Qvik CEO Tuominen: “PSD2 legislation late across the board”
The Finnish Financial Supervisory Authority (FIN-FSA) published its guidelines for the PSD2 transition period only a few days before the directive’s entry into force. The verdict was that screen scraping will not be allowed, which may be understandable from the point of view of consumer protection, but may create hurdles for innovation.
Last week’s hot topic in the Finnish PSD2 scene was screen scraping: a method in which an online service captures the online banking codes you enter and then logs into the online bank as you. This means that, even if you only authorized an online shop to charge your account, it would gain access to your loan and insurance information while at it. In Finland, the use of screen scraping is restricted by the Payment Services Act, which requires compliance with the terms and conditions of banks – and such terms and conditions universally limit the use of online banking codes to the bank’s own services.
Improving consumer protection in digital commerce was one of the main goals of PSD2, and FIN-FSA’s decision is in line with this objective. The ruling is also in alignment with the principles of the General Data Protection Regulation (GDPR), which will enter into force in May.
“The risk of data abuse is greater with screen scraping”, says Qvik CEO Lari Tuominen. “Instead of handing out all data to a third party, PSD2 demands that the APIs opened by banks only allow access to specific data, such as account details and payments.”
Some EU countries do allow screen scraping, however. In Sweden, for example, the method is legal, which puts the Finnish and Swedish financial technology (fintech) industries in an unequal position. In countries that permit the technique, fintech companies have wider access to the data of their customers and can thus offer more personalized and comprehensive services. The decision also puts the competitors of traditional banks on the back foot. In Finland, companies such as Ferratum have expressed their disappointment with FIN-FSA’s policy.
“One of the goals of PSD2 was to increase innovation in the European payment and finance sectors”, Tuominen says. “When the directive is applied differently by individual states, it defeats the original idea of a level playing field.”
The inequality will only last for the transition period, which runs until September 2019, when all banks must have their PSD2-compliant APIs online and screen scraping will be banned everywhere in the EU.
FIN-FSA’s ruling came extremely late and hinders product development
FIN-FSA only formulated its position on practices during the PSD2 transition period a couple of days before the start of the period. Nor was this the only matter on which its rulings have been late in coming. Clearer statements are called for from both the European Commission and Finnish legislators.
“The implementation of this field of legislation has been late across the board, which considerably hampers the work of product developers”, Tuominen says. “The practical implementation of the act is not prepared well enough. Now, product developers face a huge number of questions when designing services, and it’s frustrating when no one is prepared or able to give clear answers.”
The EU, too, needs to shoulder its share of the blame for the poor flow of information. Because the EU left the regulation open to interpretation, individual states have to try and plug the gaps with their own legislation.
No impact on fintech if banks do not drag their feet
More relevant than the length of the transition period is the willingness and enthusiasm of banks to implement PSD2. The Finnish banking sector is technically advanced and partly prepared for the new legislation, so the times may not get so tough for fintech after all. If the banks open their APIs quickly, the screen scraping ban will not retard the development of Finnish fintech.
“Banks like Nordea and OP have opened APIs even before they had to”, Tuominen says. “It is more profitable for banks to approach the new legislation from the innovation angle. If they take this attitude, APIs will be open even before the transition period runs out.”
Even though the 18-month period of transition may feel long, it will be sorely needed to address some fundamental unresolved questions involving, for example, uniform security specifications and authentication. The transition period also cuts banks a little slack to test and build their own services in preparation for increased competition.