#PSD2: What Is An Account Information Service?

The Treasury is consulting on its proposed regulations to implement the new Payment Services Directive (PSD2) in the UK.  The consultation ends on 16 March 2017 and the regulations must take effect on 13 January 2018. The FCA will consult on the guidance related to its supervisory role in Q2 2017. Time is tight and there are still plenty of unanswered questions, which I've been covering in a series of posts. In this one, I'm exploring the issues related to the new "account information service", which is being interpreted very broadly indeed by the FCA.  Firms providing such services will need to register with the FCA, rather than become fully authorised (unless they provide other payment services); and they are spared from compliance with a number of provisions that apply to other types of payment service provider. But now is the time for assessing whether a service qualifies, and whether to restructure or become registered.

The Treasury has, naturally, copied the definition from the directive:

‘account information service’ means an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider (article 4(16)) - [my emphasis] - but has added:

"and includes such a service whether information is provided—

(a) in its original form or after processing;

(b) only to the payment service user or to the payment service user and to another person in accordance with the payment service user’s instructions" [which do not appear in PSD2]

This reflects the government's broad definition of the directive (para 6.27 of the consultation paper) - consistent with the UK needlessly creating a rod for its own back and particularly ironic in the light of Brexit. The account information service provider (AISP) should be granted access by the account service provider to the same data on the payment account as the user of that account (para 6.25). A firm will be considered an AISP even if it only "uses" some and not all of that account information to provide "an information service" (para 6.28).

Services that the government believes are AISs include (but are not limited to):

• dashboard services that show aggregated information across a number of payment accounts; 
• price comparison and product identification services;
• income and expenditure analysis, including affordability and credit rating or credit worthiness assessments; and 
• expenditure analysis that alerts users to consequences of particular actions, such as breaching their overdraft limit.

The services could be either standardised or bespoke, so might include accountancy or legal services, for example (para 6.30).

Some key points to consider:

• does it matter to whom the account information service is provided? The additional wording seems to suggest that the 'payment service user' must be at least one recipient of the information, but does that mean the payment service user of the payment account or the person using the account information service?  This would seem to cover every firm that prepares and files tax or VAT returns, for example, since these are usually provided to both the client and HMRC.

• the service has to be "online", but what if some of it is not?

• little seems to turn on the word "consolidated", since the Treasury says a firm only needs to use some of the information from the payment account to be offering an AIS, and it could be from only one payment account. For instance, what if a service provides a simple 'yes' or 'no' to a balance inquiry or request to say whether adequate funds are available in an account, and that 'information' or conclusion/knowledge is not drawn from the payment account itself, but merely based on comparing the balance with the amount in the customer's inquiry or proposed transaction?

• the payment account that the information relates to must be 'held by the payment service user' with one or more PSPs, so presumably this would not include an online data account or electronic statement that shows the amount of funds held for and on behalf of a client in a trust account or other form of safeguarded or segregated account which is in the name of, say, a law firm or crowdfunding platform operator (albeit designated and acknowledged as holding 'client money' or 'customer funds');

• it seems impossible for the relevant data to provided in its 'original form', since data has to be processed in some way to be 'provided' online, but this could cover providers of personal data stores or cloud services that simply hold a copy of your bank data for later access;

• what is meant by 'after processing':

1. it may not be clear that a firm is providing information 'on a payment account', as opposed to the same information from another type of account;

2. does this mean each data processor in a series of processors is providing an AIS to its customer(s) - which brings us back to whether it matters who the customer is - or does interim processing 'break the chain' so that the next processor can say that the information was not 'on a payment account' but came from some other service provider's database (whether or not it was an AIS), such as a credit reference agency?

3. what about accounting/tax software providers providers who calculate your income and expenditure by reference to payment account information but may not necessarily display or 'provide' the underlying data - although presumably the figures for bank account interest income (if any) in a tax return might qualify?

Sorry, more questions than answers at this stage!

Update on 21 April 2017:

The FCA has indicated in Question 25A of its proposed draft changes to the Perimeter Guidance that:

"Account information service providers include businesses that provide users with an electronic “dashboard” where they can view information from various payment accounts in a single place, businesses that use account data to provide users with personalised comparison services, and businesses that, on a user’s instruction, provide information from the user’s various payment accounts to both the user and third party service providers such as financial advisors or credit reference agencies." [my emphasis added]

Caution On Payday Loans Cap: It's A Midata Problem

The government is right to resist automatically capping interest rates for short term or 'payday' loans, and to insist on an evidence-based approach to the market which takes account of unintended consequences. Powers to cap rates, prevent endless renewals and aggressive, unsupportive collections activity are important. But it's critical to understand the real problem confronting the payday borrower before leaping to solutions.

Until now, the popularity of short term loans has been positioned in Parliament as a moral problem (rich for MPs!) for which an interest rate cap is the solution. 

But the annualised percentage rate (APR) for short term loans is misleading and unhelpful for borrowers in context. It only enables comparison of one short term loan against another. And it produces such a strange result against longer term loans that borrowers ignore it - especially, as those loans may not be available to short term borrowers anyway.

Typically, a short term loan is applied for when other debts are due, fees are about to be incurred and other consequences are biting or about to bite. The relevant data points include the cost of unauthorised overdrafts, default fees on card accounts, the consequences of missing the rent, failing to pay a phone or energy bill, and so on. Borrowers react to the worst of the known consequences when borrowing, but may not be aware of them all, let alone take them all into account when assessing the best option.

This is a data problem, not an interest rate problem associated with just one of the options available to the borrower.

What would be helpful is a tool that enables comparison of all the options facing a short term borrower in the borrowing context.

Such applications are evolving, and it's important to note that the government is also playing a role to foster that evolution.

The Midata initiative, for instance, is aimed at producing solutions to meet exactly this kind of challenge. It aims to drive the development of simple applications that will access a person's own transaction data (including fees) to enable that person to make better purchasing decisions. Initially, the government is targeting suppliers in markets for energy, mobile phones, current accounts and credit cards. But it has issued a warning to others. 

If only we could get our MPs to focus on proportionate solutions to the root causes of society's problems rather than embarking on populist moral crusades and fiddling their expenses!

Warning Shot Fired Over Midata

The government is preparing the way for regulations to enable consumers and small businesses to request all their transaction data related to energy, mobile phones, current accounts and credit cards. If considered necessary, regulations could be in place in 2013, and may target other markets where certain factors point to consumer detriment.

The decision follows a consultation in the summer, and the full  response is here.

The proposals should add momentum to the voluntary Midata programme fostered by the Department for Business Innovation and Skills to help industry and consumer representatives resolve some of the key challenges in the 'core' consumer markets.

The Information Commissioner’s Office would take the lead role in enforcing any regulations, while concurrent enforcement powers could be given to sector-specific regulators.

The 'transaction data' at stake are the records of a consumer’s own purchases or consumption from a supplier - what the consumer bought, where and how much they paid for it - not the supplier's subsequent analysis. The data would have to be released in computer-readable format to enable it to be analysed by the consumer or a service provider of his/her choosing. This would help prevent suppliers gaining an unfair pricing advantage over consumers, for example, and make it easier for consumers to figure out the product right for them.

Factors the government might consider when deciding whether to expand the programme to other sectors include: 

• the market is not working well for consumers, e.g. consumers find it difficult to make the right choice or their behaviour affects pricing it's difficult to predict that behaviour;

• there's a one-to-one, long-term relationship between the business and the customer, with a stream of ongoing transactions;

• consumer engagement is limited, e.g. low levels of switching or competition; and

• suppliers don't voluntarily provide transaction/consumption data to customers at their request in portable electronic format.

I should add that I am involved in the Midata programme, as a member of the Interoperability Board, and on working groups considering issues related to data transmission and law/regulation.

Response to Midata Consultation

As part of its 'midata' initiative to empower consumers, the department of Business Innovation and Skills has been consulting on a proposal to give the Secretary of State a general power that "might be exercised broadly or in a more targeted way" to compel suppliers to supply transaction data at a consumer’s request. In the interests of transparency, I've summarised below my response to the consultation. As previously explained, I should mention that I've been involved in the midata Interoperability Board from its inception in 2011.

General Comments:

'Midata' scenarios involve consumers' transaction data being returned to them in a way that enables them to use it to improve their purchasing decisions. This reflects an existing, yet evolving commercial trend that is developing positively. Many businesses provide customers with their personal transaction history through ‘my account’ functionality which enables downloads. In addition to price comparison sites, other intermediaries are evolving to help consumers identify where data is stored, as well as to gather, share and analyse it.

It is acknowledged that there are certain operational risks involved in the widespread sharing of such data and various suppliers, intermediaries, officials and consumer representatives are co-operating to address these. One example is the work done by the World Economic Forum ‘tiger-teams’ on “Rethinking Personal Data” (here's my note of the London session). Government is also playing a very helpful role in fostering an environment in which suppliers can evolve best practice in the management of operational risks, as illustrated by the Midata initiative. Official guidance in the area includes the UK Information Commissioner’s guidance on data sharing.

These initiatives are sufficiently flexible and adaptable to support innovation rather than to stifle it. There is no evidence that these approaches are failing to adequately address the operational issues identified.

Regulation, on the other hand, is more rigid and often has unintended consequences that are hard to rectify in a timely fashion, particularly where it is general in nature and not evidence-based. As a general principle, prior to granting powers there should be clarity concerning the basis for their exercise, applicable exemptions, sanctions and other checks and balances.

Risks or undesirable consequences from exercising a power to require certain data to be released electronically could also include:

• undermining the cooperative approach to addressing operational risks and the evolution of best practice described; 
• reducing the flexibility and adaptability of risk management measures and stifle innovation; 
• paralysing development until market participants are clear on the basis for the exercise of powers, applicable exemptions, sanctions and avenues of review or appeal. 

So, while it is worth exploring whether a power of the kind proposed might encourage industry participants to act appropriately, it is difficult to support it in the circumstances described above. Rather, in my view, the government should continue to foster (and participate in) an environment in which best practice can evolve rapidly and flexibly; survey the rate of take-up of appropriate services and the adequacy of operational risk management; and issue guidance where appropriate. This would enable an evidence-based approach to regulation in due course if necessary.

Obligations for Specific Sectors or Data Types?

While all suppliers with consumer or micro-businesses as customers should be encouraged to participate in the 'midata' trend, I would be concerned that a regulatory obligation to provide transaction data to such customers may cause some businesses to withdraw from those markets.

This trend should also naturally pick up useful data that is not currently in digital format. However, I would be concerned that any mandatory obligation that is focused only on data held electronically will discourage businesses who would ‘digitised’ offline data from doing so.

Impact of the Proposed Mandatory Approach

My concern is that the proposed regulatory approach would be too narrow in its focus and effect. The WEF process has established that Midata scenarios require a holistic approach to the various challenges inherent in returning data to customers electronically. The value and utility of personal data is a hugely complex dynamic that varies by:

• the context or the activity we are engaged in, 
• which persona we are using at that moment, 
• the actual data being used or provided, 
• the permissions given, 
• the rights that flow from those permissions, and 
• the various parties involved. 

We need a global set of rules that are flexible enough to address all these variables, with the protection of a person's rights at the centre. Such rules must be capable of being simplified at the customer level, understood in terms of specific rights and obligations at the legal and regulatory level, and ‘coded’ to ensure that computers handle the data consistently with these rules.

The legal aspect of this breaks down into a set of rights and duties from which liability and accountability can flow in a way that does not make it impracticable for any necessary participant in the overall process. Those rights and duties will obviously vary according to whether you are the individual data subject, the provider of a personal data store/service, a business customer relying on data about the individual or acting in a governance role. They must be compatible with public law, yet fill in many gaps where rights and duties are missing or unclear.

By way of example, the current ambition of the WEF is to agree a 'simple' set of common licences or sets of permissions which any individual can nominate to govern the use of their data in a given context (like the creative commons copyright system ). The technological solution is a 'personal data mark-up language' that will enable anyone holding the consumer's data to 'mark-up' items of data in their existing databases to correspond to the permissions they've been given.

Who Should Be Able to Request Data?

Consumers and businesses employing fewer than 10 people ("micro-businesses", most of which are owned and operated by individuals) should be entitled to request a supplier to provide their own transactional data, either to the customer or to a specified third party. Alternatively, a third party who is duly authorised by the customer should be able to seek the customer’s data in electronic format directly from the supplier.

The terms and conditions and other information that are required to be made available to the consumer under applicable law (e.g. Distance Selling Regulations) should be included with the transactional data related to the goods or services covered by those terms and conditions.

Formats and Response Times

The government should not mandate formats, since internet-based technology allows for the development of 'mark-up languages' that allow sharing of data in different formats, as described above. 

Appropriate response times will be contextual. Guidance should encourage standing ‘my account’ functionality accessible by the individual logging-in, rather than a request-and-response model. However, where a request-and-response model is adopted, the response should be ‘prompt’. 

Should Suppliers Be Able to Charge for Releasing 'midata'? 

Suppliers should not be prohibited from charging specifically for releasing transactional data, but be encouraged not to. In effect, however, ‘my account’ functionality is not really ‘free’ in any event since there is a price to the related goods or services. 

It's conceivable that some suppliers might wish to be transparent about the price of goods versus the price of supporting services. In cases where few consumers access their data, it may not be appropriate that all consumers may end up paying for the functionality. However, it is important that any directly applicable charges should be reasonably proportionate to the cost of making the data available, including a reasonable profit margin (e.g. 20%). There are similar regulatory requirements in relation to certain fees in the financial services industry, for example. 

Enforcement and Supervisory Bodies 

It is likely that access to personal transaction data will be included as a right and/or obligation in customer terms and conditions, and customers should be free to enforce these in the same manner as any other provision in that contract, including through the courts or alternative dispute resolution as necessary. 

In the event regulation  is required, any enforement activity in this area could be handled in the context of personal data regulation, general consumer regulation, or regulation related to dealing with consumers in specific sectors.  Accordingly, appropriate enforcement bodies would include those listed below, with the Information Commissioner's Office taking the lead: 

• Information Commissioner’s Office 
• Office of Fair Trading 
• Trading Standards Institute 
• Citizens Advice 
• Key sector regulators, e.g.: 
• Financial Services Authority
• Ofgem
• Ofcom

Prior to the advent of regulation, these bodies could participate in fostering an environment in which suppliers, intermediaries, officials and consumer representatives can evolve best practice in the management of those risks.

Under any necessary regulation, the enforcement bodies could be empowered to order disclosure and/or fine suppliers, intermediaries, etc for failing to disclose, security breaches and so on. 

As this trend develops, one could expect to see a decline in data subject access requests under the Data Protection Act 1998, and any related enforcement activity by the ICO. 

I'm interested in your thoughts.

Rethinking Personal Data

On Thursday I joined a World Economic Forum 'tiger team' focused on rethinking personal data, a process that aims to build on reports revealing personal data as a new asset class, and meeting the challenges this evolution brings. My thanks to Liz Brandt at Ctrl Shift for inviting me along. Apparently, as one non-legal delegate put it, "there are not enough lawyers at these sorts of events."

In essence, we are moving from a world where data about each of us is compiled into large national databases by corporations and governments (since they are the only ones with the vast resources required to do it); to a world where personal data is highly distributed and grows with every interaction with or about each of us, so that no one can keep up with it, let alone store it in a single place. 

It's therefore important to understand that a "personal data store" is not envisaged as your own personal database of all personal information about you. "Store" is not used here in the sense of 'storage' but in the retail sense of controlling what is offered or sold (which is also not exactly appropriate but does the job for now). So a 'personal data store' is really just a set of rules that determine whether and how data about you can be used - wherever that data sits. It's another type of 'personal information management service'.

The WEF process involves first 'unpacking' the big notions of 'identity', 'privacy' and the imagined benefits to be gained from sharing personal data. These concepts are too static, theoretical - and too emotive - to use as the basis for establishing detailed rules for the responsible use of personal data. The significance and value of personal data can't be captured in a single dollar amount or 'yes'/'no' answer to whether it can be used. Instead, the value and utility of personal data is a hugely complex dynamic that varies by: 

• the context or the activity we are engaged in, 
• which persona we are using at that moment, 
• the actual data being used or provided, 
• the permissions given, 
• the rights that flow from those permissions, and 
• the various parties involved.

So in order to ensure that our transactions and other day-to-day activities are as frictionless and seamless as possible, we need a global set of rules that are flexible enough to address all these variables, with the protection of a person's rights at the centre. And those rules must be readable at various levels by humans, lawyers (legislature, courts, regulators, governance panels) and machines (computers, microchips).  

A previous tiger team session identified business, legal and technology as the three primary stakeholders or perspectives in agreeing such a set of rules. The business rules must first be established clearly at the outset, then vetted from a legal and governance standpoint, then coded in such a way that everyone can be confident machines will handle the data in accordance with the rules.

The current ambition is to agree a 'simple' set of common licences or sets of permissions which any individual can nominate to govern the use of their data in a given context (like the creative commons copyright system). The technological solution is a 'personal data mark-up language' that will enable anyone holding the consumer's data to 'mark-up' items of data in their existing databases to correspond to the permissions they've been given.

The legal aspect of this breaks down into a set of rights and duties from which liability and accountability can flow in a way that doesn't represent a deal-breaker for anyone in the overall process. Those rights and duties will obviously vary according to whether you are the individual data subject, the provider of a personal data store/service, a business customer relying on data about the individual or acting in a governance role. They must be compatible with public law, yet fill in many gaps where rights and duties are missing or unclear.

An earlier tiger team had proposed a useful set of rights and duties from the standpoint of the data subject. So we focused on the rights and duties of the service provider operating the personal data store on that data subject's behalf. We also made a start on the rights and duties for the governance role. The full write-up is due in the next few weeks, but some of the key issues we covered were: 

• the need for transparency as to whether the provider of a personal data store is acting as a full agent in the fiduciary sense or as a lesser form of agent or broker; 
• the need to ensure co-operation in the timeliness, accuracy, integrity and authenticity of the personal data accessible via the service; and
• security protocols for data access and sharing. 

From a governance standpoint, it seemed critical to have both the public and private sector represented on the governance panel - just as they were both represented in the tiger team process itself - to ensure not only that the public laws are obeyed at a minimum, but that official guidance can support the additional contractual standards that are agreed to 'fill in the gaps'.

The most immediate next steps would be to flesh out the governance aspects and to address the rights and duties of businesses relying on the data. Having allocated all the necessary rights and duties amongst each of the participants should make the final step of determining the liability and accountability for each of the participants a far less combative process than I've seen in other forums ;-)

Overall, I'm very optimistic that a cohesive global framework for the responsible use of personal data is achievable. Specifically, it was very encouraging to witness how much easier it is to address the overall personal data challenge when you commit to 'unpacking' the big notions of identity, privacy and public benefit, as described above. It was also a huge relief to hear that it is considered feasible by those who've introduced data standards previously to implement a personal data mark-up language to link the flow of personal data to a set of permissions and rules. I'm also hoping this can help achieve dynamic, momentary user identification that minimises the need for large, vulnerable repositories of personal identity material.

Of course, political and commercial acceptance and 'take-up' are where all this rubber hits the road. But the fact the discussions are taking place globally via the WEF is clearly very helpful.