The European Banking Authority (EBA) recently confirmed that banks cannot give customers the option to exercise a blanket opt out of all third party open banking services and that they cannot revoke the consent customers give to third parties on their behalf either, even if the customers have agreed to this service being provided.
The views expressed by the European Banking Authority (EBA) build on other guidance banks have been given in relation to customer consent in the context of open banking.
Consent central to customer trust in open banking
There is universal agreement that establishing and maintaining customer trust is essential to the success of open banking. Customers will only allow third parties to access their transaction histories, other data and initiate payments on their behalf if they believe that they will not be in a worse position than if they did not use these services.
For this reason, the EU's second Payment Services Directive (PSD2) requires that providers of open banking services obtain the explicit consent of their customers before providing services. PSD2 also sets out detailed security and authentication regimes in order to protect customer data.
In the context of a banking customer, explicit consent is the permission given by the customer to a regulated third party provider to access the customer's payment account held at the bank. When the third party communicates with the bank, the bank must accept on face value the third party provider's assertion that it holds the customer's consent and grant the third party access to the payment account.
No need to check consent
In June last year the EBA clarified that banks "do not have to check" the consent between the customer and the third party. While this response gave banks clarification as to their operational requirements, it did not shed light on whether a bank could check a customer's consent to use a third party provider if the bank wants to check consents on behalf of its customers and its customers agree to receive that service.
This uncertainty led to questions being raised directly with the EBA about two scenarios.
First, the EBA was asked where a bank wants to revoke the permission given by a customer to a specific third party to access its payment account whether it can do so. The argument goes that often customers sign-up for apps without putting much thought into it and later want to revoke the permissions they have given as quickly and easily as possible. For convenience, those customers, according to this argument, should be able to tell the bank which services they want to continue to have access to their payment accounts and which ones they do not.
The second scenario takes it one step further – some argue that banks should be able to offer their customers an 'opt out' from all third party services. In this scenario, the bank would never respond to a request from a third party provider to access a customer's account if that customer has 'opted out'. The bank would take this approach even if the third party asserted that it had the customer's explicit consent.
Given the central drivers for open banking of free competition and promoting innovation, third parties have sought clarification from the EBA as to whether these arguments are valid from a regulatory perspective.
No ability to revoke consent
In a response published in December 2018, the EBA clarified its view in relation to both of these scenarios.
In the scenario where a bank seeks to revoke a specific third party service, the EBA has confirmed that only the customer "has the right to withdraw the consent after it has been provided" and that the bank "cannot revoke the consent".
In relation to the general 'opt out' the EBA took the view that a bank cannot provide this service. A general opt out of third party services "would undermine the very aim of PSD2 to create a level playing field between all market players offering these services", in its view.
The EBA was, however, careful to note that the view it has expressed is simply its opinion and if the matter were to go to court, the Court of Justice of the European Union could express a different view.
Consent in the UK
The Financial Conduct Authority, the regulator in the UK, requires third party providers to submit copies of their contracts with customers when going through the process of becoming regulated. Those contracts must explain how a customer can revoke any consent that has been given.
Consistent with the EBA's approach the FCA has made it clear that it is of the view that banks and other account providers should not create additional steps in relation to a customer's consent to use a third party service. A bank "asking the customer to confirm that they agree to share data with a [third party provider] will be considered an example of an additional consent step", the FCA has said.
The FCA, however, has also acknowledged the benefits of banks, other account providers and third parties using standardised APIs in order to access payment accounts. These standardised approaches may require enrolment in an API programme and adherence to certain additional standards on obtaining consent.
The FCA has made it clear that banks and other account providers are not "able to seek proof, or confirmation from the customer, of that consent as a prerequisite to fulfilling their obligations to provide access to [third party providers]" and that it will "carefully scrutinise any aspect of a [bank's] dedicated interface that gives rise to messaging or steps that go beyond facilitating authentication or specific legislative or regulatory requirements."
Consent in Germany
In Germany, the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) has expressed on various occasions that the way it will apply PSD2 will be shaped by the EBA guidelines. This was reiterated in BaFin's December 2018 communication.
For BaFin, banks are generally seen to be under the obligation to cooperate with third party providers. No artificial obstacles are permissible. The principle of non-discrimination is interpreted rigorously. This approach is consistent with the clear guidance set out in the regulatory technical standards on strong customer authentication under PSD2.
In Germany, the discussion has always centred on the customer's explicit consent. This consent must not be compromised. It has to be free and not shaped by bias, notably from any of the stakeholders offering the financial services at issue.
The obligation to cooperate and to stay away from any kind of undue influence are the likely core reasons why the EBA has answered the questions in the way it has, and why this is also reflected in BaFin's approach and interpretation of the domestic stipulations implementing the PSD2 rules in German law. It has now been confirmed that banks have no right of revocation, and that it would not be appropriate to allow them to offer an all-in-one opt-out service.
Luke Scanlon is an expert in financial services and technology law at Pinsent Masons, the law firm behind Out-Law.com.
Frankfurt-based Nils Rauer is an expert on privacy, digitalisation and copyright.