Legal Perspective of the Open Banking and Banking as a Service (BaaS) under EU and UK Laws
María Victoria Díaz Pérez
A. Introduction
Given the surge in new banking and fintech business models emerging in the EU and UK, and given that they have become an integral part of the financial ecosystem, EU and UK regulators aim to help these businesses implement technological developments and regulatory initiatives that reduce entry barriers for new services and providers, and to establish whether they need to be separately authorized or registered to provide banking and financial services in the EU and UK.
The opening up of the market brought Open Banking, Banking as a Service and other payment service options to third-party service providers, so regulators implemented a set of regulations that state all the requirements and procedures for doing so through secure online channels and with strict security requirements, in order to reduce the risk of fraud or other abuses.
This memorandum shall cover a legal analysis of the Open Banking and Banking as a Service (BaaS) under EU and UK Laws and regulations.
B. Legal Analysis
1. General Background
As a first step, it is necessary to define some key concepts and the differences between Open Banking, Banking as a Service and Digital Banking.
Open Banking often refers to the way banks can share or grant access to a customer’s data or financial information to third-party service providers (“TPPs”), upon the request and authorization of the data owner, using Application Programming Interfaces (“APIs”). Thus, the data owner will be able to have, in a single system, all their banking and financial data, even when the data come from different banking entities, which allows them to have a broader view of their finances and reach a wider range of financial products and services.
On the other hand, Banking as a Service (“BaaS”) allows banks to open their infrastructure to TPPs through APIs in order to perform standard banking operations on behalf of their customers. In this sense, TPPs, also known as “interface developers”, can provide new products and services to their customers and digital banking services, such as mobile bank accounts, debit cards, loans and other payment services, without needing to acquire a banking license of their own.
Digital Banking means the way through which a customer can access the banking platform and its features, whether through the bank’s website from a computer or through an app on a mobile device. In many countries digital banks are required to obtain a license from the regulatory body and, in particular, such licenses are often limited to serving consumer clients (SME clients may also be permitted).
2. EU and UK Laws Perspective
2.1. EU Law Perspective
On January 13, 2018, the EU’s Second Payment Services Directive (“PSD2”) came into effect for the EU countries. The PSD2 provides the legal scope and development for electronic payments within the EU, bringing innovation for existing and new providers of payment services. Although the PSD2 does not explicitly mention the term “Open Banking”, the regulation includes the Account Information Services. These services are probably the most common use of Open Banking currently available.
According to the Account Information Services, a Payment Service User (“PSU”)[1] can have an overview of their financial situation at any time, through an online service that provides consolidated information and an overall view of the customer’s financial situation on one or more payment accounts held by the PSU with one or more Payment Service Providers (“PSP”), via online interfaces, such as APIs, of the Account Servicing Payment Service Provider (“ASPSP”)[2], which is often a banking institution.
Article 67.4 of the PSD2 states that Account Information Services shall not be dependent on the existence of a contractual relationship between the Account Information Service Provider (“AISP”) and the ASPSP for that purpose.
Additionally, the opening up of the EU market also included another payment service called “Payment Initiation Services”. These payment services play a part in e-commerce payments by establishing a software bridge between the website of the merchant and the online banking platform of the payer’s ASPSP in order to initiate online payments and be able to provide banking and financial services. Although BaaS is likewise not mentioned explicitly, Payment Initiation Services are executed using BaaS.
In the light of Preamble 49 of the PSD2, it is essential for any PSP to be able to access the services of the technical infrastructures of payment systems. Such access should, however, be subject to appropriate requirements in order to ensure the integrity and stability of those systems. Thus, any PSP competing in the internal market is able to use the services of the technical infrastructures of those payment systems under the same conditions and in a non-discriminatory way.
Both Account Information Services and Payment Initiation Services are considered “Payment Services”, thus both are provided by a PSP. Apart from the provision of payment services, Payment Institutions should be entitled to engage in the following activities: (i) provision of operational and closely related ancillary services, such as ensuring the execution of payment transactions, foreign exchange services, safekeeping activities, and the storage and processing of data; (ii) operation of payment systems; and (iii) business activities other than payment services[3].
Payment Institutions can also grant credit relating to payment services only when the following conditions are met: (i) the credit shall be ancillary and granted exclusively in connection with the execution of a payment transaction; (ii) the credit granted shall be repaid within a short period, which shall in no case exceed 12 months; (iii) such credit shall not be granted from the funds received or held for the purpose of executing a payment transaction; (iv) the own funds of the payment institution shall at all times, and to the satisfaction of the supervisory authorities, be appropriate in view of the overall amount of credit granted[4].
The PSD2 states that a PSP “means a body referred to in Article 1(1) or a natural person benefiting from an exemption pursuant to Article 32 or 33”. In this sense, the categories of PSP are: (i) credit institutions; (ii) electronic money institutions; (iii) post office giro institutions; (iv) payment institutions; and (v) the ECB and central banks.
Article 33 states that a natural or legal person that only provides Account Information Services shall be treated as a “Payment Institution”, which means “a legal person that has been granted authorization in accordance with Article 11 to provide and execute payment services throughout the Union”[5].
However, even though the services provided by “technical service providers” are excluded from the scope of the PSD2, when the services provided are Payment Initiation Services or Account Information Services that exclusion does not apply and the PSD2 becomes applicable.[6]
In this regard, to become a PSP, an application for authorization must be submitted to the competent authorities of the home Member State, together with the following documents, depending on the payment service to be provided: (i) a programme of operations setting out the type of payment services envisaged; (ii) a business plan including a forecast budget calculation; (iii) a description of the governance arrangements and internal control mechanisms; (iv) a description of the process in place to file, monitor and restrict access to sensitive data; (v) security policy documents, among others[7].
Additionally, Member States shall require undertakings that apply for authorization (or, where applicable, registration) to provide Payment Initiation Services and Account Information Services to hold professional indemnity insurance, covering the territories in which they offer services, or some other comparable guarantee against their liability[8]. The decision to grant or refuse the authorization request shall be communicated to the applicant within 3 months of receipt of the application[9].
Although Fintech companies are not specifically included as a PSP in the terms of the PSD2, these companies can submit an authorization application before the competent authority to provide payment services and other related activities, and hence become a Payment Institution and provide and execute payments, particularly Open Banking and banking services using a BaaS platform throughout the EU.
Article 97 of the PSD2 states that Member States shall ensure that a PSP applies Strong Customer Authentication (“SCA”)[10] where the payer: (i) accesses its payment account online; (ii) initiates an electronic payment transaction; or (iii) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. This authentication is intended to protect the confidentiality of personal, financial and sensitive data and avoid data breaches.
Article 67.2 of the PSD2 establishes the rules on access to and use of Account Information Services, according to which the AISP shall: (i) provide services only with the PSU’s explicit consent; (ii) use efficient and safe channels to ensure that the personalized security credentials are not accessible to other parties; (iii) for each communication, identify itself towards the PSP and the PSU; (iv) not request sensitive payment data linked to payment accounts; (v) not use, access or store any data for purposes other than the explicitly requested services.
The PSD2 also provides strict security requirements for electronic payments and the protection of consumers’ financial data, guaranteeing safe authentication in order to reduce the risk of fraud. Thus, Member States shall permit the processing of personal data by payment systems and PSPs when necessary to safeguard the prevention, investigation and detection of payment fraud[11].
2.2. UK Law Perspective
Due to the withdrawal of the UK from the European Union on February 1st, 2020, and once the transition period ended on December 31, 2020, the UK is considered a “Third State” and EU law is no longer applicable. Specifically, according to the Notice to Stakeholders issued on July 7, 2020, the EU rules in the field of banking and payment services no longer apply to the UK and only domestic UK law is applicable.
However, the PSD2 was implemented into UK national law prior to the UK’s exit from the EU, primarily through the UK Payment Services Regulations 2017 (“PSR”). Additionally, the PSD2 has been “onshored” following Brexit into UK law by the Technical Standards on Strong Customer Authentication and Common and Secure Methods of Communication Instrument 2020 made by the FCA (“SCA-RTS”).
The Financial Conduct Authority (“FCA”), the UK’s principal regulator for banking and financial services, has proposed some amendments to the EU regulations in order to increase the adoption of Open Banking and BaaS services and meet the needs of the UK internal market. Accordingly, the vast majority of financial services and authorization procedures in the UK are established in the Financial Services Act 2021 (“FSA”) and under the PSR, which was amended in 2020.[12]
According to the Consultation Paper CP21/3 issued by the FCA in January 2021, the key changes made to the SCA-RTS to support competition and innovation in the payments and e-money sector are: (i) adding a new SCA exemption so that customers do not need to re-authenticate every 90 days when accessing account information through an AISP; (ii) mandating the use of dedicated interfaces, such as APIs; and (iii) increasing the single and cumulative transaction thresholds for contactless payments[13].
In general terms, the services provided and the activities executed by TPPs regarding Open Banking, BaaS and other payment services established under EU law have not changed under the amendments made by the FCA and the UK competent authorities under UK law; the payment regimes remain closely aligned. The changes will allow the UK to continue accessing customer data and initiating payments through alternatives suited to the current UK internal market.
The PSR state that Payment Services can be provided by: (i) an authorized payment institution; (ii) a small payment institution; (iii) a registered AISP; (iv) a credit institution; (v) an electronic money institution; (vi) Post Office Limited. Additionally, the FCA states that its statements will primarily be of interest to all PSPs, including: (i) banks; (ii) building societies; (iii) e-money issuers; (iv) PISPs, and will also be of interest to consumer bodies and relevant trade bodies, retailers, consumers, micro-enterprises and those involved in Open Banking and BaaS initiatives.
Therefore, PSPs must submit an application for authorization to the FCA. The application for authorization as a payment institution, as in the EU, must contain or be accompanied by the following information and documents: (i) a programme of operations setting out the type of payment services envisaged; (ii) a business plan including a forecast budget calculation; (iii) a description of the governance arrangements and internal control mechanisms; (iv) a description of the process in place to file, monitor and restrict access to sensitive data; (v) security policy documents, among others, which will depend on the payment service provided.[14]
Although Fintech companies are also not specifically included as a PSP in the terms of the PSR, these companies can submit an authorization application before the FCA to provide payment services and other related activities in order to become a Payment Institution and be able to provide and execute payments, particularly Open Banking and banking and financial services using a BaaS platform.
The Regulation establishes that a PSP must not access, process or retain any personal data for the provision of payment services unless it has the explicit consent of the payment service user to do so.
The SCA-RTS also set out the requirements PSPs must comply with when implementing security measures: (i) apply SCA; (ii) protect the confidentiality and integrity of the user’s personalized security credentials; (iii) establish common and secure standards for communication between the parties involved in the operation and use of payment services. Like EU law, UK law provides strict security requirements for electronic payments and the protection of consumers’ financial data, guaranteeing safe authentication in order to reduce the risk of fraud.
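To make the SCA rules in sections 2.1 and 2.2 concrete, the following added example (not part of the memorandum, and not any regulator's reference code) models the Article 97 triggers, the Article 4(30) definition of SCA quoted in footnote [10], and the CP21/3 change to the 90-day re-authentication for AISP access as a small policy checker. The 90-day EU window, the treatment of distinct delivery channels as "independence", and the action names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Factor categories named in Article 4(30) PSD2 (footnote [10] of the memo).
VALID_CATEGORIES = {"knowledge", "possession", "inherence"}

# Actions for which Article 97 PSD2 requires SCA (section 2.1 of the memo).
SCA_ACTIONS = {"access_account_online", "initiate_electronic_payment", "risky_remote_action"}

# Assumed re-authentication window for AISP access under the EU regime; the UK
# CP21/3 change described in section 2.2 removes this periodic re-authentication.
EU_AIS_REAUTH_DAYS = 90


@dataclass(frozen=True)
class Factor:
    """One authentication element presented by the payer (constructed model)."""
    category: str          # "knowledge", "possession" or "inherence"
    channel: str           # path that delivered it, e.g. "browser" or "phone-app"
    verified: bool = True  # whether the PSP actually validated it


def satisfies_sca(factors: Iterable[Factor]) -> bool:
    """Article 4(30): two or more verified elements from distinct categories that
    are independent, so that the breach of one does not compromise the others.
    Independence is modelled here (assumption) as distinct delivery channels: a
    password and a one-time code both read in the same browser session share one
    compromise path, so they do not count as independent."""
    ok = [f for f in factors if f.verified and f.category in VALID_CATEGORIES]
    return len({f.category for f in ok}) >= 2 and len({f.channel for f in ok}) >= 2


def sca_required(action: str, regime: str, via_aisp: bool = False,
                 days_since_last_sca: Optional[int] = None) -> bool:
    """Decide whether SCA must be applied before `action` is allowed.
    regime is "EU" (PSD2 and its RTS) or "UK" (SCA-RTS after CP21/3)."""
    if action not in SCA_ACTIONS:
        return False
    if action == "access_account_online" and via_aisp:
        if days_since_last_sca is None:
            return True   # first access through the AISP: SCA is always applied
        if regime == "UK":
            return False  # CP21/3 exemption: no 90-day re-authentication for AISP access
        return days_since_last_sca >= EU_AIS_REAUTH_DAYS
    return True           # payments and other risky remote actions always need SCA


def authorize(action: str, regime: str, factors: Iterable[Factor], via_aisp: bool = False,
              days_since_last_sca: Optional[int] = None) -> Tuple[bool, str]:
    """Combine the trigger rule and the factor rule into one decision plus a
    reason string suitable for an audit log entry."""
    if not sca_required(action, regime, via_aisp, days_since_last_sca):
        return True, "sca-not-required"
    if satisfies_sca(factors):
        return True, "sca-satisfied"
    return False, "sca-required-but-not-satisfied"


if __name__ == "__main__":
    # Constructed sample: an AISP data refresh 120 days after the last SCA,
    # with only a password presented, evaluated under both regimes.
    pw_only = [Factor("knowledge", "browser")]
    for regime in ("EU", "UK"):
        print(regime, authorize("access_account_online", regime, pw_only,
                                via_aisp=True, days_since_last_sca=120))
```

The same refresh is refused under the EU model (re-authentication due, single factor) and allowed under the UK model, which is exactly the divergence CP21/3 introduces.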
3. Open Banking and BaaS Samples in EU and UK Practice
On the UK side, UK regulators and policy makers have undertaken a variety of initiatives and projects to understand the implications of technology in financial services in order to raise the UK’s status as a global hub in the face of the Brexit challenges. The FCA has established the Innovation Hub and the Regulatory Sandbox to support innovation in the interests of consumers (e.g. the “Fintech Strategic Review”, often referred to as the “Kalifa Review”).
Currently in the UK there are many companies that provide Open Banking, BaaS and banking and financial services, such as Revolut, Atom, Iwoca, Paymentsense, Molo Finance, MarketFinance, Capital on Tap and Tandem, among others. Some of the services provided are digital banking services, savings accounts, mortgages and mortgage lending, business loans, short-term loans, virtual payment methods, business credit cards and credit.
Regarding the EU countries, it is important to highlight the following cases:
- Denmark: put together a Fintech task force aimed at ensuring that Fintech initiatives receive appropriate guidance as to the type of license required;
- France: has created a task force offering a single point of entry for Fintech start-ups to facilitate a simplified licensing process, and has also created an “ACPR-FinTech Innovation Pole” that welcomes innovative project initiators;
- Italy: promoted innovative entrepreneurship, applying generally to so-called “innovative” start-up companies and including incentive measures to support these companies; and
- Spain: the CNMV launched a new Fintech and innovation portal on its website in order to create an informal forum for exchanging information on Fintech initiatives.
Additionally, Visa has a program called the “Fintech Fast Track Program”. Within this program, Visa signed a regional partnership with Rappi (a delivery app company), according to which customers can apply for a Visa card (debit, credit and prepaid cards) directly through the Rappi app across Latin American markets. The card is delivered within 30 minutes by a Rappi courier and is activated with a QR code. With this partnership Rappi is able to make payments more convenient for customers and the merchants they work with.
Visa is also currently working with companies and Fintech leaders around the world, providing solutions regarding i) digital wallets; ii) digital banking; iii) B2B payments; iv) “Buy Now, Pay Later”; v) payments infrastructure; vi) person-to-person payments; and vii) financial inclusion, among others.
C. Conclusion
- PSPs must request authorization from the competent authority of the Member State for the EU countries and from the FCA for the UK. The application must be submitted with the documents and information requested, depending on the type of services provided.
- PSPs can be: (i) credit institutions; (ii) electronic money institutions; (iii) post office giro institutions; (iv) payment institutions; (v) small payment institutions; (vi) registered AISPs. In this sense, Fintech and non-bank businesses may provide their customers with Open Banking services and banking and financial services, such as credit, bank accounts, debit cards, lending, short-term loans, mortgages, payment services and other banking and financial services using BaaS.
- EU and UK laws provide strict security requirements for electronic payments and the protection of consumers’ banking and financial data, guaranteeing safe authentication in order to reduce the risk of fraud, requiring the explicit consent of the data owner for using, storing and managing their personal and sensitive data, and requiring SCA, an extra level of security that ensures confidentiality and reduces the risk of data breaches.
- Given the innovative projects and initiatives for Fintech companies in the EU and UK, regulators are very likely to support and allow the entry of new service providers into the market, granting the authorization and registration needed to successfully execute the operations and services requested, and any other initiatives that can boost and open up the banking and financial market.
[1] PSU means “a natural or legal person making use of a payment service in the capacity of payer, payee, or both” (Article 4(10), PSD2).
[2] ASPSP means “a payment service provider providing and maintaining a payment account for a payer” (Article 4(17), PSD2).
[3] Article 18.1, PSD2.
[4] Article 18.4, PSD2.
[5] Article 4(4), PSD2.
[6] Article 3(j), PSD2.
[7] E.g., a natural or legal person providing only Account Information Services shall be exempt from the procedure and conditions set out in Sections 1 and 2, with the exception of points (a), (b), (e) to (h), (j), (n), (p) and (q) of Article 5(1) and Article 5(3), as well as Articles 14 and 15. Section 3 shall apply with the exception of Article 23(3). Titles III and IV shall also not apply to them, with the exception of Articles 41, 45 and 52, where applicable, and of Articles 67, 69, 95 and 98.
[8] Article 5.2 and 5.3, PSD2.
[9] Article 12, PSD2.
[10] SCA is defined as authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data (Article 4(30), PSD2).
[11] Article 94, PSD2.
[12] The Payment Services and Electronic Money (Amendment) Regulations 2020 No. 1275.
[13] Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual, Consultation Paper CP21/3, issued by the FCA in January 2021.
[14] Schedule 2, PSR.
This document is issued by Erendac Legal Consultancy & Attorney and all rights are reserved.
© 2021