A consistent number of difficulties both for account information service providers (AISPs) and for open banking final users’ come from the process of strong customer authentication (SCA) which is often cumbersome. When the authentication experience being offered by account servicing payment service providers (ASPSPs) is not user friendly, customers have little convenience in using the services offered by AISPs thus resulting also in a high abandon rate of their online operations.
Reducing friction for customers, bringing further harmonization in the application of this exemption, and working for increasing standardization of SCA processes is paramount for developing user-friendly and innovative services for the whole ecosystem.
Consequently, ACCIS welcomes the focus that the EBA has placed on seeking to address the widespread concerns about the practicability of the current requirements around SCA, both in terms of the exemption for AISPs and further improvements of the SCA process itself. As per the last point, even considering the remarks in section 3.2 §§18,19,20 (page 8) of the Consultation Paper- we believe that the reforms as currently proposed do not go far enough in addressing the challenges faced by Third Party Providers (TPPs) as explained below.
ACCIS welcomes the focus that the EBA has placed on seeking to address the widespread concerns about the practicability of the current requirements around re-authentication at 90 days and supports the idea of the change that has been proposed to extend the renewal timeline to 180 days. In fact, we could support an even longer re-authentication window i.e., beyond 180 days, to enhance final users’ experience and to boost open banking services, as intended by the revised Payment Services Directive (EU) 2015/2366 (PSD2).
However, we believe that the reforms as currently proposed do not go far enough in addressing the challenges faced by TPPs. We would like to suggest two additional recommendations:
1. Centralising the full SCA process not with the ASPSP, which is detrimental to the consumer, but with the TPPs who are providing the service being used. In this manner, the TPP will ensure that consumers have a single point of contact and will aid the consumer in not having to revert to each lender to reconsent for the data sharing continuation at the 180-day point.
2. Further standardization of SCA procedures. Common SCA practices should foster a level playing field among all TPPs, which would ultimately lead to increased expansion of account information services and enhanced consumers’ experiences.
For PSD2 to be a wholesale success and achieve the original stated aims of ensuring healthy competition within the financial services sector, stimulating fintech growth and ensuring propositions that can develop consumer-centric products, we need to continually put ourselves in the position of the consumer and understand the current journey that they face when engaging with these services. Unless we come to that point of understanding, it will be a continual process of small adjustment that will have a limited impact on the consumers’ ability to seek the best TPP services, to switch and compare. This has significance not just for the provision of financial services, but also other products and services in areas such as the public sector, property, retail, telecoms, and utilities as more of these industries start to embrace Open Banking.
ACCIS members that have obtained a license as AISPs do currently have to take several additional steps to the connection of the customer’s financial accounts, which can make the process overly cumbersome and requires more additional steps for authentication and explicit consent than a standard consumer banking journey. According to our members, this has been a key factor in why consumers are not engaging with the process. Data shows that the more steps introduced for the consumer, the more risk that they will drop out of the journey.
Whilst ACCIS members report that consumers are highly motivated by the opportunities that Open Banking offer, they have already seen that the strong customer authentication required every 3 months results in customers (even those who clearly intend to reconsent) dropping out of this kind of service.
Removing the need for individual lender authentication and the need for consumers to re-consent with each lender is a fundamentally positive step in aiding with the process of streamlining the consumer journey using the PSD2. Consolidation to the point of the TPP will ease the friction for the consumer and uptake in the service provision around open banking, which in turn will aid with the ultimate goal of increasing switching, competition and stimulating new market entrance.
ACCIS believes that the current timeframe being proposed is simply too long – the impact of having to wait until Q4 2022 as currently envisaged by the EBA to be able to extend the timeline for the renewal of SCA to 180 days will be the death knell for many fintech TPP providers.
The impact of the attrition via the current consumer journey is making PSD2 enabled propositions unviable in the current marketplace. Some of our members report that the 90-day need for reauthentication and full explicit re-consent is resulting in an important drop in the consumer base using their services.
We think that the changes which would need to be made to remove the regulatory barriers to market growth in the open banking space by removing the 90-day requirement could be implemented in 2-3 months maximum. These are innovative data market players who do not have the issues that the EBA has traditionally seen in their regulatory markets such as legacy systems or slow-paced change. The TPP market is well placed to adjust in an agile manner to this change, and as such protracting the time frame for full implementation and going live beyond Winter 2021=2 would be a delay too far and result in the direct failure of fintech – at a time of regrowth and Government focus on the need to stimulate this industry.
We would also like to see the start of the process for consideration of the future regulatory framework under the revision of PSD2 commence ahead of the set regulatory framework of 2023. This again would lead to no practicable change until 2025 at the earliest, a timeframe which is far too slow to manage the process of agile change sought to be achieved under the EBA, European Commission and wider European community.