The Importance of Consent Management in Open Banking
Introduction
Open banking involves making data in the financial system accessible to authorized third-party service providers (“TPPs”) through standard Application Programming Interfaces (“APIs”). It enables customers to share their financial data so that financial institutions can develop new technologies and make different choices for their customers in a competitive environment. However, open banking does not mean open data sharing. Consent management is the key to many financial models offered by fintech companies and financial institutions. This article discusses the concept of consent management and the importance of it in open banking.
Definition of Consent Management
As per the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers (“Regulation”), the Central Bank of Türkiye (“CBRT”) sets the procedures and technical requirements for payment initiation services (“PIS”) and account information services (“AIS”) (together referred to as “data sharing services for payment services” (“DSSPS”)), with input from the Competition Authority on the sharing of competition-sensitive data. Payment service providers must comply with these requirements, and their compliance is assessed by the Interbank Card Center (“BKM”). Providers that successfully complete BKM's evaluation are publicly listed and, with the CBRT's approval, recognized as authorized providers.
As per the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in Payment Services (“Communique”), the customer separately consents to each information request and payment order initiation related to the PIS and AIS. For AIS, consent may also be given through the contract regarding relevant accounts.
DSSPSs are defined in compliance with Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (“PSD2”). Articles 66 and 67 of PSD2 state that payment initiation service providers (“PISP”) and account information service providers (“AISP”) may only initiate a payment or access payment account information with the explicit consent of the payment service user.
Consent management refers to the processes followed to obtain, manage, and document user permissions for accessing and processing their data. Regulations aim to ensure that TPPs may access customer data only with the consent of the payment service user.
The Importance of Consent Management in Open Banking
Open banking, banking as a service (“BaaS”) and platform banking practices all depend on the use of APIs. For open banking, the CBRT has published API Principles and Rules Version 1.1.0. These principles detail how customer consent is established for PIS and AIS and how the consent status may change based on the actions taken by the AISP or PISP through the application interface. BaaS is also enabled by the open banking approach, which allows customer data to be shared with third parties upon request while banks continue to provide products and services and third parties act as intermediaries.[1]
Regulatory Compliance:
Regulatory frameworks such as the Guideline on Data Sharing in Payment Services published by CBRT in April 2023 (“Guideline”) state that AIS primarily consists of two stages: obtaining consent and retrieving account information. On the AISP application, the AIS customer seeks consent by choosing the account service provider from whom they will obtain the account information. After customer identity verification and once the customer selects and approves the account(s) for which consent will be given, the consent will be established. After the consent is established, the AISP will be authorized to query the relevant account information.
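To make the two-stage flow above concrete, here is an added Python model of an AIS consent record; it is not code from the Guideline or from any CBRT API, and the field names, the 90-day validity period and the constructed account identifiers are assumptions of this example. Consent is established only after identity verification and explicit approval of the account(s), and the AISP may then query only the approved accounts while the consent is live and not revoked.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

NOW = datetime(2024, 7, 10, tzinfo=timezone.utc)  # constructed reference time

@dataclass
class AisConsent:  # one AIS consent, scoped to a customer, one ASPSP and approved accounts
    consent_id: str
    customer_id: str
    aspsp: str
    approved_accounts: frozenset = frozenset()
    status: str = "pending"  # "pending" -> "established" -> "revoked"
    expires_at: Optional[datetime] = None
    audit: List[tuple] = field(default_factory=list)  # documents each consent event

    def establish(self, identity_verified: bool, accounts: Iterable[str],
                  now: datetime, validity_days: int = 90) -> None:
        # Stage 1: no consent without identity verification and explicit account approval
        # (the 90-day validity is an assumption of this model, not a rule from the page).
        if not identity_verified:
            raise PermissionError("customer identity not verified")
        self.approved_accounts = frozenset(accounts)
        if not self.approved_accounts:
            raise ValueError("customer must approve at least one account")
        self.expires_at = now + timedelta(days=validity_days)
        self.status = "established"
        self.audit.append((now, "established", sorted(self.approved_accounts)))

    def revoke(self, now: datetime) -> None:
        self.status = "revoked"
        self.audit.append((now, "revoked", None))

    def authorises_query(self, account_id: str, now: datetime) -> Tuple[bool, str]:
        # Stage 2: may the AISP retrieve information for this account right now?
        if self.status != "established":
            return False, f"consent is {self.status}"
        if now >= self.expires_at:
            return False, "consent expired"
        if account_id not in self.approved_accounts:
            return False, "account not covered by consent"
        return True, "ok"

def demo_flow() -> List[Tuple[bool, str]]:
    # Constructed scenario: one of two accounts approved; then expiry and revocation.
    c = AisConsent("c-1", "cust-42", "bank-a")
    c.establish(identity_verified=True, accounts=["acct-1"], now=NOW)
    results = [c.authorises_query("acct-1", NOW), c.authorises_query("acct-2", NOW),
               c.authorises_query("acct-1", NOW + timedelta(days=91))]
    c.revoke(NOW)
    return results + [c.authorises_query("acct-1", NOW)]
```

The audit list is what lets a provider later evidence when consent was given, for which accounts, and when it was withdrawn.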
To enhance consent management, the European Commission proposes, within its package of amendments to PSD2, among other measures, requiring account servicing payment service providers to implement dedicated data access interfaces, the creation of “permissions dashboards” through which users can manage their open banking access permissions, and more detailed minimum requirements for open banking data interfaces. These amendments are expected to enhance the competitiveness of open banking services.
Risk Management:
Many jurisdictions impose data sharing and security requirements on banks and their outsourced third-party services, but not on third parties that contract directly with banks’ customers.[2] In some jurisdictions, outsourcing policies require banks to ensure third-party compliance, often through documented contractual obligations, while in others supervisors have authority over registered third parties.[3]
PSD2 outlines data security standards for third parties, and banks are generally not required to monitor authorized third parties' data security frameworks. However, a regulatory gap may exist if a third party with customer consent to access banking data has no contractual obligations with the bank and is not authorized by any authority.[4]
In Türkiye, as per the Regulation, the procedures and requirements for executing DSSPS must comply with all requirements set by the CBRT. The compliance of these technical and operational requirements is verified through a technical control and evaluation process conducted by BKM. Providers that successfully complete the technical evaluation are recognized as authorized payment service providers by the CBRT upon completion of the necessary approval process.
Data Security and Privacy:
Before the use of APIs, third parties used screen scraping or reverse-engineering techniques to access customer data.[5] Screen scraping and reverse engineering put security, customer protection and stability at risk, and do not offer cancellation rights to the customer.[6] On the other hand, several potential operational and cybersecurity issues are also associated with the use of APIs, such as data breaches, misuse, falsification, denial of service attacks, and unencrypted logins.[7] Therefore, to prevent data breaches and cyber threats and to protect customer data, payment legislation, data protection legislation and, since banks also operate as payment service providers, banking legislation must be analyzed collectively. Both payment and data protection legislation use the concept of “explicit consent”, but payment legislation refers to Law No. 6698 on Personal Data Protection for the definition and process of explicit consent. PSD2 and the General Data Protection Regulation (“GDPR”) take similar approaches to explicit consent. Article 94(2) of PSD2 states that “payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user.” The Guidelines of the European Data Protection Board suggest that the “explicit consent” referred to in payment legislation is contractual consent. Therefore, when entering into an agreement with a payment service provider, individuals need to be informed about the types of personal data that will be processed and the specific payment service-related purpose for which the personal data will be used, and they have to explicitly agree to these clauses.[8]
Conclusion
Consent management is critical to open banking because open banking requires access to customer account data, which in turn requires the customer’s consent under payment legislation, data protection legislation, and banking legislation. Beyond regulatory compliance, it is also important for protecting data privacy and security and for risk management. Therefore, by implementing user-friendly, transparent, and secure consent platforms that help customers manage their consents, financial institutions and TPPs can contribute to an efficient financial ecosystem.
- Aksoy, Pınar Çağlayan / Perçin, Önder / Türkay, Ahmet and others: Sorularla Fintek, On İki Levha Yayıncılık, 2. Bası, 2023, p.121.
- Basel Committee on Banking Supervision, Report on Open Banking and Application Programming Interfaces, 2019 (https://www.bis.org/bcbs/publ/d486.pdf, Access Date: 10.07.2024).
- Basel Committee on Banking Supervision, Report on Open Banking and Application Programming Interfaces.
- Basel Committee on Banking Supervision, Report on Open Banking and Application Programming Interfaces.
- World Bank Group and Ministry of Foreign Affairs of the Netherlands, The Role of Consumer Consent in Open Banking, 2021 (https://documents1.worldbank.org/curated/en/099425002082230437/pdf/P1705050aeb8e704f088260f228802b73b8.pdf, Access Date: 10.07.2024).
- World Bank Group and Ministry of Foreign Affairs of the Netherlands, The Role of Consumer Consent in Open Banking.
- Basel Committee on Banking Supervision, Report on Open Banking and Application Programming Interfaces.
- European Data Protection Board, Guidelines 06/2020 on the Interplay of the Second Payment Services Directive and the GDPR, Version 2.0, 2020 (https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202006_psd2_afterpublicconsultation_en.pdf, Access Date: 10.07.2024).
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.