Under the PSD2 directive, all banks servicing payment accounts (which is why, in the PSD2 context, they are called ASPSPs, Account Servicing Payment Service Providers) MUST allow any licensed third party to access their customers' transaction data.
This is of course only possible with explicit and revocable customer consent, granted individually to each application or service the customer decides to use.
At the same time, the ASPSP must ensure that customers grant consent and the right to access their bank accounts only to authorized and trustworthy Third Party Providers (TPPs). Banks must also make sure that only the bank account owners can use third party software or services to access and manipulate their accounts and financial data. Should the ASPSP fail to implement Strong Customer Authentication (SCA) or to establish Common and Secure Communication (CSC) with the Third Party Providers, it must, in case of proven customer loss, compensate the customers accordingly, without unnecessary delay or conditions.
Pretty tough for the banks, isn't it? Of course banks have tools which, when applied consistently, can minimize the risks. First of all, an authorized TPP must own an eIDAS certificate, which carries data that can and should be validated with every single request from that Third Party Service Provider. Sounds easy. Well, it is not. Forget about the technical difficulties: while not trivial, they are not rocket science either. Many companies master this kind of algorithm, and most banks belong to this category of IT houses. The problem is the complexity of the European regulatory framework and the fragmentation of the data, which is spread across the financial market regulators of the EU member states. The single source of truth about the validity of a TPP's authorization is the NCA (National Competent Authority) of the country where the TPP is headquartered. Banks must therefore implement connections to all 31 countries (including some participants outside of the EU but part of the EEC), and these connections must always be operational and in sync. Not an easy task at all.
Some banks actually implement these connectors, while others perform the necessary TPP validations using aggregated regulatory services provided by several (although not many) companies across the EU.
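The per-request check described above, as an added illustration (not code from the page or from OBLog): the PSD2 authorization number carried in the TPP's eIDAS certificate is looked up in a federated register snapshot, and the check fails closed whenever the connector to that country's NCA has gone out of sync. The register contents, the TPP numbers and the staleness threshold are constructed for the example, and the `PSD<country>-<NCA>-<number>` identifier format is assumed rather than taken from the page; TLS-level validation of the certificate chain itself is assumed to happen elsewhere.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Register snapshots federated from several NCAs, keyed by country code.
# All values are constructed for this example; the TPP numbers are not real companies.
# The PSD<CC>-<NCA>-<number> form is an assumption about the organizationIdentifier
# found in PSD2 eIDAS certificates, not something stated on the page.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
REGISTERS = {
    "DE": {"fetched_at": NOW - timedelta(hours=1),
           "tpps": {"PSDDE-BAFIN-100001": {"status": "authorised", "roles": {"AISP", "PISP"}},
                    "PSDDE-BAFIN-100002": {"status": "withdrawn", "roles": {"AISP"}}}},
    "FR": {"fetched_at": NOW - timedelta(days=2),   # stale: the sync with this NCA broke
           "tpps": {"PSDFR-ACPR-200001": {"status": "authorised", "roles": {"AISP"}}}},
}
MAX_REGISTER_AGE = timedelta(hours=6)  # how long a snapshot is trusted without a refresh


def parse_authorization_number(org_id: str) -> Optional[tuple[str, str, str]]:
    """Split 'PSDDE-BAFIN-100001' into (country, nca, number); None if malformed."""
    parts = org_id.split("-")
    if len(parts) != 3 or not parts[0].startswith("PSD") or len(parts[0]) != 5:
        return None
    return parts[0][3:], parts[1], parts[2]


def authorize_tpp(org_id: str, required_role: str, now: datetime = NOW) -> tuple[bool, str]:
    """Per-request check of a TPP against the federated registers; fails closed."""
    parsed = parse_authorization_number(org_id)
    if parsed is None:
        return False, "malformed authorization number"
    country, _nca, _number = parsed
    snapshot = REGISTERS.get(country)
    if snapshot is None:
        return False, f"no register connector for {country}"
    # An out-of-sync register cannot prove the TPP is still authorised, so refuse.
    if now - snapshot["fetched_at"] > MAX_REGISTER_AGE:
        return False, f"register for {country} is stale; refusing to rely on it"
    entry = snapshot["tpps"].get(org_id)
    if entry is None:
        return False, "TPP not found in register"
    if entry["status"] != "authorised":
        return False, f"TPP status is {entry['status']}"
    if required_role not in entry["roles"]:
        return False, f"TPP not authorised for {required_role}"
    return True, "authorised"
```

A stale or missing connector is treated the same way as a withdrawn authorization: the request is refused and the reason is surfaced so the operations team can see which NCA feed broke.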
OBLOG
The primary goal of OBLog is to facilitate transparency in the complex world of Open Banking.
Currently OBLog offers an API service and a mobile application, which can be used to search and display registration data and statistics of PSD2 companies authorized to offer payment account related services in the European Union.
The foundational source of data are the official registers of the EBA (European Banking Authority). Additionally, OBLog collects and federates several other sources to enhance the data and make it even more precise.
The mobile application (currently on the Android platform) allows users to search and filter the registers in multiple ways, thus making it a snap to check the status of any PSD2 authorized TPP. Different statistics can be calculated on the fly for several categories of data as well as for different time intervals. You can now use your mobile phone to check how many companies were registered in the last day, week or month. You can even find their names and registration details. The data sets are updated several times a day, so you have the most recent information available.
OBLog is brought to you by Applego, an independent software vendor developing smart and secure solutions for the open economy.