Data directive New E.U. Law Gives Fintechs Upper Hand

A new E.U. law will give financial technology firms access to people's bank account information, potentially allowing them to poach clients from established banks. The old firms could suffer huge profit declines as a result.
Quelle: Bloomberg
Germany's established banks, mostly based in Frankfurt, will have to react fast to the new directive.

The European Union’s second Payment Services Directive, or PSD2, sounds bureaucratic and unspectacular, but it contains dynamite for established banks.

It will allow young technology companies to mount an all-out assault on the core business of banks.

The new rules, which will become law in Germany by January 2018, will give so-called fintechs and other firms direct access to a treasure the banks have been closely guarding: the account information of their private customers.

“The implementation of the directive will topple the house bank privilege,” said Hans Kraus, senior partner at consultancy Capco Deutschland. Until now, banks that run the checking accounts of their customers have the closest contact with them and can easily sell further products such as construction loans or insurance.

But in future, non-banks will be able to get in on the act — if the customers permit it — and use the clients’ account information to offer tailor-made products.

Those [banks] that don’t invest in digital strategies will be left behind sooner or later. Christopher Kampshoff, head of fintech Lendstar

It heralds a painful loss of business for the banks which are already struggling to cope with low interest rates and increased regulation.

Management consultancy Roland Berger calculated that, in the long term, it could cost the established banks up to 40 percent of their profit in their retail banking business. If banks lose their quasi-exclusive relationship with customers, their margins and fees from private loans, insurance, payments transfers and other services will be at risk, it said.

Banks have been aware of the threat for some time, but have been slow to respond. “Many banks still don’t have any concrete strategies,” said Jörg Sandrock, an advisor to executives in the financial services industry for Strategy&, PwC’s strategy consulting business.  “They’re making sure they fulfil the regulatory requirements but they’re not investing enough in new revenue models.”

The actual purpose of PSD2 is to enhance consumer protection and boost competition in the payments business. In particular, the E.U. wants to make paying for online purchases safer, easier and cheaper for customers.

But it also calls for strengthening the role of non-banks if they provide innovative payment methods or use payment information to offer new services for consumers such as financial planning or insurance.

To allow them to get the necessary information, the banks must now install gateways that can be opened to third parties. It could end up reducing banks to being pure payment processors.

But the banks have options. Christopher Kampshoff, the head of Lendstar, a fintech, said: “Data are the new interest rates. The banks have the possibility to monetize their data protection.” But that will require the banks to get moving and respond to the challenge. “Those that don’t invest in digital strategies will be left behind sooner or later,” he said.

Banks tend not to use their clients’ data. Many even believe they’re not allowed to analyze them — but all they need to do is ask their customers for permission, even under Germany’s strict data protection laws — as long as they explain what they plan to do with the information.

Peter Grosskopf, chief technology officer at Solarisbank, said this can benefit customers. “Of course the analysis of transactions on the account can lead to recommendations for cheaper offers. Basically, customers are to an extent being empowered more.”

Fintechs have fewer qualms about handling customer data. “They mainly concentrate on technical developments and barely have data protection on their radar,” said Michael Kaiser, an official who works in the Hesse regional government’s information privacy unit. That too will have to change with the new directive coming into force.

Companies will need a license from the Federal Financial Supervisory Authority (Bafin) to provide payment services. They will also have to adhere to data protection rules and have liability insurance.

That’s not enough for the banks. The Association of German Banks, not usually a friend of more regulation, has just released a paper on “Digital Payment 2020” proposing that firms be obliged to reveal what they plan to use customer data for and whether they will pass it on to third parties.

“The same rules must apply to all,” said Michael Mandel, management board member of Commerzbank and chairman of the bank association’s committee for retail and business clients. “Also, some details on liability still have to be sorted out.”

Martin Schmid, head of security at account information service company FinTecSystems, said: “Ideally there will be a uniform gateway for all banks in the E.U.”

Meanwhile, the banks are expanding their own fintech services. In an interview with Handelsblatt, Mr. Mandel said Paydirekt, the online payments system of German banks, would soon be expanded from Internet payments to permit transfers from cell phone to cell phone. “A function to allow mobile payment in stores would then be the next logical step,” he said.

He added: “Payment settlement is a core business of banks and we mustn’t let others wrest it away from us. Big outside players — especially from the U.S. — are already well-established globally, so we must at least operate at a pan-European level. Retailers are demanding that too. We’re already holding talks.”


Katharina Schneider is a correspondent in the finance section of Handelsblatt based in Frankfurt. Frank Drost is a Handelsblatt Editor in Berlin, covering financial supervision and banks. To contact the authors: [email protected], [email protected]