4 min read

Payment data in 2020: partnerships are key - but beware

2 December 2019

In the past, a bank sent money to another bank by order of the payer. Today, a number of technological companies are involved in a financial transaction. How do you, as a small or large company in that chain, deal with all the payment data?

The impact of tech on society has never been as great as it is now. Everything revolves around the laws and regulations that have been revised after years of discussion and lobbying and that focus on modern life. Whereas before, tech companies could first develop an innovative product and then tweak the product to comply with the legislation, nowadays the (very) strict requirements for a product or service already apply as soon as it is put onto the market. Benefits for the consumer, but stressful times for entrepreneurs: is the company still compliant? Do new investments need to be attracted in order to comply with privacy legislation? And how can I prevent a clash with the regulator?

One of the most eye-catching regulations is PSD2: a new European directive on payment services for consumers and businesses. It will allow account holders in the EU to give companies, other than their own bank, access to their bank account details. Many FinTech companies are entering this market and offer useful tools for the account holder. For example, the mortgage lender who can see what a person’s spending pattern is at the touch of a button. “But that doesn’t happen just like that,” explains FinTech and payment transfer expert Arno Voerman.

“Regulators, the Personal Data Protection Authority (DPA) and the Dutch Central Bank (DNB), make FinTech companies jump through many narrow hoops. Discussions between regulators have also delayed the introduction of PSD2 in the Netherlands – it is almost the last country in the EU to do so. The PSD2 regulation in the Netherlands is also stricter in some respects than it may be in other countries. For FinTech companies, this means that they have to set up their service at both the back and the front, so that it is clear to the consumer what exactly he is giving permission for.”

The DPA is the talk of the town for FinTech executives and banks, because the regulator has stated that transaction data is primarily used to analyse, profile and perhaps even to sell to third parties for commercial purposes. “The regulator keeps a close eye on developments in the use of payment data for commercial purposes,” says Voerman.

Looking to the future starts at the very beginning

When starting up a tech company, it is important to have everything in order at the base, even for those things you cannot or do not want to offer yet. Does the FinTech start-up already know that it will want to offer insurance in three years’ time? Then make sure you know which permits you need for this purpose, and let the licensing process begin. Patching things up afterwards is usually possible, but it costs a lot of time and money, both on the income side and on the expenditure side. A large number of FinTechs will not survive after one or two years. The data gained will have to be erased, but sometimes it is sold on as well. But, pay attention to the GDPR: can data be sold just like that?

 

In order to be able to process and retrieve these payment data, you can enter into partnerships with other parties in the payment chain. Voerman: “A licensee can make a connection with about 6000 European banks. Building the technical link yourself, via an API, costs a lot of money, knowledge and manpower. Access to an API can also be purchased from an API builder or an API Hub. These are new parties that have found a place in the chain.”

And that is what makes the theme of ‘partnerships’ so important, says Voerman. “Collaboration will often be a better option than building it yourself”.

So PSD2 is revolutionising the payment sector, but a FinTech company must be able to hold its ground in the jungle of laws and regulations, regulators, privacy, partnerships and competition. Voerman does have a suggestion: “Be clear about your company’s revenue model when working with potentially sensitive data. Reputational damage can be devastating.”