective holders’ (online) accounts. A well-known example of this is Tikkie, an app launched by ABN Amro.
Parties that want to provide these services must register and apply for a license from a central bank, for example De Nederlandsche Bank ("DNB"). Parties that solely provide account information services are exempt from this license obligation (Article 33 PSD2).
Access conditions for third parties
Pursuant to Article 35 PSD2, banks must grant authorised or registered payment service providers access to their online payment systems. Access must be granted on an objective, proportional and non-discriminatory basis and may not be more restricted than necessary. In addition, payment institutions, including payment initiation service providers, should have access to payment account services of credit institutions (Article 36 PSD2).
The rules concerning the access to and the use of (data relating to) online payment accounts are further elaborated on in Articles 66 and 67 PSD2. For example, payment service users must explicitly authorise the use of their payment account (data) by third parties. Third parties, the payment service providers, must inter alia identify themselves to users and may not request or store payment data other than directly necessary for the execution of the specific payment service. Banks must in turn cooperate, without delay, on payment orders and information requests from third parties and may not, for instance, make access to payment accounts (data) dependent on the existence of a contractual relationship between the bank and the third party.
The PSD2 imposes a non-discrimination obligation on banks. Banks may not treat third parties differently – for example in terms of time, costs and priority – from a similar request for information or a service made by a customer. Access to (the data of) online payment accounts can only be denied on the basis of objective reasons (Article 68 PSD2). A bank that denies access must report this to the competent authority that will assess it and, if necessary, take appropriate measures.
The Regulatory Technical Standards ("RTS") of the European Commission further specify the PSD2-rules. For example, the European Commission has determined that banks may be compensated for no more than the efficient costs they have to incur in order to grant access to third parties. However, the PSD2 leaves room for different interpretations of how access should be granted. Recently, the Berlin Group, a European initiative by financial institutions, has developed an Access to Account Framework consisting of an interoperable data exchange system. Ultimately, the exact access conditions will only be clarified once the directive has been implemented in national legislation and the national legal framework has been further defined.
Delayed implementation of the directive
The implementation of the PSD2 has been postponed several times compared to the prescribed implementation date of 13 January 2018. It is expected that the directive will be implemented in Dutch legislation by the end of 2018 at the earliest. In the legislative proposal, which is currently being discussed by the House of Representatives, Articles 35, 36 and 68 of the PSD2 have been implemented in Articles 5:88 (access to payment systems) and 5:88a (access to payment account services) of the Dutch Financial Supervision Act ("Wft").
The PSD2 has no direct effect, meaning that Fintech companies cannot yet apply for a license due to the delayed implementation, nor can they force access to bank accounts and related data. Therefore, Fintechs argue that traditional banks benefit from a competitive advantage as they already have the necessary data to offer alternative payment services. In contrast, traditional banks state that the lack of regulation of Fintechs creates a competitive advantage for Fintechs, which are currently not bound by the same rules on customer protection, security, liabilities etcetera as banks. In short, both banks and Fintechs are pushing for quick implementation of the PSD2. Until then, some market players have started to share payment account data on their own initiative.
Delaying the implementation of European legislation is not without struggles. The European Commission can give the Netherlands a notice of default and start an infringement procedure that can eventually lead to the imposition of a fine by the Court of Justice.
Supervision and enforcement by the ACM
In addition to DNB, the Netherlands Authority for Financial Markets ("AFM") and the Dutch Data Protection Authority ("AP"), the ACM is also responsible for monitoring compliance with the PSD2-rules. The ACM announced in its study into Fintechs in the payment system in December 2017 that it would proactively investigate whether there are violations of the Dutch Competition Act ("Mw").
The ACM can take enforcement action in certain cases. In contrast to ex ante regulation in other sectors (telecom, energy, healthcare, etc.) the ACM did not receive additional instruments in relation to PSD2. The regulator can take enforcement action on the basis of Article 24 Mw if dominant companies refuse to provide essential information to Fintechs on the basis of unjustified reasons. Pursuant to Articles 5:88 and 5:88a Wft (new), the ACM will be given the opportunity to offer its position on the (justified) grounds for refusal of access. The ACM can also impose an administrative fine or a cease and desist order in case of non-compliance with these access provisions or give a binding instruction on the basis of Articles 1:59 and 1:75 Wft. In such a case, however, the ACM has the obligation to request the AFM and DNB to give their opinion (Articles 1:25a(3) in conjunction with 1:47(1) Wft) so that the ACM can take account of sector-specific knowledge from DNB and the AFM. The exact distribution of supervisory tasks between the various authorities will still have to crystallise in the coming months during the parliamentary debate on the PSD2-implementation act.
New regulatory trend?
The banking sector does not appear to be the only sector where regulation of data aims to contribute to competition. In May 2018, for example, the ACM issued an advisory report on the regulation of the public transport payment market in which the ACM described the possibility of granting mobility service providers access to travel data and passenger information from public transport companies in a way similar to PSD2. The digital economy may unleash a new trend in competition supervision whereby access to inputs and networks is increasingly enforced with ex ante regulation.