The questions every bank needs to ask to when dealing with third-party providers
When a consumer sets out to choose a bank account, they must answer two basic questions. Firstly, before handing over any money they need to ensure that the bank is genuine. After all, you wouldn’t trust your savings to an organisation if there was any chance it was not what it claimed to be.
Secondly, a prospective customer must establish that the bank is properly regulated, because storing your money in an account that exists outside of the protective boundaries of the law is clearly a bad idea. Once these questions around identity and regulation are answered, the consumer has established a basic level of confidence in the bank and can proceed accordingly.
Two similar questions must be asked carefully and often in Open Banking, a sector in which newly regulated Fintech companies use application programming interfaces (APIs) to access customer account information from financial institutions. The enablers of Open Banking are called Third Party Providers (TPPs) – organisations authorised to provide new payment and information services to a bank’s customers.
TPPs enable the transaction flow between data holders, which are typically banks, and data recipients, which can be a Fintech or another bank acting as a TPP. The services TPPs provide offer competitive benefits and new innovative products and services. But as well as advantages, there are risks involved in this collaboration. Just like a consumer choosing a bank, financial institutions need to have total confidence in the identity of a TPP as well as its regulatory status. Finding a straightforward, reliable way to perform the checks to verify these two aspects of a TPP is therefore imperative for any Open Banking organisation that works with third parties in the UK and EEA.
Understanding TPPs
Under the EU’s Payment Services Directive (PSD2), banks must open their data to third parties. In the UK, Open Banking legislation requires financial institutions to offer similar access, but also present their data in a standardised format. TPPs can take advantage of this right to access data in several different ways. They can be registered as Account Information Service Providers (AISPs) that aggregate online account information, or Payment Initiation Service Providers (PISPs), which enable customers to pay directly from their bank accounts – or both. TPPs can also be registered as AISPs that are authorised to gain access to an account to offer its holder new ways of managing their funds. Additionally, they may be certified as PISPs, which enable customers to pay directly from their bank accounts, or also fulfil both these roles.
For banks and financial service providers, the stakes are high when allowing TPPs to access their customers’ financial information. Just one mistake could end in disaster and the bank would get the blame. If, for example, it emerged that a TPP was accessing customers’ accounts yet was not authorised to perform the exact services it was carrying out, customers could lose confidence in the bank itself, causing major reputational and financial damage. Negative publicity could also damage the wider Open Banking movement, which depends on security and trust.
TPP or not TPP?
We’ve established that banks and other financial institutions need to know who they are dealing with when opening up their data to third parties. With this in mind, two security checks must be carried out when working with a TPP. The first is Strong Customer Authentication, which involves the account holder proving who they are. The second is TPP identity verification and authorisation.
In the UK and EU, a TPP can be identified by its eIDAS certificate. This acronym stands for “electronic identification and trust services” and refers to an EU regulation on identification for electronic transactions within the single market. eIDAS certificates are used to identify TPPs as well as Account Servicing Payment Service Providers (ASPSPs) – the name for financial institutions that offer payment accounts with online access.
Although it is relatively straightforward to identify TPPs, establishing whether they are regulated to perform the service in the location of a transaction at the time of the request is much more difficult. Nonetheless, both of these checks must be performed together. An eIDAS certificate only tells part of the story because it does not show which services a TPP is regulated to perform in every country in which it is authorised to operate. This information can only be found by burying deep into more than 100 separate data sources across Europe. Regulatory status is also constantly changing, meaning that a TPP could be regulated to perform a given function one week, but is unable to do so the next because its license has been withdrawn or it has changed roles, for instance ceasing to operate as an AISP and instead offering Payment Initiation Services.
To illustrate this problem, imagine a car that is driven out of the garage after passing an MOT inspection and then immediately crashes into a brick wall at 70 miles per hour. If this vehicle was being sold online, the purchaser could inspect its paperwork or pictures taken before the accident and might assume it was still worth buying. It still has a valid MOT, after all, so why wouldn’t it be roadworthy? Unless they take the time to physically inspect the vehicle, it would appear as if nothing was wrong. Yet a lot can change in a short space of time, meaning a car that was once roadworthy can be written off in an instant, and the evidence which “proves” the car is worth buying can quickly become out of date.
The same can happen with TPPs, which can have their regulated ability to perform certain functions in given territories removed at any time. Banks must be sure to monitor many different data sources when making decisions about which TPPs are allowed to access the data they hold. Even if a TPP looks to be regulated from the information given in its eIDAS certificate, further checks must always be carried out to check its current authorisation status.
Cross-Border Confidence
Open Banking is a borderless industry, with Fintech pioneers in one territory providing services to customers in another EEA member state. The transactional nature of this sector is of huge benefit when it comes to innovation, because it allows new players from around the world to add their ideas to a global melting pot, the best of which will rise to the top and hopefully enrich the entire financial industry. Yet with this great possibility comes great risk.
Konsentus’ research from Q3 of 2021 revealed that 21 new TPPs were approved to provide services across the EU and UK between 1st July and 30th September, bringing the total to 518. However, this number doesn’t include the seven TPPs whose licence was withdrawn: three in the Netherlands and four in the UK. Open banking transaction volumes are rising across the EEA, with around 30% of these transactions now taking place across borders. More than half of all EEA TPPs can passport their services outside their home nation. At the end of September 2021, over a quarter of TPPs had different domestic and cross border permissions.
This reinforces the point that a TPP may be authorised to make a payment on an account holder’s behalf in one European country, but not in another. Getting this wrong could cause banks major problems, resulting in sanctions from their own regulators or even drawing negative press attention.
To keep abreast of the ever-changing web of regulations and minimise exposure to open banking fraud, banks and other financial institutions need a reliable way of assessing data sources from around the EEA and UK. Realistically, this requires the services of a third-party company that has the technology in place to provide the always-on, real-time regulatory status of TPPs, as it is close to impossible for most organisations to monitor more than 100 data sources from multiple countries.
This is where Regtech companies must step in. Innovators in this space can identify and verify TPPs in real-time, therefore allowing financial service providers to have total trust in the third parties they deal with. Organisations involved in open banking must seek out partners capable of deciphering the complex web of regulations across Europe. Only then will they get the confidence boost that’s needed to drive this sector forward.