Data exchange company Konsentus has summarised the European Banking Authority’s proposal on identifying and eliminating open banking risks, offering an ‘urgent warning’ to European financial institutions over increased levels of open banking fraud.
Last June, the EBA responded to a call made by the European Commission for advice after a review was made of the Payment Service Directive (PSD2).
What followed was an ‘Opinion and Report’ response, where the EBA identified some areas that need improving when it comes to regulatory permissions of third-party providers delivering open banking services.
As of now, open banking enjoys widespread adoption throughout Europe thanks to the PSD2 directive, which enables financial institutions to share customer information with authorised third-party providers (TPPs).
However, hefty fines may be imposed if data is provided to an unauthorised entity, which plays a big part in the Commission’s call for advice. As regulatory permissions around open banking services in the EEA can change at any time, banks could unknowingly breach GDPR by working with TPPs that no longer hold the correct regulatory status.
The EBA has made a total of 200 proposals and recommendations that suggest what action can be taken to introduce real-time TPP authentication.
However, a lack of planning and insufficient knowledge of what to prioritise first could mean that several years go by before any of the recommendations come fully into effect.
As a result, Konsentus has highlighted nine key points that it says can reduce risk and enhance consumer protection for financial institutions immediately if implemented correctly.
- A Central Machine-Readable Database for all Payment Service Providers (PSPs) currently authorised to deliver Payment Initiation Services (PIS) and Account Information Services (AIS).
- Ongoing checking to confirm that a TPP is authorised to carry out the services being requested at the time of the request.
- Going beyond eIDAS certificates to address “uncertainties” and understand the identity of a TPP and its authorisation status, the services it can provide and its passporting permissions.
- Harmonised data to avoid “discrepancies between the information contained on individual national registers and the EBA central register” to avoid error and misuse of personal data.
- Consistent data updates and a common deadline for updates to EBA and national registers so that data is made available immediately to avoid incorrect account access decisions.
- Reliable passporting information and a requirement for banks to check a TPP’s ‘home’ central authority.
- A duty of care which ensures banks bear liability for protecting customers’ data and funds to minimise financial and reputational damage.
- A complete picture provided by a single database which offers full visibility of all regulated fintech TPPs and credit institutions authorised to act as TPPs.
- Clarity on refusing access to address “uncertainties on the use and reliance of eIDAS certificates for the purpose of identification” and to understand the identity of a TPP, its passporting status and the services it can provide.
Commenting on the potential setbacks for open banking if financial institutions fail to recognise the EBA’s important call for action, Konsentus CCO Brendan Jones said: “Banks face genuinely frightening possibilities if they fail to check the identity and regulatory status of TPPs adequately. They are liable for both unauthorised access to data and fraudulent transactions, which could result in reputational damage and significant financial losses.
“The damage caused by high-profile regulatory action could dent confidence in the wider open banking ecosystem, potentially hurting all players and slowing down the pace of adoption across Europe.
“We welcome the EBA’s recommendations, but also warn banks that they must take action immediately to mitigate the risks. Legislation will take some time to come into force, so financial institutions must resolve the risk around identity and regulation themselves.”