AT A GLANCE:
PSD2 & DATA PROTECTION
January 2021 saw the introduction of new rules for online credit card payments. All online merchants must now meet the requirements of the EU PSD2 Directive with regard to strong customer authentication, which aims to make credit card payments on the Internet more secure. But what else has actually changed as a result of the PSD2 Directive coming into force three years ago?
THE DIRECTIVE IN DETAIL
The “Payment Services Directive 2” (PSD2 for short) is an EU Directive for payment services. With this Directive, the EU aims to strengthen consumer protection, increase the security of online payments and promote the further development of digital solutions in the European Economic Area. The Directive is being implemented in Germany in two stages: the first stage has been in force since January 2018 and the second stage since autumn 2019.
What issues does the Directive regulate?
- Fewer fees: online payments will become cheaper for consumers because merchants are no longer allowed to charge extra fees for using payment methods such as bank transfer, direct debit or credit card.
- Less fraud, more security: additional security requirements will make fraud more difficult and better protect consumers; for example, strong customer authentication will become mandatory when making online payments and accessing online banking. So-called “two-factor authentication” allows the customer to be unequivocally identified using at least two features from different categories: the customer’s knowledge (PIN, password), possession (card, mobile phone) or inherence (biometric characteristics such as fingerprint, iris).
- New services and more convenience for consumers: banks will have to allow third-party providers such as financial start-ups (fintechs) and insurance start-ups (insurtechs) offering new digital solutions to access their customers' account information via standardised interfaces, if the customer authorises one of these third-party providers to do so.
Consumers own their data and have full control
Consumer advocates often warn against “data leeches”, suggesting that they allow anyone to easily and permanently access all data. This is not correct. It is true that until the introduction of the PSD Directive, there were two major problems: firstly, banks had a monopoly on their customers' account data for a long time. Secondly, when the first providers of banking apps, contract cancellation services and instant transfers started accessing bank details, there were initially no clear rules. Consumers often simply gave these providers the login details to their accounts, and the providers then accessed the data with them. This is where the PSD Directive comes in: it breaks up the banks’ monopoly on account data, and it creates a legal framework for third-party access to accounts, which sets out exactly under which conditions banking information may be accessed:
- Nothing is permitted without consent: the PSD2 Directive increases the customer’s self-determination as the responsible owner of his data: he alone decides who may access his banking information and who may not. Third-party providers are only granted access to account information if the customer explicitly agrees.
- Revocable at any time: if the consumer changes his mind, he can withdraw his consent at any time.
- Time-limited: being granted access on one occasion does not automatically mean permanent access, because the customer must reiterate his consent periodically – usually every 90 days.
- Purpose-specific: access and processing of personal data by third-party providers is limited to the content required for the purposes for which the consumer has given consent.
- BaFin authorisation required: here in Germany, only providers that have a special permit from the Federal Financial Supervisory Authority (BaFin), which also supervises banks, are allowed to access account information on behalf of the consumer. The PSD2 Directive distinguishes between two types of services: payment initiation services and account information services.
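The access conditions listed above (explicit consent, revocation, the usual 90-day re-confirmation, purpose limitation and the requirement that only an authorised provider may access the account), together with the two-factor rule from the section on strong customer authentication, can be expressed as a single access decision. The following is an added example written for this page, not code from Friendsurance, a bank or any account information service; the provider register, the customer and consent records and the purpose names are constructed for illustration, and `evaluate_access` is a hypothetical function showing how a defender would enforce each rule and record why a request was refused.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import FrozenSet, Iterable, Optional, Set, Tuple


class Factor(Enum):
    """The three categories of authentication factor used by PSD2 SCA."""
    KNOWLEDGE = "knowledge"    # PIN, password
    POSSESSION = "possession"  # card, mobile phone
    INHERENCE = "inherence"    # fingerprint, iris


# Consent normally has to be re-confirmed by the customer every 90 days.
CONSENT_VALIDITY_DAYS = 90

# Constructed stand-in for a register of authorised account information
# services (hypothetical identifiers, not real BaFin licence holders).
AUTHORISED_PROVIDERS: Set[str] = {"example-aisp"}


@dataclass
class Consent:
    customer_id: str
    provider_id: str
    purposes: FrozenSet[str]          # e.g. {"insurance-folder"}
    granted_at: datetime
    sca_factors: FrozenSet[Factor]    # factor categories presented at grant time
    revoked_at: Optional[datetime] = None


def sca_satisfied(factors: Iterable[Factor]) -> bool:
    """At least two factors from *different* categories are required;
    two passwords count as one category and do not satisfy SCA."""
    return len(set(factors)) >= 2


def evaluate_access(consent: Optional[Consent], provider_id: str, purpose: str,
                    now: datetime,
                    authorised: Set[str] = AUTHORISED_PROVIDERS) -> Tuple[bool, str]:
    """Decide one access request and give the reason, checking the rules in
    the order a bank would: who is asking, was consent given, with SCA,
    is it still valid, and does it cover this purpose."""
    if provider_id not in authorised:
        return False, "provider is not an authorised account information service"
    if consent is None or consent.provider_id != provider_id:
        return False, "no consent on file for this provider"
    if not sca_satisfied(consent.sca_factors):
        return False, "consent was not granted with strong customer authentication"
    if consent.revoked_at is not None and consent.revoked_at <= now:
        return False, "consent has been revoked by the customer"
    if now - consent.granted_at > timedelta(days=CONSENT_VALIDITY_DAYS):
        return False, "consent older than 90 days; customer must re-confirm"
    if purpose not in consent.purposes:
        return False, f"purpose '{purpose}' is outside the consented scope"
    return True, "access permitted"


# Constructed sample consent: granted on 10 January 2021 with password + phone.
SAMPLE_CONSENT = Consent(
    customer_id="customer-1",
    provider_id="example-aisp",
    purposes=frozenset({"insurance-folder"}),
    granted_at=datetime(2021, 1, 10, tzinfo=timezone.utc),
    sca_factors=frozenset({Factor.KNOWLEDGE, Factor.POSSESSION}),
)


if __name__ == "__main__":
    checks = [
        ("example-aisp", "insurance-folder", datetime(2021, 2, 9, tzinfo=timezone.utc)),
        ("example-aisp", "credit-scoring", datetime(2021, 2, 9, tzinfo=timezone.utc)),
        ("example-aisp", "insurance-folder", datetime(2021, 5, 1, tzinfo=timezone.utc)),
        ("unknown-app", "insurance-folder", datetime(2021, 2, 9, tzinfo=timezone.utc)),
    ]
    for provider, purpose, when in checks:
        allowed, reason = evaluate_access(SAMPLE_CONSENT, provider, purpose, when)
        print(f"{when.date()} {provider:13} {purpose:17} -> {allowed}: {reason}")
```

Each refusal carries its own reason so that the bank can show the customer, in the online banking overview mentioned later on this page, why a particular provider was or was not given access; the 90-day rule is enforced from the original grant date, so a renewed consent has to be recorded as a new `Consent` object rather than by touching the old one.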
The more concrete the benefits, the more open-minded consumers are
Germans are still rather cautious regarding the use of personal data, such as health or financial data, in comparison with digital pioneers such as Denmark, Estonia or Sweden. However, the proportion of those who cannot imagine sharing their account details under any circumstances is decreasing, according to the results of a study by PwC Strategy& published in September 2020. Today, one in five Germans (20%)* is willing to grant access to their account information if they receive benefits, additional services or similar in return (see below for practical examples). According to a study conducted by the market research institute Heute und Morgen in November 2018, willingness to provide access to insurance companies of which the respondents are already customers is among the highest (23%)**. Trust in insurance companies is reinforced by the fact that they are also supervised by BaFin.
HERE'S HOW THE PSD2 DIRECTIVE MAKES YOUR LIFE EASIER
Please note: Many banks and building societies have a function in their online banking set-up that allows you to see which account information or payment initiation services have accessed your account on your behalf, and to manage that access.
Benefits of the PSD2 Directive for insurance policyholders:
The PSD2 Directive also offers benefits in relation to insurance, including in the field of so-called “digital bancassurance”. This involves incorporating insurance into the range of online products offered by banks, so that consumers can manage their financial and insurance affairs quickly, easily and efficiently in one central location. With the help of digital bank account analytics, customers can be offered more convenient, more suitable and more affordable insurance solutions:
- Digital insurance folders: many consumers want to manage their insurance policies digitally, rather than with lots of paper forms. The PSD2 Directive makes it much easier to transfer policies into a digital insurance folder: consumers no longer need to have their insurance documents to hand or to manually enter policy details. Instead, insurance-related information such as the policy number is automatically recognised from bank account entries and is presented in a digital insurance summary.
- Tailor-made coverage: major life events can also be identified and appropriate adjustments to the insurance cover can be proposed. If the bank account has recently started receiving child benefit payments, the insurer can ask the customer whether there has been an addition to the family and, if necessary, check that the insurance cover is suitable for families. If the rent has changed, the customer may have moved and home insurance coverage may need to be reviewed. Using the account information allows insurance companies to offer prompt, individually tailored and therefore relevant insurance quotes.
- Cheaper contracts: overpriced old contracts can be identified from the account information and more cost-effective alternatives can be offered, which the customer can accept at the click of a button directly through their online banking, which they log into regularly anyway.
Benefits of the PSD2 Directive for insurance companies and banks:
- Insurance companies can offer their customers more convenient, more suitable and more affordable insurance solutions based on the new information. They also have the opportunity to significantly increase the frequency of contact with their customers, becoming more relevant in their daily lives.
- Alongside their traditional banking business, banks can now also incorporate external offers from insurers and insurtechs into their own platforms, offering appropriate services to their customers and thus increasing customer satisfaction and loyalty.
PSD2 as a cornerstone of Friendsurance's product range
In its “Friendsurance Business” division, the Berlin-based tech company develops and operates B2B2C digital insurance sales platforms for insurers, banks and other partners. The range includes:
- A scalable and modular technology platform with various features for digitally managing and optimising insurance. Friendsurance facilitates a deep and seamless integration into each partner's business environment.
- Various cooperation models in the field of digital bancassurance (agent and broker licences as well as white-label solutions, customised solutions and mixed models where a white-label solution can be combined with customised modules).
- Support in the digitalisation of other insurance distribution channels.
- A deep understanding of customer needs based on many years of experience in B2C business, as well as a wide range of customer services and CRM tools for an improved customer experience.
- PSD2-compliant bank account analytics to automatically identify customer needs, supply gaps and optimisation potential.
Digital account analytics: Highest data protection and data security standards
Friendsurance's digital bancassurance solutions can also use account information in accordance with the PSD2 Directive if the customer gives their express consent: firstly, when creating the digital insurance folder, and secondly, to identify life events. Friendsurance complies with the principle of data minimisation and the customer is fully informed about all information collected and must explicitly consent to their data being processed.
As account information may only be accessed in Germany by so-called account information services with a special permit from the Federal Financial Supervisory Authority, Friendsurance only works with state-regulated providers with the appropriate licence. Friendsurance itself does not have access to its customers’ account access credentials at any point.
Friendsurance processes the account information generated in this way using its own algorithms specially developed for insurance data. Only data relevant to the specific use case is processed. No data is passed on to third parties.
All legal data protection requirements are complied with and the customer receives the highest possible level of data security: Friendsurance operates strictly in accordance with consumer protection regulations and complies with all legal requirements under the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG) and the General Data Protection Regulation (GDPR). All data-related processes are approved in advance by the company’s legal department and data security expert and are subsequently monitored on an ongoing basis. Furthermore, Friendsurance maintains close contact with all regulatory authorities.
Dr. Sebastian Herfurth
Last update: 09.02.2021