Market participants welcome the possibility of a transition period because an abrupt changeover could lead to technical problems. At the customer’s request, so-called third-party service providers and other banks access the accounts via the interfaces. For example, they offer multibanking apps, analyze the creditworthiness of customers in advance of granting a loan, or execute payment orders on the accounts.
The reason for the new account interfaces lies in the PSD2 – the second European payment service directive. This is the directive that has made access to online banking more complicated for many banks since last autumn. It stipulates that banks must grant third parties access to bank accounts. In the past, this was already done via the HBCI / FinTS data interfaces and web scraping, where service providers log into customers’ online banking. But that was considered too unsafe.
Most financial institutions have now developed special PSD2 data interfaces (APIs). The possibility of adapting existing interfaces to the new legal requirements was not well received. For the new API of the Sparkassen-Finanzgruppe – including NordLB and LBBW – the three-month market testing phase ends. If Bafin now found the interfaces to be good, the financial institutions would no longer have to allow third-party access via other interfaces, which is referred to as the emergency mechanism.
However, it can be heard from Bafin circles that the authority will first evaluate the results of the market testing phase and that no decision will therefore be taken in the short term. In addition, the supervisors have recently informed the banks and third-party service providers about what happens next once an exemption from providing an emergency mechanism has been granted.
The letter, which is available to Handelsblatt, states that Bafin will not object for a period of three months from the granting of the exemption if third-party providers continue to access the accounts via previously used access routes. However, the decision to allow this is up to the banks, and third-party providers must report the alternative access to Bafin.
The Sparkassenverband (DSGV) says: “The financial group is currently examining the further procedure and the possibilities of gradually switching to the new PSD2 interface. For this we are also in a constructive dialogue with third-party services.”
Such a possibility is supported by third parties. “A change from one day to the next would not be possible, we need some time to gradually change the account access for our customers,” says Caroline Jenke, chief lawyer at the third-party provider Fintecsystems.
Progress through clear guidelines
Like FinAPI and Finleap Connect, Fintecsystems offers account access as a service, for example for providers of financial apps and accounting software or for banks. From Jenke's perspective, the Sparkasse API is not yet fully usable; for example, the amount available on the account is not transmitted. The savings banks confirm that this is being worked on, because according to Bafin, this data will have to be provided in the course of 2020. However, this should be independent of the granting of an exemption from the emergency mechanism.
Bafin has now also issued a stipulation on another point about which banks and third-party providers have long argued: banks must also disclose the names of the account holders via the interfaces. “However, this only applies if you access the account as an account information service, but not if you want to initiate a payment,” says Jenke. In case of doubt, the service providers would have to access the account twice – and the customer may have to confirm this twice.
Another innovation, which providers of accounting software for companies are particularly pleased about: if the interfaces previously used offer functionalities that are not available with the PSD2 interfaces, regulated third-party providers can still access the accounts via the existing interfaces. In particular, this means collective transfers, which are made possible via the HBCI / FinTS interface. The decision to enable this access is also made by the bank.
Compared to the discrepancies that third-party providers had mentioned last autumn, the remaining hurdles seem surmountable. It will still take a while until all account access is possible only via the special PSD2 API. After the savings banks, the interfaces of Weberbank and Ebase entered the market testing phase in January. The Volks- und Raiffeisenbanken and Norisbank followed in February. Deutsche Bank joined in March, and Postbank this Friday.