News

by rebecca rebecca No Comments

Member Spotlight: ValidiFI


Can open finance positively impact the traditional financial services sector? ValidiFI has proven it can.

ValidiFI is a technology company that delivers data solutions to business and financial service providers. Simply: through a combination of technology and strategic partnerships, ValidiFI creates better ways to validate and analyze customer information.

ValidiFI’s data—which is sourced from banks, payment processors, financial platforms, and hundreds of thousands of businesses—comprises the most comprehensive lake of financial information in the industry. Financial services firms harness the data to improve account openings, credit decisions, payment processing, fraud detection, and risk segmentation. Businesses of every size—from new startups to public companies—use ValidiFI solutions to increase sales and facilitate payments.

Take managing underwriting and risk, for example.

It is becoming increasingly difficult for financial institutions to properly segment their applicants while identifying who will be a good and bad customer. ValidiFI’s alternative data solutions help firms identify and segment the risk of applicants based on their employment, income, and bank data. ValidiFI’s Payment Instrument (PI) Risk Score analyzes thousands of attributes to enhance the financial profile of the consumer, helping to mitigate fraud, reduce defaults, and reduce returns.

ValidiFI’s tools also help financial services firms stay compliant with government and organizational regulations. Using Bank Account Validation (BAV), firms can adhere to the Consumer Financial Protection Bureau’s payment provisions. ValidiFI also offers comprehensive Account Validation services to help maintain compliance with Nacha’s WEB Debit Rule.

According to ValidiFI, accessing a greater range of data is essential as the United States and Canada climb their way out of the COVID-19 health and economic crisis. ValidiFI said companies that are able to adapt to change by utilizing alternative underwriting methods and data, for example, will recover and advance more successfully.

ValidiFI joined FDATA North America in March 2021.

President and Chief Operating Officer Jesse Berger said, “Access and insight into the rapidly changing regulatory environment for open banking and finance is crucial. It is vital for the development of innovative financial data and technology products like those offered by ValidiFI and other FDATA members. With FDATA’s support, members are ensuring financial products give consumers and businesses more choices and competitive service offerings.”

by paul paul No Comments

Leveling up the UK Market

Leveling up the UK Market: Why the FCA has determined the MCI has got to go [but also why API performance matters]

It may seem like a minor change in regulatory policy; it, however, is not. I’ve said that repeatedly about various points in the FCA’s recent consultation on changes to the Regulatory Technical Standards (RTS). It bears repeating, but this time my poetical waxing focuses on a major change to how all banks across the UK market provide access to consumer data: the removal of the modified customer interface (MCI) exemption.

When combined with Secure Customer Authentication (SCA), those banks who took the exemption to providing an API, instead offering up an MCI, ended up with something that basically stopped data access in its tracks. It also rendered passive screen scraping impossible. [Screen scraping is verboten under PSD2, except when an MCI is the only means of accessing the data; it’s also a materially less secure means than API data access as it’s all about repeated security credential sharing.] And for those customers of banks who only offer an MCI, screen scraping is the only way they’re able to access value added services fintechs provide; yet they can’t extract the full value of those services because of how SCA is applied. Why? Because screen-scraping is technically impossible without the customer present to authenticate every data request.


MCIs are the proverbial catch-22, with bad consumer outcomes no matter how you slice it.


Fintechs (third party providers, TPPs under PSD2) have proven business model utility time and again over the last 15 years, pre-PSD2; yet SCA policy is the proverbial looming sword over the TPP business model neck. It is not the lack of proven business model value that threatens the aims of PSD2 to deliver competition and innovation to the market; it is bad policy that threatens to kill fintech.


In short, due to the nature of MCIs, they require a customer be present for every data transfer from the bank to the fintech. Combined, the SCA and 90-day Reauth rules in the MCI scenario result in a near 100% customer attrition rate for the fintech; and a 100% value loss for the end customer.


Before APIs became de rigueur, screen scraping was the norm. Screen scraping access models for TPPs typically involve the Account Information Service provider (AISP) or their Technical Service Provider (as their agent) storing static login credentials, then passing those credentials through the end consumer’s interface when the customer is not present. PSD2 did try to protect the TPP’s right to pass through these security credentials in the Level 1 final text (PSD2 itself), however clarifications in the Regulatory Technical Standards (RTS) step back from this.


The pedantry from my previous article continues. Bear with me here, because this matters – and it proves why the FCA’s proposal to revoke the MCI exemption is such a big deal for end consumer value.


PSD2 Article 67(b) states that the AISPs must ‘ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that when they are transmitted by the account information service provider, this is done through safe and efficient channels’.

However, RTS Chapter II introduces authentication codes, dynamic linking (to enable authorisation in the payment flow) and a requirement to keep the Knowledge, Possession, and Inherence elements of the SCA flow strictly separate to avoid the compromise of one element afflicting another.


Remember Article 10 in the RTS? It says that Payment Service Providers are ‘allowed not to apply SCA’ to AISP access between the initial set up access and the 90-day reauthentication. If a bank applies SCA here, they block the TPP from transmitting personalized security credentials. It’s this point at which the RTS effectively contradicts the intention of PSD2 – particularly in the case of banks offering an MCI.

Instead of using the end-customer’s security credentials (typical screen scraping stuff), the fintech is now obligated to identify itself to the bank in order to access the data via the MCI. This becomes a double challenge when the bank has designed SCA for the MCI in such a way that there is a dynamic element to which only the customer has access. This is especially troublesome as the bank has no obligation not to use SCA for all connections. It is another technology layer fintechs must contend with in order to pass through the authentication gateway, another engineering challenge, and another obstacle to circumvent in what should be obstacle free consented data access.

Compounding insult to injury, the engineering workaround introduces even more security vulnerabilities. If banks fail to address these and implement SCA, fintech (AISP) customer-not-present access is completely inhibited. Moreover, banks are not providing test environments for SCA through their MICs, which causes significant business interruption for both fintechs and the end consumers.


Long story short: while the RTS seeks to improve security measures, SCA as applied to an MCI is inconsistent with the intent of PSD2, and materially impacts continuity of customer service and introduces security vulnerabilities.


The FCA consultation addresses dynamic linking of authentication in section 4.7 of their consultation; it is the justification for eliminating the MCI exemption. By eliminating this exemption, the FCA is pushing to level up the rest of the market to the big nine UK banks mandated under PSD2 to deliver a dedicated API. This is good for the market, and especially good for end consumers. It means less risk of being cut off from data access and services.
And yet. (You were waiting for that, weren’t you?). And yet this is where API performance and conformance are clutch hitters in whether that unblocked data access is a reality.


It’s fair to say that some fintech services require continuous access, otherwise they don’t function. However, not all banks are delivering consistent high-quality performing APIs unilaterally across the UK market. Early on in the UK open banking journey, consistent performance and conformance was a pipe dream; however, both have improved immensely for the big nine in particular under the supervision of the Open Banking Implementation Entity. But banks not mandated under the Competition and Market Authority’s order are not held to the same technical standard, nor the performance and conformance requirements. This fact alone is proof that independent oversight and monitoring are crucial to achieve quality delivery across a single market.


However, relying on banks to provide self-assessment of API performance and conformance is tantamount to leaving the student to mark their own exams: it’s meaningless and subjective. Rather, tech should be used to measure tech, and all parties in the ecosystem should be supervised to the same standard. Going forward, all banks across the UK market should be held to the same API standards that apply under Open Banking, and the FCA would be wise to hold that line for all UK banks once the MCI exemption is removed.


There is another reason why the quality of an API matters: contingency access methods. This contingency method is provided for in the RTS in yet another paradoxically ineffective approach to ensure TPPs have access to data.
Because of inconsistent API implementations (aside from the UK big nine, this inconsistent delivery is true for both the long tail of UK banks as well as financial institutions across the EU as a whole), banks have had to fall back on providing contingent methods of access. RTS Article 33(4) explains the conditions and expectations on the bank in providing contingency methods to access when their dedicated access (the API) fails:
“As part of the contingency mechanism payment service providers referred to in Article 30(1) shall be allowed to make use of the interfaces made available to the payment service users for the authentication and communication with their account servicing payment provider, until the dedicated interface is restored to the level of availability and performance provided for in Article 32.”


TPPs are hopeful that the risks are somewhat mitigated by real rigueur in the exemption process, however the TPP community is very skeptical as to whether the Contingency Access Method is realistic, because it is costly to maintain two types of access methods. Normally, once customers have been migrated to the API access model, they stay there. The wholesale transition of TPPs’ customers to a new Consent, Authentication, and Authorisation flow cannot be reversed easily. Moreover, TPPs cannot maintain direct access (screen scraping) agents for ASPSPs which they are not allowed to use, that can reasonably be expected to function in a crisis. Customers cannot be induced at the ‘touch of a button’ to re-enter credentials for the AISP use case. There Is no scenario under which a PSU will re-authenticate daily, let alone several times a day, to maintain access.


It is more than likely a fintech would remain non-functional while waiting for the ASPSP to fix their API channel. In addition to the technical and customer security issues, there would be material customer communication, confidence, and engagement challenges. Moreover, the bank would be violating RTS Article 32(3) by creating an obstacle to PIS and AIS services. Any faith that contingency access while an API is down is mooted even before we’re out of the gate. Article 33(4) is pointless in the face of reality.


Just one more point about obstacles, and more to the point, what RTS Article 32(3) specifically says that banks are obligated to ensure that their “interface does not create obstacles to the provision of payment initiation and account information services” It ALSO explicitly states that obstacles to the provision of those services may include, among other things, ‘imposing redirection to the [bank’s] authentication or other functions, requiring additional authorisations and registrations.’


Here is where poor API performance and bad customer journeys intersect: in mandatory redirection. Licensed fintechs have a right to access consenting customer account data in order to retrieve information strictly necessary to provide their services under Article 66(2). Banks have a choice to continue to allow for direct access via the customer-facing online banking interface (including mandatory identification of the TPP) or to provide a dedicated API.


Mandatory redirect is a clear violation of Aritlce 32(3), as well as PSD2’s principles of technology and business model neutrality. Mandatory redirect is also excluded under Aritlce 30(2b), in that the interface needs to ensure that the communication session between the bank, the fintech, and the consumer concerned be established and maintained throughout the authentication step. Article 30(2b) explicitly forbids disrupting a TPP session to divert the consumer back to the bank; such a disruption is the very definition of redirection.

The principles of technical and business neutrality enshrined in Article 98 PSD2 would dictate that the banks cannot force PISPs and AISPs to use redirection. Rather, the RTS provides that banks must leave the possibility open to offer the customer an option to use and stay connected to the fintech’s own website for authentication.


Moreover, mandatory redirection only exacerbates the SCA problem. If SCA is imposed in an obstructive manner, and SCA includes mandatory redirection, fintechs will suffer additional negative impacts and restrictive competitive opportunities Mandajtory redirection relegates the noble aims to promote competition and improve customer outcomes to the rubbish bin: it allows banks who offer the poorest customer journey to suffer the least competition.

I mention mandatory redirect to underscore a point: where and how SCA is being placed in the customer journey has been so poorly executed that it necessitates being declared an obstacle. Mandatory redirect is just insult to injury in a line of obstacles to accessing data and hurdles to be cleared in the customer journey. It is time for those obstacles to be removed. The FCA clearly recognizes this, and their proposed elimination of the MCI exemption is proof of it. The UK market – banks, fintechs, and end customers – will profit from this. It’s time the rest of the EU markets saw the same light and upgraded the whole market to API first (based on harmonised, interoperable tech standards across the board).

Download Document Here

by rebecca rebecca No Comments

FDATA North America Sends Letter to Canada’s Department of Finance on Next Steps in Delivery of CDF

March 15, 2021, Washington, DC – Today, the Financial Data and Technology Association (FDATA) of North America submitted comments to Canada’s Department of Finance outlining its key recommendations for next steps in the deliver of Customer-Directed Finance (CDF). 

Following the conclusion of the second phase of the CDF advisory committee’s consultations at the end of last year, FDATA North America Executive Director Steve Boms encourages the Department to advance the process of implementing a CDF system in Canada this year by:

  1. Appointing a full-time, senior staffer at the Department as soon as possible whose sole responsibility will be to oversee the design and delivery of a CDF regime in Canada; and
  2. Creating a CDF Implementation Entity tasked with the policy design and implementation of open finance in Canada.

Boms noted that FDATA North America and its members “are committed to seeing CDF become a reality for the benefit of Canadian consumers and SMEs. To achieve this goal, and to provide industry with the policy framework under which such a regime can be delivered, we respectfully encourage the Department to begin implementation of a CDF in Canada by appointing a senior staffer within the Department to be responsible for the delivery of CDF and by creating the CDF Implementation Entity as soon as possible.”

Image result for paperclip iconFDATA North America Submission to the Department of Finance


ABOUT FDATA NORTH AMERICA
FDATA was heavily involved in the UK Open Banking Working Group in 2015. In 2016, the working group’s output was published by Her Majesty’s Treasury as the Open Banking Standard. FDATA North America was founded in early 2018. Its members collectively provide tens of millions of consumers in Canada, the United States and Mexico with aggregation-based tools to better manage their finances. Existing FDATA North America members include: air (Alliance for Innovative Regulation), API Metrics, Betterment, Codat, Direct ID, Envestnet Yodlee, EQ Bank, Experian, Fiserv, Flinks, Interac, Intuit, Kabbage, Mogo, Morningstsar, M Science, MX, Petal, Plaid, Questrade, Quicken Loans, TransUnion, Trustly, ValidiFI, VoPay, Wealthica, Xero, and others.

by paul paul No Comments

CDR Market Participants

A CHOICE NEEDS TO BE MADE
If the current definition of CDR Data remains unchanged; the ability to permit accreditation to all levels of the ecosystem is the only way that compliance with the legislation can occur. This includes accountants, advisers, brokers, bookkeepers, marketplace participants, etc.

Download Document Here

by paul paul No Comments

Consumer Data Right

A CHOICE NEEDS TO BE MADE
If the current definition of CDR Data remains unchanged; the ability to permit accreditation
to all levels of the eco system is only way that compliance with the legislation can occur. This includes accountants, advisers, brokers, bookkeepers, marketplace participants, etc.

Download Document Here

by rebecca rebecca No Comments

Member Spotlight: Fiserv


Established in 1984, Fiserv is a leading global provider of payments and financial services technology, including data aggregation. Today, the firm, which has been named among Fortune “World’s Most Admired Companies” for eight years running, helps thousands of financial institutions, millions of businesses, and tens of millions of consumers in more than 100 countries move money and access information.

Fiserv is among the world’s most admired companies for good reason. Just consider, for example, how it has revolutionized consumer financial management. The company has made pioneering contributions in digital banking, electronic bill payment, person-to-person payments, and invented the e-bill.

Fiserv understands that consumers are not thinking about financial data – they’re thinking about buying a home or putting a child through college – or if they have enough money in their bank account to go out to dinner tonight and still cover the bill payment that is due tomorrow. Data is at the heart of what Fiserv does every day. From moving more than $75 trillion each year to delivering a better customer experience to preventing fraud, Fiserv enables today’s digital economy while solving real-world problems for real people and real institutions.

Leading financial institutions and technology providers use AllData® Aggregation from Fiserv to access real time consumer financial data from more than 18,000 unique data sources. Given data security and regulatory compliance are crucial, Fiserv is also focused on reducing risk associated with data sharing via its AllData® Connect product.

Fiserv plays a unique role in the market as both an aggregator and data source – with a client list that includes thousands of banks and credit unions. A range of companies as well as consumers rely on account aggregation solutions from Fiserv, from fintechs disbursing wages on-demand, to lenders automating and expediting the lending process, to financial institutions helping customers gain insight into investments and spending. Fiserv brings decades of data aggregation expertise to the industry, striving to improve the secure exchange of financial data, and deliver value to clients and consumers while helping move the industry forward.

Find out more about Fiserv at www.fiserv.com/alldata.

by paul paul No Comments

CDR RULES EXPANSION AMENDMENTS – SUBMISSION

Open Finance, a precursor to the Consumer Data Right began as a grassroots movement, campaigning for the legal rights of consumers and businesses to have control of their financial data and to be able to share this data with businesses of their choice digitally. It is part of a broader suite of Open Data initiatives, aimed at empowering consumers and small businesses to access, change and benefit from the data held about them by governments and institutions.

The initiative has gathered considerable momentum; various markets around the world are assessing, adopting or implementing laws and regulations to support it. In the EU, Canada, USA, Mexico, Brazil, India, Japan, Australia, Russia, New Zealand, South Korea, Singapore and many other significant markets are already at varying stages of review, policy development or implementation.

Despite these positive market developments, there is still much to understand about the versatility of Open Data, Open Finance and Data Portability to unlock economic potential and to improve the financial wellbeing of customers. In addition to exploring these opportunities, there are also risks and ethical considerations which will be critical factors for governments and regulators in developing policies and regulatory reform moving forward.

Research is needed to understand, measure and forecast the considerable impact of Data Portability on society and to shape public policy to ensure a Consumer Data Right creates positive disruption and the appropriate flows of capital allocation in markets, as well as to assess the techniques of regulation.

FDATA wishes to commend the efforts of the Australian Government in the continuing consultation with Industry and the release of the latest version of rules that will form Australia’s Consumer Data Right. Various groups have supported these works intending to design and develop a fit-for-purpose solution.

To arrive at the most suitable solution for Australia, working with such groups of expertise and enthusiasm, along with a comprehensive suite of participants, is essential. Globally, FDATA has provided comprehensive research and advisory to Federal Regulators and their Government’s alike. The design of the following sections provides targeted feedback in response to this final round of consultation. FDATA would be pleased to provide additional feedback or Global research to the Australian Government if required to progress the formalisation of CDR rules.

Australia has proven to be a world leader in legislative reform and its unique approach to adopting a Consumer Data Right. FDATA commends your attempts to learn from other jurisdictions and consider all options before deciding on the right path forward.

Download Document Here

by paul paul No Comments

How SCA and 90-day Reauth Harm Competition & Security

If you’ve read the previous tomes in this series, you’ll know that the FCA’s proposed change to the 90-day reauthentication requirement will have significant positive impact on the industry – and why this course correction is good for the competitive landscape and fintech innovation. You’ll also already know the context for how the rules combining secure customer authentication (SCA) and the 90-day rule are mired in a conflicting quagmire that does nothing to materially improve customer security and access to open banking value propositions. Not to mention, you’ll already be familiar with how SCA and 90-day do nothing to further the PSD2 objectives to improve innovation, promote competition, and secure consumers better financial outcomes; in fact, it does the just the opposite as it dooms PSD2 to a political failure rather than an innovation triumph.

Download Document Here

by paul paul No Comments

The Detrimental Impact of 90D Reauth & SCA on Fintech, the Market, & End Customers

Secure Customer Authentication (SCA), combined with the requirement for end-users to reauthenticate every 90 days, is meant to provide a secure and reliable way for consumer to connect their bank accounts to regulated fintech services. Or at least that was the intention when it was enshrined in law as part of PSD2’s Regulatory Technical Standards (RTS). But the road to Hell is paved with good intention, and the path that SCA and the 90 Day Reauth rule have created has been chthonic at best, and hellish at worst: the entire Open Banking market has suffered from lost revenues, lost opportunities, and less innovation with fewer value propositions brought to market because of it.

Download Document Here

Top