
Navigating the Future of Fintech: An Interview with Arie van den Bergen on PSD3, PSR, and Open Banking

Feb 27, 2025 10:38:13 AM • Author: Antonis Kazoulis

The financial technology landscape is in constant flux, driven by regulation and rapid technological change. To help make sense of it, we sat down with Arie van den Bergen, a lawyer specialising in fintech regulation, to discuss the implications of the upcoming PSD3 and PSR legislation, as well as open banking.

With almost 25 years of experience and a deep understanding of financial regulation, Arie helps fintech companies obtain and keep their ‘licence to operate’ by providing practical, hands-on legal and regulatory advice.

He is the founder of Finnick, a legal firm dedicated to the fintech industry. Finnick takes a hands-on approach, focusing on clear communication and practical solutions that help fintech companies thrive in a regulated environment.

Arie led one of the breakout sessions at the quarterly Ximedes roundtable, where he shared insights on leveraging regulation. After his presentation, we were eager to tap into more of his expertise. Below are the key points from that conversation.


The PSR mandates dynamic linking for TPP-initiated transactions while removing smartphone dependency for SCA. How should fintechs architect authentication systems that satisfy both security requirements and accessibility needs for non-digital users under these new constraints?

As fintech companies, we need to focus on developing multi-channel authentication solutions that ensure high security without relying solely on smartphones or smart devices. This could even lead to a resurgence of one-time passwords (OTPs) delivered via card readers, SMS, or email. While these methods aren’t as secure as biometric verification, they are still in use today. However, biometric methods, like fingerprint or facial recognition, typically require a smartphone. To address this, I think fintechs should explore alternative biometric verification methods that don’t rely on smartphones.

In situations where biometric verification isn't available, it’s crucial that fintechs secure other methods, like OTPs. This could mean layering additional security measures, though we need to be mindful that this could impact the user experience. Beyond that, I believe fintechs should invest in more sophisticated transaction monitoring systems to detect any unusual payment activity.

Of course, all of these measures come with added costs, which ultimately need to be covered by the users since PSPs aren’t allowed to charge for Strong Customer Authentication (SCA).
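As an added illustration (not code from this interview, from Arie or from Finnick) of what dynamic linking means for any SCA channel, smartphone or not: the authentication code is computed over the amount and the payee, so the code a card reader or OTP device produces for one payment is useless for a modified or replayed one. The device key, the IBANs, the challenge and the field layout below are constructed assumptions; truncation to an 8-digit code follows the HOTP scheme of RFC 4226.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed example key: in practice this lives in the customer's card reader,
# the secure element of an app, or the PSP's HSM, never in source code.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


@dataclass(frozen=True)
class Payment:
    payee_iban: str
    amount_cents: int
    currency: str


def canonical(payment: Payment, challenge: bytes) -> bytes:
    """Serialise exactly the fields the code must be bound to, in a fixed order.

    The PSP-issued challenge (nonce) stops a code from being replayed for an
    identical second payment; amount and payee make it specific to this one.
    """
    iban = payment.payee_iban.replace(" ", "").upper()
    fields = [iban.encode(), str(payment.amount_cents).encode(),
              payment.currency.upper().encode(), challenge]
    return b"\x1f".join(fields)


def issue_code(key: bytes, payment: Payment, challenge: bytes, digits: int = 8) -> str:
    """What the authenticator computes after showing amount and payee to the user."""
    mac = hmac.new(key, canonical(payment, challenge), hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226): take 4 bytes at an offset given
    # by the last nibble, clear the sign bit, reduce to the wanted digit count.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_code(key: bytes, payment: Payment, challenge: bytes, code: str) -> bool:
    """PSP side: recompute over the payment exactly as it will be executed."""
    return hmac.compare_digest(issue_code(key, payment, challenge), code)


def demonstrate_dynamic_linking() -> dict:
    """Constructed scenario: a code issued for one payment is tried against variants."""
    original = Payment("NL91 ABNA 0417 1643 00", 12_500, "EUR")
    challenge = b"psp-challenge-000001"
    code = issue_code(DEVICE_KEY, original, challenge)

    return {
        "original_accepted": verify_code(DEVICE_KEY, original, challenge, code),
        # Same IBAN written differently must still verify (canonicalisation).
        "reformatted_iban_accepted": verify_code(
            DEVICE_KEY, Payment("nl91abna0417164300", 12_500, "eur"), challenge, code),
        # A man-in-the-browser changing the amount after the user confirmed it.
        "tampered_amount_rejected": not verify_code(
            DEVICE_KEY, Payment("NL91 ABNA 0417 1643 00", 125_000, "EUR"), challenge, code),
        # ...or redirecting the money to another account.
        "tampered_payee_rejected": not verify_code(
            DEVICE_KEY, Payment("DE89 3704 0044 0532 0130 00", 12_500, "EUR"), challenge, code),
        # Replaying the code for a second, identical payment under a new challenge.
        "replay_rejected": not verify_code(DEVICE_KEY, original, b"psp-challenge-000002", code),
    }


if __name__ == "__main__":
    for check, passed in demonstrate_dynamic_linking().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The security property is in `canonical`: whatever the channel (card reader, SMS, e-mail), the user must be shown the amount and payee before the code is generated, and the PSP must recompute over the payment as it will actually execute, otherwise the linking is only nominal.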


With the elimination of mandatory fallback interfaces, what technical-legal safeguards would you recommend for TPPs to maintain uninterrupted service when an ASPSP's dedicated interface fails performance thresholds?

First of all, it is important that TPPs implement a robust monitoring and incident response system. TPPs can deploy real-time monitoring tools that continuously track the performance of ASPSP interfaces. In the event of a detected failure or performance issue, these tools can automatically trigger pre-defined contingency measures, such as rerouting transactions through alternative channels or activating backup systems.

Another effective approach is to advocate for the establishment of industry-wide standards and protocols that outline the minimum performance and reliability requirements for ASPSPs. Although the PSR mandates that the dedicated interface should use international standards of communication (e.g. ISO standards) and lists a number of security and performance requirements, the PSR does not create a market standard for the dedicated interface, such as exists in the UK. This is a missed opportunity, as the API standards are now very fragmented, with each bank having its own solution.

Finally, there is the option for TPPs to request their national competent authority to (temporarily) make use of the customer interface of the ASPSP in case of unavailability or underperformance of the dedicated interface if the ASPSP offers no effective solution without delay. This should obviously be a means of last resort.
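The monitoring described in this answer, as an added example that is not part of the interview or of any Finnick or Ximedes tooling: a TPP-side sliding-window monitor that tracks availability and p95 latency of one ASPSP's dedicated interface, moves through OK, DEGRADED and FAILED states, keeps an incident trail (the evidence a TPP would later put in front of the competent authority) and drives the routing decision. The thresholds, window size and the ASPSP name are illustrative assumptions, not values taken from the PSR.

```python
from collections import deque


class InterfaceMonitor:
    """Sliding-window health check for one ASPSP dedicated interface (API).

    Thresholds are illustrative TPP-side assumptions; a TPP would align them
    with the performance indicators the ASPSP is required to publish.
    """

    def __init__(self, aspsp: str, window: int = 100, min_samples: int = 20,
                 min_availability: float = 0.98, max_p95_ms: float = 2000.0):
        self.aspsp = aspsp
        self.window = window
        self.min_samples = min_samples
        self.min_availability = min_availability
        self.max_p95_ms = max_p95_ms
        self._calls = deque()          # (latency_ms, succeeded) for the last `window` calls
        self.state = "OK"              # OK -> DEGRADED -> FAILED
        self.incidents = []            # every state change, with the metrics that caused it

    def record(self, latency_ms: float, succeeded: bool) -> str:
        """Register one API call outcome and return the (possibly new) state."""
        self._calls.append((latency_ms, succeeded))
        if len(self._calls) > self.window:
            self._calls.popleft()
        return self._evaluate()

    def metrics(self):
        """(availability, nearest-rank p95 latency) over the window, or None if too few samples."""
        n = len(self._calls)
        if n < self.min_samples:
            return None
        availability = sum(1 for _, ok in self._calls if ok) / n
        latencies = sorted(lat for lat, _ in self._calls)
        p95 = latencies[min(n - 1, int(0.95 * n))]
        return availability, p95

    def _evaluate(self) -> str:
        m = self.metrics()
        if m is None:
            return self.state
        availability, p95 = m
        if availability < self.min_availability:
            new_state = "FAILED"        # errors/timeouts: the interface is effectively unavailable
        elif p95 > self.max_p95_ms:
            new_state = "DEGRADED"      # answering, but too slowly for a customer-facing flow
        else:
            new_state = "OK"
        if new_state != self.state:
            self.incidents.append({
                "aspsp": self.aspsp, "from": self.state, "to": new_state,
                "availability": round(availability, 4), "p95_ms": p95,
            })
            self.state = new_state
        return new_state


def route(monitor: InterfaceMonitor) -> str:
    """Contingency decision: stay on the dedicated interface unless it has failed."""
    return "contingency" if monitor.state == "FAILED" else "dedicated"


def simulate() -> InterfaceMonitor:
    """Constructed traffic: healthy, then slow, then erroring (timeouts / 5xx)."""
    mon = InterfaceMonitor("aspsp-example")
    for _ in range(40):
        mon.record(200, True)
    for _ in range(40):
        mon.record(3500, True)         # still answering, but far too slowly
    for _ in range(20):
        mon.record(5000, False)        # timeouts are counted as failed calls
    return mon


if __name__ == "__main__":
    mon = simulate()
    print(mon.state, route(mon))
    for incident in mon.incidents:
        print(incident)
```

What "contingency" means is deliberately left to the caller: rerouting through another channel or a backup system is something the TPP can automate, whereas asking the competent authority for (temporary) use of the ASPSP's customer interface is a manual, last-resort step for which the `incidents` list is the supporting record.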


The PSR requires PSPs to implement transaction monitoring mechanisms before applying SCA. How does this risk-based approach alter fraud prevention strategies compared to PSD2's rules, and what new compliance challenges does it create?

The risk-based approach means that PSPs should adopt more dynamic and adaptive fraud detection mechanisms. PSPs should leverage real-time data analytics and machine learning models to assess the risk level of each transaction and apply SCA selectively based on the specific context and customer behaviour. This could not only enhance security by identifying suspicious activities more effectively but also improve the user experience by reducing unnecessary friction in low-risk transactions.

New compliance challenges may arise if, e.g., AI is used to determine which transactions are potentially fraudulent and should therefore be subject to SCA. The PSP should be able to explain to users how the algorithm works and that it does not discriminate between users. Also, human intervention may be needed to make decisions with respect to, for example, permanently blocking suspicious transactions or terminating a customer relationship.
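An added example (not from the interview, Arie or Finnick) of the risk-based approach discussed in this answer, written so that the two compliance points raised above are built in: every rule that fires is returned as a reason, so the PSP can explain a decision, and the highest-risk band is referred to a human rather than blocked by the score alone. The rule weights, cut-offs, customer profile and transactions are illustrative assumptions, not regulatory values; a production system would also feed in the PSP's measured fraud rates and behavioural signals the profile here does not carry.

```python
from dataclasses import dataclass, field


@dataclass
class CustomerProfile:
    customer_id: str
    home_country: str
    known_payees: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    avg_amount_cents: int = 0
    payments_last_hour: int = 0


@dataclass
class Transaction:
    amount_cents: int
    payee_iban: str
    device_id: str
    country: str


# Illustrative weights and cut-offs (assumptions, not values from PSD2/PSR).
LOW_VALUE_LIMIT_CENTS = 50_000   # above this, no risk-based exemption is considered
SCA_THRESHOLD = 30               # score at or above this: apply SCA
REVIEW_THRESHOLD = 80            # score at or above this: also refer to a human analyst

RULES = [
    # (rule name, predicate(txn, profile), points) - the name is the explanation
    ("new_payee",       lambda t, p: t.payee_iban not in p.known_payees, 30),
    ("unknown_device",  lambda t, p: t.device_id not in p.known_devices, 25),
    ("foreign_country", lambda t, p: t.country != p.home_country, 15),
    ("amount_spike",    lambda t, p: t.amount_cents > 3 * p.avg_amount_cents, 20),
    ("high_velocity",   lambda t, p: p.payments_last_hour >= 5, 20),
    ("above_low_value", lambda t, p: t.amount_cents > LOW_VALUE_LIMIT_CENTS, 40),
]


@dataclass
class Decision:
    action: str          # "EXEMPT", "SCA" or "REVIEW"
    require_sca: bool
    score: int
    reasons: list        # every rule that fired, in order


def score_transaction(txn: Transaction, profile: CustomerProfile):
    """Transparent additive scoring: each fired rule contributes its points and its name."""
    points, reasons = 0, []
    for name, fired, weight in RULES:
        if fired(txn, profile):
            points += weight
            reasons.append(name)
    return points, reasons


def decide(txn: Transaction, profile: CustomerProfile) -> Decision:
    points, reasons = score_transaction(txn, profile)
    if points >= REVIEW_THRESHOLD:
        # SCA is applied, but blocking or offboarding is left to a human decision.
        return Decision("REVIEW", True, points, reasons)
    if points >= SCA_THRESHOLD:
        return Decision("SCA", True, points, reasons)
    return Decision("EXEMPT", False, points, reasons)


def demo_decisions() -> list:
    """Constructed profile and three transactions spanning the three outcomes."""
    profile = CustomerProfile("cust-1", "NL", {"NL91ABNA0417164300"}, {"dev-1"},
                              avg_amount_cents=5_000, payments_last_hour=1)
    txns = [
        Transaction(4_500, "NL91ABNA0417164300", "dev-1", "NL"),   # routine payment
        Transaction(4_500, "DE89370400440532013000", "dev-1", "NL"),  # first payment to a new payee
        Transaction(60_000, "DE89370400440532013000", "dev-9", "RO"),  # everything unusual at once
    ]
    return [decide(t, profile) for t in txns]


if __name__ == "__main__":
    for d in demo_decisions():
        print(d.action, d.score, d.reasons)
```

Because the rule list is data, the PSP can publish or audit it, show a user which rules applied to their payment, and check that no rule keys on a protected characteristic; a learned model can sit alongside it as one more scored signal, but the explanation then has to come from somewhere other than the model's weights.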

Given the new permission dashboards for open banking providers, what technical implementations do you foresee being most contentious in balancing user control with commercial data utilisation under FIDA's upcoming Open Finance framework?

Both FIDA and PSR provide permission dashboards to enable customers to easily manage their permissions to share data with financial information service providers (FISPs) or account information service providers (AISPs). The data holder usually does not know what the FISPs or AISPs use the data for and what permission has been granted by the customer. If the client objects to his/her financial data being shared, the data holder will, in practice, just stop providing access to this data. 

This means that the FISPs or AISPs lose control over their customers and services, as they cannot have a dialogue with the customer before access to the financial data is denied. Therefore, I think the real challenge for the permission dashboard is to make users clearly understand and control which data is shared, with whom, and for what purposes. Ensuring a user-friendly interface that provides detailed yet comprehensible consent options will be crucial. This means that a granular approach to sharing data should be chosen, whereby the amount of data depends on what financial services the data are used for. 

The regulation mandates "fair, reasonable and non-discriminatory" access to mobile devices (art.88a). From a compliance perspective, how should fintechs structure partnerships with OEMs to avoid antitrust issues while maintaining competitive differentiation?

Article 88a PSR is directed towards the Original Equipment Manufacturers (OEMs), so it is, in the first place, the obligation of the OEM to ensure compliance with the PSR and competition law. However, fintechs should review their partnership agreement with the OEM to ensure that FRAND (Fair, Reasonable, and Non-Discriminatory) conditions apply. 

The PSR already mandates that OEMs must publish general conditions of effective interoperability and access, thereby making the technical features necessary for storing and transferring data to process payment transactions (e.g. the NFC chip) accessible to all parties involved. Assuming that such general conditions are in place, the partnership agreement can focus on the commercial aspects, which can be different for each partner, without imposing any barriers to competition from third parties. 

The EU's PSD3 and PSR proposals aim to strengthen user protection, enhance open banking competitiveness, and improve enforcement. From your legal perspective, what do you see as the most transformative aspect of these changes for FinTech companies? How should firms prepare to navigate the complexities of these new regulations?

First of all, a major improvement of PSD3 and PSR is to bring PSD2 and EMD2 into one combined legal framework while at the same time ensuring a harmonised approach through a directly applicable Payment Services Regulation (PSR). This will further enhance the level playing field for providing payment services in the EU.

Another critical element is the fraud prevention measures, particularly in relation to liability for impersonation fraud and fraud data sharing. In case of impersonation fraud using the name, email address or telephone number of the PSP unlawfully, the PSP must, in principle, refund the customer after being presented with a police report, except where it can prove that the consumer acted fraudulently or with gross negligence. 

This means that the PSP, in principle, bears the financial risk for consumers being subject to impersonation fraud, as it will, in most cases, not be able to prove fraud or gross negligence. There is a lot of discussion around similar legislation for authorised push payment (APP) fraud in the UK, and the question is whether the legislation imposes the right balance between the PSPs and the consumer.

With respect to fraud data sharing, PSPs may (voluntarily) enter into data sharing agreements to share payment fraud data with other PSPs, subject to a data privacy impact assessment (DPIA) being conducted (and, in case of high risk, a consultation of the privacy regulator). 

This triggers all kinds of data privacy-related questions, such as which data is shared, in what circumstances, etc. We know from the Dutch experience with the External Reference Register (Extern Verwijzingsregister) what kind of legal issues may arise. Also, the question is how this will work on an EU level, which would require involvement from the European Data Protection Board (EDPB) to avoid a fragmented approach across the EU.

Finally, the introduction of direct access for payment and e-money institutions to payment systems such as TARGET 2, which is also included in the Instant Payments Regulation (IPR), has the potential to significantly increase competition. This change allows these institutions to operate independently of banks, providing them with more flexibility and opportunities for innovation. 

In order to prepare for PSD3 and PSR, banks and PSPs should start on time with a gap analysis to see what the potential impact for their products and services will be. In particular, technical changes (such as changes to the dedicated interface) require a lot of time to implement. Also, some exceptions to the licence requirements under PSD2 are narrowed in scope, such as the commercial agent exclusion and limited network exception. Potentially, this means that fintech companies that were previously not licensed may have to obtain a licence under PSD3 and PSR. 

As long as the legislation is not final, banks and PSPs could even try to make themselves heard and influence the decision-making process. Ultimately, all PSPs should reapply for a licence under PSD3, which means they should seek legal advice. Finnick can assist with this if needed.

Open banking under PSD3 introduces stricter requirements for ASPSPs to provide seamless data access interfaces. What legal challenges do you foresee FinTech companies facing in ensuring compliance with these standards? How can Finnick assist in mitigating risks while fostering innovation in open banking?

Given that there is no uniform standard for data access interfaces, FinTech companies are now confronted with different APIs from the banks they are connecting with. As these APIs also change regularly, it is very hard for FinTech companies to keep track of all the changes to the APIs and ensure that their services keep running smoothly. The PSR mandates that changes to technical specifications for the dedicated interface must be announced 6 weeks in advance, which is not an awful lot of time.  

The problem is that FinTech companies remain dependent on the ASPSPs for data access. The PSR provides for a dispute resolution mechanism with the competent authority in case of unavailability or underperformance of the dedicated interface (see also my answer to the second question). FinTech companies must monitor the performance of the data access interfaces and be willing to submit their case to the competent authority if needed. Finnick can assist FinTech companies in this process. It often helps to send a formal letter of objection to the regulator if an incident relating to the dedicated interface is not resolved on time or satisfactorily. This keeps the regulator alert and puts the relevant ASPSP on notice.

The new SCA guidelines emphasise inclusivity, ensuring accessibility for users without smartphones or digital skills. How do you think this balance between security and inclusivity will impact the adoption of payment services across Europe? What role can legal advisors like Finnick play in helping PSPs align with these requirements?

The rules relating to accessibility for users without smartphones or digital skills may potentially increase the adoption of payment services across Europe, as it ensures that all users (regardless of their technical skills and background) can access secure payment solutions. 

By addressing these inclusivity concerns, financial institutions can expand their customer base and provide seamless customer experiences. However, the new rules may also lead to increased costs, as the PSPs will have to incur additional costs, and they are not allowed to charge for SCA. 

It is, therefore, important to find the right balance between security and inclusivity. This is where legal advisors like Finnick can play an important role by acting as a sparring partner and challenging the different SCA solutions that are being offered from a legal perspective. 

With your expertise in crypto and blockchain, how do you view the integration of these technologies within the evolving EU payments landscape? Are there specific regulatory gaps or opportunities that FinTech companies should be aware of as they explore blockchain-based solutions?

Fintech companies providing payment services and exploring blockchain-based solutions should carefully review the regulatory landscape, as they would potentially need a licence as a crypto-asset service provider (CASP) under MiCA in addition to a PSD2 (or EMD2) licence. 

The overlap between these two regulatory frameworks becomes particularly apparent when addressing the treatment of e-money tokens (EMTs). MiCA considers EMTs as crypto-assets, while PSD2 classifies them as "funds," which fall under its payment service regulations. This does not change with PSD3 and PSR. 

This dual classification has given rise to several challenges, which is why EBA and ESMA have been invited to come up with proposals to ease compliance and further harmonise these two legislative frameworks. It remains to be seen what proposals will be put forward and how this will affect PSPs and CASPs.

Given Finnick's emphasis on a results-oriented approach and clear communication, how do you help FinTech companies anticipate future regulatory shifts? Can you share an example where proactive legal strategy significantly benefited a client in navigating regulatory changes?

At Finnick, we emphasise the importance of clients staying on top of regulatory developments and anticipating any changes in the regulatory environment in a timely manner. Our hands-on approach means that we not only assist with a legal analysis for the PSPs but also think about the practical aspects of the implementation, ensuring changes are effectively integrated into their operations. 

Our clear and simple communication means that we try to make things easy by stepping into the shoes of the entrepreneur: what are the problems he/she encounters or the issues he/she is most concerned with, and how can we solve them? 

An example of our proactive strategy involved the implementation of the PSD2 legislation when there was uncertainty regarding the interpretation of the term ‘payment account’. The question was whether certain savings accounts were also covered by the new legislation.

By reaching out to various market participants and preparing a joint position paper which was subsequently shared with the Dutch supervisor (DNB), we managed to start a regulatory discussion which ended up at a European level. This eventually led to a written position from the European Commission which endorsed the client’s views, leading to significant savings of time and money for the client.

In conclusion, Arie’s insights underline the importance of staying ahead of regulatory change in the fintech industry. With PSD3 and PSR on the way, fintech companies will need secure and inclusive authentication, risk-based fraud prevention, and reliable data-sharing mechanisms to stay compliant and keep users’ trust. Arie also highlights the value of a proactive legal strategy and clear communication, as demonstrated by Finnick’s work in guiding fintechs through regulatory shifts. By preparing early and continuously monitoring regulatory developments, fintech companies can position themselves for success.





