New regulations in the European Union (EU) concerning payments and financial data access are laying the groundwork for open finance.

Though these initiatives aim to foster innovation and improve customer experiences in the financial services sector, they may also pose complex and costly implementation challenges to the sector, according to a note by the Institute of International Finance (IIF) released on May 22, 2024.

The note, released on May 22, examines the recent regulatory changes in the EU’s data-sharing landscape, focusing on the impact of new open finance rules on financial institutions.

A major highlight is the European Commission (EC)’s financial data access and payments package, released in June 2023. The package comprises proposals for a revised Payment Services Directive (PSD3), a new Payment Services Regulation (PSR), and a proposed Financial Data Access Regulation (FIDA). These proposals are designed to expand data access beyond payments, improve fraud prevention, and set the foundation for open finance.

Payment innovation and fraud prevention

The PSD3 and PSR are intended to replace and modernize the current Payment Services Directive or PSD2. Their objectives include combating fraud, enhancing customer rights, improving access to bank accounts for non-banking players, and ultimately facilitate open finance.

The European Parliament voted in favor of both the PSD3 and PSR on April 23, 2024, marking a significant step forward in shaping the future of open finance in the EU. It proposed several changes to the texts primarily to improv fraud prevention. These changes include:

• Strengthening consumer protection amid booming fraud activity;
• Promoting innovation through new payment services, risk-based strong customer authentication (SCA) and interoperability;
• Increasing transparency and user control over data sharing;
• Improving fraud data sharing through a dedicated IT platform overseen by the European Banking Authority (EBA); and
• Clarifying the regulations’ scopes regarding electronic money tokens, location-based discrimination, and direct debit refunds.

The EBA responded only a few days after the Parliament’s vote, formulating on April 29, 2024 specific suggestions for further amendments to the PSD3 and PSR texts such as requiring two different SCA factors, mandating comprehensive fraud risk management frameworks, and ensuring pre-execution transaction monitoring for instant payments.

Finalized versions of PSD3 and PSR are now expected by late 2024, with potential implementation around 2026, expects Sia Partners, a consulting firm.

Giving customers more control over their data

The FIDA, meanwhile, is intended to establish clear rights and obligations to manage customer data sharing in the financial sector, giving customers control over their data and allowing third parties access to a wide range of financial information. This includes data on mortgages, loans, savings, investments, insurance, pensions, and creditworthiness assessments.

Proposals under the FIDA include requirements for financial institutions to provide data access to other institutions or fintech firms, subject to customer permission. Customers will have full control over who accesses their data and for what purpose, enhancing trust in data sharing. Additionally, data holders and users will need to join Financial Data Sharing Schemes (FDSS), which will govern data access in line with FIDA and other EU regulations.

FIDA was voted on at the European Parliament’s Economic and Monetary Affairs Committee on April 18, 2024. However, industry experts do not expect FIDA to be finalized before 2025.

Impact on financial institutions

According to the IIF, the PSD3, PSR and FIDA present opportunities for the financial services industry to collaborate with new players in the ecosystem to develop innovative, value-added products and services and improve customer experiences.

However, the trade association highlights the significant challenges financial institutions may face in implementing these challenges. In particular, it notes that meeting the real-time data sharing requirements under FIDA may prove technically challenging and costly for data holders.

Moreover, industry stakeholders remain skeptical of the expected benefits of new regulations. A 2023 research by the EC examined the application and impact of PSD2, and found that the costs of implementing PSD2, particularly for API development (estimated at EUR 3.2 billion) and SCA rollout (estimated at ~ EUR 5 billion, were substantial. An overwhelming majority of banks and associations consulted for the study suggested that these costs largely outweigh the benefits to them.

Featured image credit: edited from freepik