Trust in Open Banking: Negotiating data liability between banks and TPPs

The breadth and complexity of Open Banking systems involve a web of players interconnected by the core need to access data. Used as the tool by which financial institutions and third parties deliver innovative financial products, the data required is highly personal by nature and brings with it a myriad of challenges for institutions trying to capitalise on its value without taking on too much risk.

The development and implementation of APIs to deliver Open Banking requirements has already shown immense promise in providing transparency across banking in the UK, but spikes in reported cyberattacks on financial services firms illustrate that the expanded boundaries necessitated by APIs multiply the risk of attack significantly.

Customer expectation, reputation management and legislation weigh on FS firms, meaning the issue of cybersecurity has transformed from a traditionally ‘vertical’ responsibility on IT departments to a ‘horizontal’ responsibility shared across the supply chain end-to-end. So where does liability fall within the supply chain when a data breach transpires?

How does liability play out?

Under the UK Open Banking Standard and PSD2, third-party providers (TPPs), such as payment initiation service providers (PISPs) and account information service providers (AISPs), must be authorised by the FCA in order to share data with a UK firm.

In conversation with Finextra, Ralf Ohlhausen, vice-chairman of the European TPP Association and executive advisor to PPRO and TINK, explains that the regulation is quite clear cut: “Under PSD2 it is the licensed and regulated party which is responsible for anything going wrong within their own domain.

“If a licensed entity of this type is outsourcing part of its services to a non-licensed technical service provider, they must comply with the quite stringent laws regulating the outsourcing of financial services in the EU. In addition to this, they retain full responsibility vis-à-vis their regulator for anything they have outsourced.

“Outside the realms of PSD2, GDPR still applies, which defines exactly how responsibilities are assigned to or shared between data controllers and data processors. There should not be any uncertainty at all about such responsibilities in the EU.”

Shefali Roy, COO & CCO of API provider TrueLayer, adds that in terms of liability, FIs and TPPs are responsible and liable under GDPR for the personal data they hold.

“PSD2 provides a lawful basis on which TPPs and tech suppliers can come into possession of personal data, which in some cases means they also become data controllers in respect of that same set of data held by financial institutions and will be separately responsible for compliance with GDPR.

“Where data has been lawfully transmitted to a tech supplier, the FI would not be responsible for data breaches by the TPP or technical supplier, just as the TPP or tech supplier would not be responsible for breaches by the FI.”

Roy goes on to clarify that under PSD2, regardless of whether an unauthorised transaction has occurred as a result of TPP access, the rule of thumb is that an FI must reimburse the customer.

“If a TPP is ultimately responsible, the FI can request compensation, and the TPP must compensate the ASPSP for losses incurred or sums paid as a result of a refund to the customer. The burden of proof lies with the TPP to show that it was not responsible.”

An industry framework to administer such compensation claims has not yet emerged, and the disconnect between legal liability and practical rectification doesn’t engender a great deal of confidence.

Why does this get gritty?

Protecting contractual positions when negotiating agreements to outsource through TPPs sounds fantastic in theory, but when it comes to data protection and fault in the case of a breach, certain implications shouldn’t be brushed off as Open Banking teething issues.

Vikram Khurana, senior associate at Bristows LLC, says that as FIs can’t contract out of the accountabilities set out in legislation, “all they can do is ensure that if they have appointed third parties, they have coverage within the contract which protects them.

“Banks are focusing on whether their existing insurance policies actually cover them for cyber risk. The issue of ‘silent cyber’ is emerging as many firms assume that cyber risk is already covered in their insurance, but the need for more specific ‘cyber insurance' is becoming clear.”

A fundamental objective of Open Banking is to encourage smaller FS firms to enter the playing field, but these players are less able to allocate the same capital as incumbents to compliance or cyber-security, so whether TPPs will be able to pay penalties if and when they are found liable for a data breach remains to be seen.

Khurana continues: “There are lots of fintech providers who are small or thinly capitalised and they won’t necessarily have the size or insurance to deal with these kinds of risks, so it’s up to the FS organisation to carry out due diligence and risk assessment on those new vendors.”

Given this reality, FIs spare no expense in carrying out rigorous in-house security processes. Nevertheless, Shefali Roy explains, “the FI is not permitted, under the regulatory framework, to make access contingent upon testing the TPP’s robustness […] In the EU and UK third parties need to pass the scrutiny of the regulator before they are permitted to access payment account data.”

Once authorised by regulators, third parties have a right to access data held by FIs. Roy continues: “Where FIs wish to partner with third parties to undertake activities that are outside the scope of regulation, they will undertake their own due diligence.”

Danske Bank chief digital officer Søren Rode Andreasen says the bank takes “great care in assessing third party vendors and partners with regard to their security and data capabilities, and many banks deploy advanced biometric fraud detection on the device front-end and look for tampering.”

He also highlights that “Open Banking with TPPs is a bit different, as it is the customer who instructs us to share his data with the third party on his or her behalf.”

Is the data worth the risk?

Under GDPR’s strict requirements for data controllers, TPPs that interact with larger FIs are at risk of unwittingly placing themselves in a position of liability by taking more control over data than they may want or need. The thirst for access to and control of data is understandable for TPPs focused on using it to refine customer insights and customisable products, but for banks, the issue of trust and the threat of losing it remains the central priority.

Ville Sointu, head of emerging technologies, Nordea, adds that without trust, regulated institutions like Nordea would be out of business: “we are ultimately less concerned about who controls the data rather than what is fair and right for our customers.

“This means we support the concept of data democracy where we want to enable our customers to be in full control of their own data. From my point of view driving the adoption of Emerging Technologies in our bank, we support initiatives surrounding self-sovereign data and identity, but in a way that ensures that our customers can also feel safe about the institutions they trust in this new data ecosystem. We believe trust on this level is built on established law and regulation in the nation states where our customers are.”

“Our top priority is protecting our customers’ data. In accordance with PSD2, we do not share data unless the customer has given their consent and only through a licensed TPP/technical provider assigned by the customer. Regulation is very important and maintaining trust from our customers is of course critically important,” continues Ulrika Claesson, commercial business developer, Nordea. “Trust is a sensitive asset and takes a long time to build, but it is quick to destroy.”

The risks of a data breach aren’t just reputational. Khurana adds that “although we haven’t quite seen it in the FS space yet, everyone is quite concerned about the size of the fines which have been dealt out for GDPR breach.”

While the regulations make clear that penalties will be incurred, once a data breach has occurred the information is likely already in the public sphere and cannot be ‘forgotten’.

The opt-in, opt-out characteristic of Open Banking means that a consumer is entitled to request that their details be forgotten; however, for this to happen, an institution must actually have control over the data it is being asked to ‘forget’.

If a data breach has occurred, there is no knowing where sensitive details may end up, let alone any guarantee that they have been wiped from digital history in line with the consumer’s wish. Relying on a data trawl to rectify this seems ambitious at best.

Even as incumbents keep pace with the agile developments of disruptors, disruptors will likely continue to face an uphill challenge in negotiating partnerships or deals for as long as liability uncertainty persists, and FIs will likely use the responsibility they bear for rectifying data breaches that occur through TPPs as leverage in those negotiations.

A key objective of enforcing Open Banking was to stimulate innovation by encouraging healthy disruption in the financial services industry. But when a lack of clarity about underlying responsibility and incomplete frameworks for recourse exist, could regulators be inadvertently stifling collaboration as incumbents are obliged to shoulder the burden of mitigating risk?

Comments: (1)

Brendan Jones - Konsentus Ltd - Reading, 25 November 2019, 13:08

This is an excellent article that lays out some of the key challenges around risk and liabilities. It talks about banks investigating to see if insurance covers them for cyber-crime risk but in my view misses one key aspect of the whole process: checking to see if the TPP is both valid and regulated. The challenge is there is no central government database that covers both eIDAS certificates, passporting and regulated status. Even for the regulated status check, the only central database offered by the EBA not only does not include banks (Credit Institutions), but states on the home page: ‘users of the register should be aware that there may be a discrepancy between the information contained on the file and the information contained on the actual register’, or in other words it may not be accurate.

To complicate matters still further, we have seen that some National Competent Authorities have introduced a new class of ‘suspension’, in that the party is still regulated and would appear on the EBA database as regulated, but in reality has been suspended from carrying out regulated activity. The risk here to banks is of course significant, as if they provide data to unregulated TPPs, or TPPs not regulated for that data, i.e. AISP/PISP, then they leave themselves open not just to the financial cost but also to reputational issues and the effect this may have on customer trust.

A number of private companies such as Konsentus and PRETA have stepped into this void and created accurate NCA registries that banks can use to check data. Konsentus even covers both eIDAS and NCA data as well as offering insurance for the banks.