Open Banking in a Closed Market

July 2022, BDK Advokati

In 2014, Serbia made a big step forward in aligning its payment services regulations with the EU rules. The Payment Services Act (Zakon o platnim uslugama), a local equivalent of the first Payment Services Directive (“PSD1”), was adopted, opening the doors of the industry to non-bank service providers. The acquis target then moved in early 2016, when the Revised Payment Services Directive (“PSD2”) entered into force, making a huge impact on the EU payment market. As there are already talks about a third Payment Services Directive being considered[1], now is an opportune time to examine the legislative footsteps that Serbia has committed to follow.

PSD2
PSD2 laid the foundation for “open banking”. At the heart of this concept are data ownership and access. Data relating to the client’s revenues and expenditures, spending habits, repayment track record, and the like had been collected, processed, and held exclusively by the banks. The main message under PSD2 is that customers own this data and may choose to share it with third parties, in which case the bank must enable data access for third parties that hold a license for payment initiation services (“PISP”) or account information services (“AISP”).

A PISP essentially works as a link between the payer, their bank, and the merchant. It allows payers to initiate transactions from their bank accounts simply and securely. Say you are about to purchase an e-book in an online store. The platform offers the available payment options, including “pay by bank account”. If you select this option, you will be asked to choose your bank from a list. You then get authenticated by means of a PIN and/or face recognition. The PISP communicates with your selected bank and receives, among other data, confirmation that the funds on your account are sufficient to execute the payment transaction. A PISP can also facilitate peer-to-peer money transfers. Some popular apps allow sending out payment requests via messaging services such as SMS, Viber, WhatsApp, etc.

An AISP collects and aggregates financial data from the user’s multiple bank accounts. This data can then be used for various purposes. At the minimum, you get a clear overview of your financial position and an analysis of your spending patterns and expenses. E.g., you can see that you have spent RSD 5,000 on takeaway coffee that month. There are plenty of add-on services that can be integrated into an AIS. Some apps provide saving and investment tips based on your financial data (e.g., they can advise you to buy a coffee machine). AIS products can also be used for bank product comparison, enabling the user to check which bank charges the highest fees and which offers the lowest interest rates on credit. Other AISPs create tools that allow customers to share their financial data with prospective lenders, thus shortening the loan application time and improving the affordability assessment. There are even apps that calculate the carbon footprint of your daily purchases. The business applicability of open banking data is truly endless. To be sure, an AISP or a provider of an integrated service should always check whether its model is subject to additional licensing requirements based on what it does with the data (e.g., a recommendation to buy bonds would generally amount to investment advice, a regulated service under the securities regulations).

SCA
Another focus of PSD2 is the security of cashless payments. Among other measures, payment service providers are required to implement the strong customer authentication (“SCA”) standards developed by the European Banking Authority. SCA is a set of rules that aim to verify that the person requesting online access to an account or trying to make an online payment is permitted to do so. Two or more of the following elements must be used for verification: something the customer knows (e.g., a password), something the customer has (e.g., a mobile phone), and something the customer is (e.g., a fingerprint). By contrast, the method of verification to which most users are accustomed, i.e., entering the payment card number and CVV, does not meet the new requirements. Although the rules are designed to protect users, the way payment service providers comply with them in practice could affect the convenience of their payment solutions. Therefore, offering a PSD2- and SCA-compliant security mechanism that is at the same time simple and user-friendly could be one of the competitive advantages in the market.

Serbia
There is no public information that lawmakers have commenced any work on preparing the regulatory amendments to transpose PSD2 into Serbian law. As an exception, the SCA requirements were implemented by the National Bank of Serbia in the Decision on the minimum standards of management of the financial institution’s information system (“Decision”). The Decision requires local payment service providers to apply SCA when providing electronic services, including payment initiation and access to the account. Exceptions to the SCA requirements are narrow and include low-value payments, payments to trusted, “white-listed” payees, and transactions and services assessed as low risk. Under PSD2, compliance with SCA and the application of exceptions are key factors in determining who is liable in case of fraud. It will be interesting to see how the local rules will develop in this area.
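To make the SCA rule and the narrow exceptions concrete, here is an added example (not code from the article or from any regulator or bank) of the decision a payment service provider has to make before executing an online payment. It models the three element categories from the SCA section, treats the card number and CVV as not being an SCA element at all, and applies the three exceptions named above (low value, trusted payee, low risk). The element names, the RSD threshold, the risk score scale and the single-threshold form of the low-value exception are assumptions made for this example; the actual limits and cumulative conditions come from the applicable rules. The function records which rule led to the decision, since that is exactly what matters when liability for a fraudulent transaction is later disputed.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA element categories."""
    KNOWLEDGE = "knowledge"    # something the customer knows (password, PIN)
    POSSESSION = "possession"  # something the customer has (registered phone, token)
    INHERENCE = "inherence"    # something the customer is (fingerprint, face)


# Assumed mapping of presented elements to SCA categories. Card number and CVV
# are printed on the card and are not secret, so they map to None: not an element.
ELEMENT_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "otp_from_registered_phone": Factor.POSSESSION,
    "device_binding": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face_recognition": Factor.INHERENCE,
    "card_number": None,
    "cvv": None,
}


def meets_sca(elements):
    """True only if the presented elements cover at least two distinct categories.

    Two elements of the same category (password + PIN) do not count as SCA,
    and unknown or non-secret elements are ignored rather than trusted.
    """
    categories = {ELEMENT_CATEGORY.get(e) for e in elements}
    categories.discard(None)
    return len(categories) >= 2


@dataclass
class Payment:
    payee: str
    amount_rsd: int
    risk_score: float  # 0.0 (lowest) to 1.0 (highest), from the provider's risk analysis


LOW_VALUE_LIMIT_RSD = 3_000  # assumed threshold for this example
LOW_RISK_SCORE = 0.2         # assumed threshold for this example


def sca_exemption(payment, trusted_payees):
    """Return the name of the exception that applies, or None if SCA is required."""
    if payment.amount_rsd <= LOW_VALUE_LIMIT_RSD:
        return "low_value"
    if payment.payee in trusted_payees:
        return "trusted_payee"
    if payment.risk_score < LOW_RISK_SCORE:
        return "low_risk"
    return None


def authorize(payment, elements, trusted_payees):
    """Decide whether to execute the payment.

    Returns (decision, reason) so the provider can log which rule was applied:
    an exemption, a successful SCA, or a challenge because SCA was not met.
    """
    exemption = sca_exemption(payment, trusted_payees)
    if exemption is not None:
        return ("execute", f"exempt:{exemption}")
    if meets_sca(elements):
        return ("execute", "sca_ok")
    return ("challenge", "sca_required")


if __name__ == "__main__":
    # Constructed sample: a RSD 12,000 purchase from an unknown shop, paid by
    # typing in the card number and CVV only, which is not SCA.
    shop = Payment(payee="E-book Store", amount_rsd=12_000, risk_score=0.7)
    print(authorize(shop, ["card_number", "cvv"], set()))
    # The same purchase after a PIN plus a one-time code on the registered phone.
    print(authorize(shop, ["pin", "otp_from_registered_phone"], set()))
```

Note that the order of the checks matters: an exemption is evaluated before the elements, so a provider relying on an exemption must be prepared to justify that choice if the transaction turns out to be fraudulent.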

A more general question is how much competition the current Serbian regulatory framework allows for in the financial services industry. PSD2 promotes fair competition between payment service providers, which include not only banks and other traditional participants but also the so-called FinTech firms. The latter are most often perceived as a driver of innovation in providing financial services. However, the Serbian regulator’s approach to FinTech regulation is mixed. On one side, experimentation is supported by offering a rudimentary “sandbox” to innovators to test their products within a controlled setting. The main issue on the other side is that the authorization regimes that apply to certain financial services are too extensive and rigid and thus impose high barriers to entry for newcomers. For example, FinTech lending companies generally do not take deposits and therefore do not create money through lending, and their investors have no recourse to public guarantees. Nevertheless, unlike in the EU, these firms would still typically be subject to bank licensing requirements under Serbian law because only banks may grant credit as a commercial activity[2]. This means that even non-deposit-taking FinTech lenders would have to comply with the prudential requirements applicable to traditional banks (e.g., capital, liquidity and leverage ratios). Until these and other regulatory constraints are addressed, Serbia will lack FinTech players to provide competition to begin with. If this is to change, the regulators should use the interim before implementing PSD2 and open banking to revisit their approach to regulating financial innovation.