European Banks Forced to Open the (Data) Vault
The castle walls are about to come down.
For years, European banks have been self-contained fortresses that plied their customers with everything from checking accounts to credit cards to mortgages, while stockpiling terabytes of data on their spending habits. Now these institutions are about to open up like never before as lawmakers seek to foster competition.
Starting in January, lenders in the European Union will have to provide rival firms with access to their customers’ accounts and data, as long as clients give their permission. Under the revised Payment Services Directive, known as PSD2, the banks will also be obliged to build digital links with outside firms to speed the flow of information.
Traditional lenders are chafing at sharing with the very financial technology startups that want to poach their customers, setting the stage for skirmishes as the banking industry and regulators hammer out the technical details that will control how data flows between the parties. The law, which stands to benefit consumer-data juggernauts like Amazon.com Inc. and Apple Inc. as well as fintech upstarts, may put as much as 40 percent of the European retail banking industry’s income in play, according to a report from Roland Berger, a Munich-based consulting firm.
“There is no doubt that bank revenues will be hit by PSD2,” said Antony Jenkins, the former chief executive officer of Barclays Plc who leads a fintech startup in London called 10X Future Technologies. “For all the effort they’ve invested in upgrading their technology, banks are just not moving fast enough.”
Five years in the making, PSD2 catches an industry in flux. An explosion of apps now offers consumers myriad ways to pay bills and manage their money, even as many banks, burdened with aging technology and hidebound corporate cultures, struggle to adapt to the changing demands of their customers. While the European Banking Federation, an umbrella group representing 32 national lending associations, publicly supports the law, industry leaders grouse that opening their systems to outsiders may be dangerous.
‘Hackers and Thieves’
“We are not confident that our customers’ data will be protected from hackers and thieves,” said Howard Davies, the chairman of Royal Bank of Scotland Group Plc, on the sidelines of a conference in Washington. “We cannot refuse to hand over data because that’s what the legislation says, but we will have to try to educate people to understand the vulnerability that they will then have.”
Banking chiefs also say PSD2 is imposing burdensome costs at a time when historically low interest rates are squeezing profits and they’re coping with other regulatory requirements like MiFID II, an EU law that will change how banks charge for analyst research.
But in an era when digital connectivity is upending finance, EU policymakers want to modernize and unify the electronic payment systems that crisscross the bloc. They also want to provide consumers with transparency, more choices and lower costs for banking services. PSD2 establishes that account-holders’ financial data belongs to them, not their lender, and that customers can share their information with whatever qualified company they choose.
Rather than providing one-stop shopping, banks may have to become more like malls hosting a variety of apps and services. That’s a new reality for an industry that’s long deemed its customers and their financial data proprietary assets.
“The banks had all the advantages,” said Michael McKee, a lawyer at DLA Piper in London who specializes in European financial regulation. “The law is designed to challenge the banks’ position and massively increase competition.”
Before PSD2 can usher in this brave new world, the banking regulators in each of the EU’s 28 member states must create standards defining precisely how financial firms should share—and secure—data. To do so, they have to set up “application programming interfaces,” or APIs, that will enable tech firms to plug their programs into the lenders’ systems.
That’s led to friction between banks and fintech firms in the committees that are drafting these rules across the bloc. Entrepreneurs are wary that some industry groups may seek to adopt such onerous requirements that they will effectively block access to accounts.
Earlier this month, European Commission antitrust officials conducted surprise inspections of the Polish Bank Association, the Dutch Payments Association, and the Dutch Banking Association to investigate whether they’re unlawfully preventing rivals from accessing account-holders’ data, even though the customers have given their consent.
“PSD2 is the door opener and that’s why many traditional players are trying really hard to prevent it from happening,” said Roland Folz, the CEO of solarisBank, a Berlin-based startup that makes software for lenders and fintechs. “Traditional banks still want to turn the wheels backward.”
There are other hurdles, too. As part of the rule-making process under PSD2, the European Banking Authority directed lenders to share account balances with outside firms just four times a day, not hourly as fintech firms requested. And the commission proposed banks be permitted to set up “fallback” means of providing access to accounts should they not offer APIs with the reliability called for in the law.
The EBA disagreed with this proposal. Dirk Haubrich, the watchdog’s head of financial innovation, consumer protection, and payments, said backup systems wouldn’t necessarily be more dependable. The measure may allow banks to avoid setting up industry-wide APIs at all, leaving fintechs struggling to adapt to a hodge-podge of systems.
“This fallback option undermines PSD2 by favoring established players instead of opening the market,” Haubrich said in an interview. “The proposal has no major benefits for the many firms that are keen to enter the market, but many disadvantages.”
Even as regulators iron out such details, banking leaders would be shortsighted to embrace loopholes instead of the innovations reshaping their industry, said Oliver Bussmann, the former chief information officer of UBS Group AG, who now runs his own consulting firm in Zurich. With apps already enabling consumers to make payments more quickly and cheaply than traditional banks, the market is moving ahead of lawmakers in Brussels.
Account holders at HSBC Holdings Plc, for instance, can use a payment card from British digital bank Monzo to settle their dinner bills at restaurants in Majorca or Paris with no fuss. And a Hamburg-based firm called Deposit Solutions GmbH has partnered with Deutsche Bank AG and other lenders to offer savers a way to shop around different jurisdictions for higher interest rates with just a few mouse-clicks.
Under PSD2, collaboration will no longer be optional. Ultimately, consumer banks may have to cross-sell products created by others, not just themselves. “The relationships banks have with their customers are loosening,” said Bussmann.
Yet this doesn’t have to be a dismal moment for traditional lenders. With their well-known brands and long-term relationships, banks are well positioned to make sense of this chaotic marketplace. There’s no reason why they can’t be the ones who bring together numerous players and their accounts under one roof and reap fees by orchestrating their services for their customers. They just need to learn how to share.
They’d best not dally. Apple, Amazon, and Alipay, the payment powerhouse owned by Jack Ma’s Ant Financial, can chase this “aggregation” strategy themselves.
“This is a pivotal moment,” said 10X’s Jenkins. “Banks should use PSD2 to aggregate all of their customers’ financial relationships in one place. There is a possibility of others doing that to them.”
— With assistance by Marta Waldoch, and Stephen Morris