Is PSD2 already developing in a dangerous direction?
PSD2 has changed the world
PSD2 was implemented in the European member states during 2018 and 2019. The directive allows account holders to give third parties permission to access their account information or even to initiate payments from their checking account at the bank. These third parties do need a license from one of the national competent authorities. Various parties now hold this license, and the number is expected to increase considerably in the coming period.
Social criticism of the sharing of personal data has been decreasing lately. The rationale seems to be that account information service providers are subject to a license requirement and therefore must also comply with strict security requirements and privacy-related conditions: the license strengthens the account holder's confidence that their account information is properly protected when it is accessed.
Dangerous development
The question is how long this relative peace will last: there are various initiatives in the market that allow companies wanting to view their customers' or prospects' account information to bypass the licensing obligation. Some of the licensed parties, for example, aim to offer "License as a Service". In short, their business model consists of offering non-licensed parties the opportunity to request payment account information from customers through their license. The customer must then give permission to both its own supplier and the unknown licensed party, via a PSD2 consent as well as a GDPR consent.
The European Banking Authority (EBA) has stated that PSD2 does not require that the account information be made available only to the account holder. But more relevant than whether the above construction is legally tenable is whether this development is socially desirable.
When licensed parties start acting as intermediaries between the company and the consumer, the chain, and therefore the risks, will increase. How is the responsibility for customer research organized? Who is liable if the non-licensed company is careless with the account data obtained? Is the consent consistent with the actually requested data? There is at least one European member state that chooses the interpretation that the account information service must be provided directly to the account holder.
Social Debate
So far, the phenomenon of "License as a Service" has not been addressed intensively in the political and social debate. This lack of attention is not in line with the risk impact that the introduction of these market players could potentially entail. To ensure that the discussion about the sharing and processing of personal data does not flare up again, it is very important that it is made clear how the supervisors think they can manage the risks related to these parties. Only by providing clarity can it be guaranteed that the innovation drive envisaged with PSD2 is not lost in advance due to renewed privacy-related fear and suspicion among consumers.