Verouderde browser

U gebruikt een verouderde browser. DNB.nl werkt het beste met:

03 maart 2020 Algemeen

In his keynote speech at the 4th annual Conference on FinTech and Regulation, Olaf Sleijpen outlined the opportunities of data sharing. Looking back on lessons learned from the introduction of the revised Payment Services Directive (PSD2), he described what should be done to help unlock the evolution of open finance: standardized third-party access to consumers’ financial data; future-proof legislation, which carefully considers various public interests and legal jurisdictions; and building trust, so people know they are in full control of their own data.

Datum: 3 maart 2020
Locatie: 4th annual FinTech Conference, Brussels
Spreker: Olaf Sleijpen

It is a pleasure to be here at the 4th annual Conference on FinTech and Regulation. Today, I want to talk about the opportunities and challenges of open finance. Over the next few years, we will witness the rising importance of customers’ payment data in the financial sector. By making intelligent use of data, service providers will be able to develop new tailor-made financial services, improve risk assessments, and much, much more. We will also see that data sharing will not end with payments data. We have now entered a new era of open data, in which all sorts of data may be shared.

In the EU, we have taken an important first step into open finance with the introduction of the revised payment services directive. PSD2 allows trusted third party providers to access a customer’s payment account. They can then offer that customer account information or payment initiation services. They must of course first get their customers explicit consent to do so.

Open finance is a natural progression from PSD2, and that is what we will discuss in this session.
With open finance, third parties would also be able to access individual customer’s other financial data, like on how much money a customer puts on their savings account every month, in addition to data about their investments, their mortgage or their insurance.

Third parties can use these data, in combination or not, to come up with new services, possibly integrated with services from other parties. For instance, to bring other businesses to the customer’s attention. These businesses may deliver similar services to the customers’ current service provider, but offer better conditions or new insights.

Open finance could also result in combining account information and payment initiation services.
For example, service providers could also take financial decisions on behalf of customers. This could involve transferring funds from one savings account to another, to earn a better rate of interest. But it could even include making investments on behalf of customers. Or switching to an insurance policy provider with more favorable conditions. Everything is possible!

PSD2 and open finance are part of a much broader, social development: open data.
The door will soon be officially open for consumers and companies to share a variety of private data with third parties.

This has in practice already been going on for some time, although on an unregulated basis.
This is set to change with the recently published European Data Strategy. The Strategy is a roadmap for the single digital market for data and AI. The Commission says it will:

 “create a genuine single market for data, where personal and non-personal data, including confidential and sensitive data, are secure and where businesses and the public sector have easy access to huge amounts of high quality data to create and innovate.”

The data may include all kinds of public and private information, like telecoms activities, electricity consumption, geographical locations, legal and medical records, leisure activities, et cetera.
Open data is not only important for consumers, but is also very relevant for other companies,
like in logistics, industrial cooperation processes, health services and public services.

In countries like Australia they have already taken regulatory steps in this direction.
In 2017, the Australian Government announced the introduction of its Consumer Data Right (CDR). The CDR will give consumers in Australia greater access to and control over their data.
The CDR will come into force for the banking sector from mid-2020 onwards, followed by the energy sector, and probably the telecoms sector after that.

However, we all know that sharing private data does not happen automatically. Our experiences with PSD2 have taught us three important lessons. The first concerns the way data will be shared.
The organizations who store the data will need to provide standardized access to third parties to these data. This would help to avoid fragmentation in the market.

Our experiences with PSD2 thus far have shown that granting third parties access to data is complex. It has resulted in a rather fragmented market for PSD2 services. The tools that facilitate access, Application Programming Interfaces, or APIs, are not yet sufficiently standardized.
This makes it difficult for third parties to offer their services throughout Europe in a scalable way.

I realize that PSD2 is still in an early phase, and that the current fragmentation might merely reflect teething troubles endemic to a rapidly changing financial landscape. That is why I am glad to see there are market initiatives, like the Berlin Group’s NextGenPSD2 initiative, which works towards gradual API standardization. Furthermore, the entrance of so-called “integrators” into the market may curb market fragmentation, by acting as an intermediary between banks and the third parties.

Standardized third party access to data is vital for avoiding fragmentation. It is also vital that this access is efficient and secure. Only then, we will be able to reap the full benefits of open data as a society.

This means that a rule-based approach for data sharing — as is the intention of open banking in the UK— may be preferable to the principle-based approach applied in PSD2. It is also important to consider how we can provide the data storage organizations with adequate incentives to give third parties quick, easy and secure access to their customers' personal data.

According to PSD2, banks may not ask third parties for compensation for data-sharing. The question is whether this zero access price is optimal, given the large investments banks and other data-storing organizations have to make to achieve this. Furthermore, compensation may be needed to cover the costs incurred each time customers grant or revoke third party access to their data, and each time data is shared with a third party. Otherwise, we face the risk that the organizations that store the data won’t have sufficient resources to keep their data sharing infrastructure secure and up-to-date.

Now, I come to the second lesson. It is absolutely necessary that the legislator, regulators and public authorities involved in data sharing seek to engage in dialogue with one another. They should cooperate and coordinate their work when designing future-proof legislation and regulations for data-sharing. They should consider all public interests related to data sharing, as well as different international perspectives.

Let’s start with the international dimension. PSD2 has taught us that when legislation and enforcement are implemented differently across different jurisdictions, it can lead to undesirable situations.

Market players may start shopping around in different jurisdictions for loopholes, or lax enforcement regimes. Via European passporting or by outsourcing cloud services to businesses in other countries, any risks that arise in one country, can spread across the entire EU.

To mitigate these contagion risks, legislators, regulators and public authorities should cooperate as much as possible in drafting legislation and coordinate their work, at international level. The EBA has already taken up a role in this respect. For example, by stimulating convergence in supervision. It is currently also working on guidelines and regulatory technical standards. 

It is also crucial that the different public interests involved with data-sharing, like security, privacy, fair information and concentration risks are all well addressed and balanced against each other. The different interests are sometimes at odds with each other, and since the use of data and data analytics is a relatively new field, there is still little case law on how to best to balance all interests concerned.

As an example, the landmark ruling of the District Court of The Hague last month could have major implications. The Court declared that the so-called risk indication system – SyRi – is unlawful as it violates the right to privacy.

SyRI is a legal instrument that the Dutch government uses to combat fraud in social benefits and taxes. Perpetrator profiles have been drawn up, and data analytics are used to identify people who meet those profiles. These people were then monitored, purely because of their data profile.

In this case, the court weighed two public interests against each other, namely that of economic well-being of society as a whole through monitoring social benefits usage and tax paying behavior,
and that of the right to privacy. According to the court, the SyRI legislation does not meet the "fair balance" that the European Convention on Human Rights, a higher right, requires to be able to speak about a sufficiently justified violation of private life. The Syri legislation was found to be insufficiently transparent and verifiable, and therefore unlawful.

We can all learn a lot from such statements. But prevention is better than cure. In order to achieve that, the legislator, the different regulators and other public authorities who represent different public interests, should enter into dialogue with each other and coordinate their work.
These stakeholders include the central bank, the prudential supervisor and the financial conduct authority in case of financial data sharing as well as the competition authority and the data privacy authority. For data sharing in other fields, other public authorities also need to be involved.

Only if they work together, will it be possible to arrive at adequate legislation that meets all public goals. This is crucial as there are various public interests involved in data-sharing and data usage, such as privacy, fraud and concentration risk. These interests must all be taken into account and carefully weighed up against each other. This can be a challenge, as the Syri-case has shown.

With the evolution of PSD2 to open finance, third parties are provided with access to an increasing amount of sensitive financial data, and the impact of misuse or even abuse increases. Fraud risks need to be mitigated and adequate consumer protection is paramount. Otherwise, people will just refuse to share their data with third parties.

Legislators, regulators and other public authorities involved really must ensure that legislation on data-sharing and data usage by third parties is be future-proof. With strict access regulation, proper controls and adequate guarantees for all parties involved. The European Data Strategy is an important step in this direction.

The third lesson is about trust. Consumers must trust the third parties that want access to their data. If they don’t trust them, they will not give them their data and will not use their services. 

A recent study by De Nederlandsche Bank shows that most Dutch are not willing to share their payments data. Half of them only want to share it with their own bank. One in five is open to data sharing with other banks where they don’t have an account. However, less than 4 per cent are open to data-sharing with non-banks. 

The main reason the Dutch are not so keen on sharing data with these newcomers to the payment market is lack of trust. So it is important that newcomers work on building trust. After all, consumers need to feel secure in the knowledge that their personal banking or other data is in safe hands.

In that respect, it is also crucial that consumers know they are in control over their own data. They need to feel that they are in control. And they should be in control. That is why consumers should easily be able to gain insight into which parties have access to their data. Preferably at the source of their data, their own bank, or another data storing organization.

It is equally important that it is easy and secure for them to give a third party explicit consent to access and use their data. And it should be equally easy for them to revoke this consent whenever they wish. This should preferably be done at the bank or at another organization that stores their data.

So to sum up, I believe we can take full advantage of all the opportunities from data-sharing in the new financial ecosystem. Provided three conditions are fulfilled. First, the financial industry should manage to standardize how third parties can access people’s private financial data.

Second, the legislator, regulators, and other public authorities should design future-proof legislation on data-sharing. In doing so, they must adequately weigh up all the different public interests and international perspectives. And last but not least, we should ensure and let people know that they are in full control over their own data.

If we succeed in that, I can envisage a brave new financial ecosystem, where smart and secure data access and usage will spur innovation and competition. To the benefit of consumers and businesses!