Data Privacy and Changing Ecosystem Roles in the EU Open Banking Regulation Triumvirate

Written by Mark Boyd & Mariana Velázquez

Updated at Wed May 08 2024

We continue our look at the emerging open banking regulatory landscape in Europe, which will change significantly over the next couple of years with the introduction of Instant Payments, Digital Identity and the Third Payment Services Directive. So far we have discussed the overall European open banking regulatory approaches, and the strengthened fraud prevention and security capabilities in European open banking regulations. In this blog post, we discuss new provisions to ensure consumer data privacy and how the regulations could change the roles of ecosystem stakeholders including banks, fintech, aggregators, and API industry players.

Theme 1: Enhanced digital security/fraud prevention

Consumer data rights are a core theme across all three regulatory packages:

Regulation	Instant payments regulation	eID and Digital Wallets regulation	PSD3
How this theme is addressed	When confirming matches, it is expected that verification of payee will not reveal the name of the account where there is no match with the proposed account information. However, if there is a close match, a suggested name will be shown in order to make the system more practical for the payer (and payee).	Digital wallet owners can decide which data items from their wallet they wish to share with each provider/service.	Under data sharing improvements, providers who enable customers to share their data must provide a dashboard where customers can see which entities they have shared their data with and be able to revoke permissions at any time. Under current PSD2 data sharing roles, some access of customers’ data is not regulated nor supervised. There is also some lack of clarity around consumers’ ability to share data when they want to, bothe issues PSD3 seeks to address. There are a lack of standards around the digital infrastructure that can enable data sharing that PSD3 seeks to address. Consumers will have the right to access their financial data free of charge (including SMEs).

Under both emerging PSD3 and digital wallets regulations, end users should be supported to understand their data sharing footprint. Under PSD3, new mandates will require that providers offer a dashboard view where users can monitor for their data sharing permissions. A similar capacity is proposed for digital wallets. Ideally, providers who will be required to deliver on both digital wallets and wider PSD3 data sharing could streamline this work by building dashboards that meet both requirements. It is unclear at this stage whether new industry-wide standards will be introduced that stipulate how these dashboards should be created. It is envisaged a standards model similar to the UK Pensions Dashboard regulations would be introduced following further industry consultation. This could also open the door for new market players that specialise in creating data sharing permission dashboards¹.

How data rights organisations are viewing new regulations

Profile: MyData

MyData Global has outlined differing approaches to digital wallets and other technologies. As a non-profit organisation focused on improving the right of individuals regarding their personal data, they are involved in providing feedback, advocating for standards, and ensuring the implementation of digital identities that support citizens and businesses to remain in control of their personal data. For example, their digital wallets taxonomy includes a data model reference framework.

Theme 3: Shifting ecosystem roles for banks, fintech and other stakeholders

The EU Open Banking regulatory packages all describe aspects that will fundamentally change stakeholder roles in the wider open banking/open finance ecosystem:

Regulation	Instant payments regulation	eID and Digital Wallets regulation	PSD3
How this theme is addressed	New players that will manage verification of payee databases will be required. There is already discussion that some national level bodies will need to provide a verification of payee database for their local payments services providers to draw on in cases where the provider does not have the data in their own database (that is, routing and verification mechanisms). Others may seek European-wide or international databases. API management and API tolling becomes more prevalent as verification of payee will be implemented as an API in most cases.	This regulation increases the role of identity players in the banking and finance ecosystem. By establishing regulatory deadlines for the availability of digital wallets, new players will look to partner with banks and financial institutions to support them to meet the identity technology components. Others, such as Communication Platforms as a Service (CPaaS) providers that provide text messaging and other instant communications during the consent and SCA workflows would also play a greater role in the ecosystem.	Under PSD3, fintech will be authorised to participate in the SEPA payment scheme without requiring a correspondent banking relationship. PSD3 background papers note that some banks had refused fintech access to a bank account on at time spurious grounds, which limited the ability of fintech to participate in the open banking ecosystem. This clause seeks to remove that barrier.

The three regulatory packages offer opportunities for API industry tool providers to solidify their position in the open banking ecosystem, as well as expand the potential role of other players.

Cybersecurity and API security service providers will continue to be able to build market share working with banks and fintech as more APIs being built (such as the verification of payee APIs) will require more secure data exchange observability, monitoring and incident response.

Identity players will increase their positioning in the open banking ecosystem, becoming crucial players that can help banks and fintech meet end of year deadlines by offering modular access to identity services

New and existing players providing UX-dashboards will increase, responding to the need to create mandated permission dashboards for consumers. We see an emerging role of new players that create modular offerings to enable third-party dashboards to be integrated into the user interfaces of providers like aggregators, fintech, and banks.

Digital wallet providers will expand. Mobey Forum has created a new definition for digital wallets:

A digital wallet is an interface to interact with and manage verified data and digitised assets securely.

Mobey Forum

Beyond Payments: Navigating the Next Generation of Digital Wallets

There are several models for defining the types of digital wallets that are available. At the core, there are two types: those that are connected to a bank account to enable transfer of money, and those that store value (which may have been deposited via a bank account or another source). Mobey Forum have mapped out a range of types of digital wallets including wallets for merchants, transit ticketing, eID, digital assets, P2P, and super apps.

New data holder services could be introduced.

The Financial Data Access Framework (FIDA) legislation as part of the PSD3 package specifically prohibits big tech (“gatekeepers” under the Digital Markets Act) from becoming financial information service providers, which may enable new market entrants to offer data aggregation and database services on behalf of conglomerates, for example banks could share data through one of their regional hubs in a similar way that they collectively joined forces to set up other payments and open banking organisations (for example, in Luxembourg, banks joined to create LUXHUB as their local aggregation platform and separate commercial entity, and in Spain banks joined to create Bizum, the instant account to account payments platform). It is envisaged that this model could also be used for national or regional bodies managing account verification (routing and verification mechanism providers). Identity consultants Ipid note that payment services providers (PSPs) will need to expose an endpoint that allows other PSPs to query them for account verification data, and to connect to an aggregator to connect to all other PSPs to complete their own checks.

For fintech, the continued shift towards recognising fintech as partners will continue. When open banking and open finance commenced, there was a lot of hype that fintech would replace banks. Some of this was spurred on by heavy investment by venture capital, which would benefit substantially if this was true. But VC also destroyed a lot of the potential with fintech by insisting on a rapid scaling of their investment properties by setting requirements for fintech to demonstrate that they could reach millions of customers quickly, rather than build methodically from one use case and target segment in a stable growth manner.

There have been some disruptors that have shifted market share from banks and forced banks to innovate (Klarna and Wise, for example, have both influenced the overall open banking sector in consumer credit and cross border transfers respectively). But in the main, fintech have found longevity by offering complementary services to banks (a strategy successfully leveraged by Erste Bank, for example), or by partnering with banks to become the feature providers to bank customers (for example, Mastercard has launched an open banking subscription service with fintech partner Subaio that they will sell to banks as a feature that banks can offer their customers, rather than as a competing service).

Q2 Open Banking Trends Report

More identity case studies

See our Q2 Trends report for case studies including the Sign in with Klarna service which demonstrates how they have leveraged Verification of Payee regulations into a new business model opportunity.

When building fintech relationships, some banks had also played more of a mergers and acquisitions role, buying out potential threats and moving teams inside to either incorporate the feature into their digital bank strategy or to let the competitive product languish internally until the threat had passed. Now banks are beginning to see fintech partnerships as an opportunity to increase the range of products and services they offer to customers without taking on the risk profile of the new service. By partnering with fintech, but keeping brands separate and clearly delineating what is a bank provided service and which are provided by their fintech partners, some banks are finding they can foster an open banking ecosystem without being responsible for the risk management of the fintech offerings. We believe the new regulations will extend that path, while also enabling payments services providers and other fintech to be less dependent on banks. Digital wallet technologies, for example, would be an ideal platform hub for an ecosystem, if offered by a bank.

Under PSD3 changes, the merging of payments and e-money institutions simplifies some regulatory aspects, and disconnecting the requirement for payments providers to have a corresponding bank could free up fintech to act more independently and boldly.

Verification of Payee Business Models

Profile: CBI

In Italy, where CBI operates (a consortium that comprises 400 banks and payment service providers), amongst the banks that are using their platform, over 60% use their check-IBAN service, the third most popular use case after account information use cases: account aggregation and personal finance management. This makes Check IBAN the highest value-added service in use in Italy, and for CBI represents a revenue generating opportunity.

When first creating the API product, CBI focused on its use amongst public administrators before then opening to private sector companies. In addition, the knowledge from creating the Check IBAN Service has led to multiple products and partnerships, including a Check IBAN Cross Border service for banks and fintech, the Check IBAN CBI product in collaboration with Swift, CBI Go which incorporates strong customer authentication service for data sharing, and CBI Safe Trade for assessing fraud risks in advance invoice processing.

For banks, new roles emerge, such as provider of digital wallets. But beyond that, industry association Mobey Forum noted that there is an opportunity for banks to explore and define what role they would like to play in the emergent digital wallets ecosystem:

Banks will undoubtedly play the “verifier” role in the eID scenario. However, the question arises: could banks also be the issuing party of either the eID wallet or the verified credentials issued to a third-party eID wallet? The question is if the issuer role is a desirable role for banks to inhabit? It remains to be seen if banks will be allowed to issue trusted eIDs or if this will be regulated by the authorities. There might be differences on a national level regarding the role banks (or other private institutions) can and will play.

On a national level, various issuers of eIDs and wallets, both from the government and the private sector, will likely come to coexist, dependent on the use case. Banks should consider pursuing an issuer role to fully leverage the potential benefits, especially in strengthening client relationships and exploring new value streams. The capability to securely store verified credentials is not exclusive to dedicated ID wallets. This leads to eID becoming an important part and enabler for modern banking wallets, although not necessarily sitting at the centre of them (in contrast to dedicated ID wallets), as they remain customer centric.

Mobey Forum

Beyond Payments: Navigating the Next Generation of Digital Wallets

As these new roles are decided, and alongside other aspects of the three regulations, banks are faced with a number of new business case opportunities:

Do they want to pursue banking-as-a-service opportunities as more payments providers are supported as independent ecosystem stakeholders in open finance? In Europe, some banks like Solaris, have seized the opportunity to be the BaaS infrastructure for others, while other banks have been afraid that such a role would diminish their direct customer relationships, or fear that accepting this role would relegate them to a background infrastructure player.
While regulations stipulate that end users should not pay for verification of payee services, banks may find a business case in offering ecommerce retailers, SaaS providers, and embedded finance services with a commercial VoP offering, perhaps coupled with other value-added services (as CBI are doing), or that enables a greater bulk amount of API calls, as ABN AMRO are experimenting with at the moment (they currently offer merchants and business customers an IBAN-Name Check API that provides 6,000 name checks for €3,000).
Digital wallets and the consumer data dashboard could offer banks new communication channels for existing customers and the chance to strategically offer other bank products and services, or to build out a marketplace business case.

For smaller banks across Europe, PSD3, digital identity and instant payments regulations represent an opportunity for those that have perhaps avoided an API strategy. It is not necessary to build out a complete portfolio of APIs, but there could be strategic advantage in leveraging identity and wallet APIs by smaller banks to support new account openings which in turn could lead to more customers opening deposit accounts, using lending services or applying for a new credit card: areas of revenue growth for any bank. Under proposed FIDA and other regulations, smaller banks could increase the personalised offerings and communications they make with existing customers. Hopefully, the new regulations could encourage these smaller banks to start experimenting with an API strategy that moves the bank further into the overall digital ecosystem.

We believe this strengthening of consumer data rights and the changing roles of ecosystem stakeholders can lead to more innovation and a greater range of open banking products and services, as well as drive the emerging embedded finance ecosystem. In our next post we look at the final theme focused on the new service opportunities, and we discuss where the digital euro fits in to the regulatory landscape.

Article references

New market for data sharing permission dashboards :

There are similar needs in other sectors such as open health, with the emergence of the European Health Data Space and work in individual countries to enhance health records consent processes by providing a health records wallet for individuals to access.