The online magazine of the Swiss Bankers Association
December 13, 2017


Open banking yes – but with no obligation

Open banking yes – but with no obligation

The banks in Switzerland support open banking, but they want to decide for whom they open interfaces. Forced opening such as under PSD2 in the EU has consequences for the security of customer data.

Almost nobody leaves their front door open so that anyone can walk in. But that is exactly what will happen to the banks and their customers in Europe with the Payment Services Directive (PSD2), which the EU is introducing next year. With this payment directive, the EU is obliging its banks to grant so-called third party payment service providers (TPP) access to bank accounts. With the consent of the customer, these third-party providers receive access to the interface. Exactly who will be walking through the bank’s front doors or to whom exactly the customer will give how much access to their banking information is in some cases difficult for the bank to determine.

Security gaps due to PSD2

Christoph Wille, Valiant Bank
As a third country, Switzerland is not obliged to implement PSD2. Notwithstanding this fact, there are some people here who are calling for a PSD2-equivalent regulation. The Swiss Bankers Association (SBA) rejects such a regulation for a number of different reasons, as it explained during a recent expert discussion with journalists. Not only would a PSD2-equivalent regulation be an unnecessary intervention in what is a functioning market, it would also force banks into a regulatory corset without there being a need to do so. Many questions surrounding security and data protection have still not been resolved under PSD2. "The bank does not know the third-parties that access the account and it is difficult for customers to assess who they give access to", explained Christoph Wille, Head of Distribution Channels at Valiant Bank, to the journalists who attended the event. "That concerns me." Fishing attacks are already an issue, and the problem will become bigger with the PSD2 regulation, said Wille.

“The banks want to be part of the decision-making”

Rolf Brüggemann, SBA
According to Rolf Brüggemann, Head Tax, Legal & Compliance and Regulatory at the SBA, it is not about preventing or disabling the competition. "But the banks have a responsibility to protect the customer as best possible. With PSD2, this high level of protection can no longer be guaranteed", Brüggemann warned. Just like the customer, it is also difficult for the bank to determine whether a third-party provider is secure or not. "That is why the banks want to be part of the decision-making in terms of who they trust and to whom they will open their interfaces with access to customer data", said Brüggemann.

Open banking works – without obligation

There are countless examples that show that open banking is on the rise in Switzerland and that even without PSD2, innovative business models are being implemented. One example of third-party applications having access to accounts is Ebics, which is offered by a number of different banks. Ebics offers corporate clients non-discriminatory and free access to customer accounts and enables the initiation of payments using the interface. The security for the user is guaranteed through distributed electronic signatures.

Source: Valiant Bank

There are plenty of other innovative examples that are already being used or that will be implemented shortly: for example "Klara", a digital assistant that uses a platform to carry out all of an SME’s administrative processes, or "bexio", the market leader in online accounting, which offers numerous functions ranging from contact management through to accounts payable using automatic data exchange via e-banking. "We are on the right path", says Christoph Wille of Valiant. "The interfaces are in place, but they are not yet where we would like them to be. We’re in the process of standardising these interfaces so that open banking will be as far-reaching as possible."

"We are on the right path."

So innovation can also be achieved at the banks in Switzerland without their hands being forced by regulation. This is why the one-sided opening of access rights for third-parties as required within the EU under PSD2 is unnecessary. What’s more: it is an experiment that is being conducted at the expense of bank customers and that puts the security of customer data at risk.