More than 3 years ago, on January 13th, 2018 to be precise, the world of payments entered a new regulatory framework: that of PSD2, the Payment Services Directive, which updates the framework for payments in Europe. It extends European regulation to new payment service providers (third-party PSPs), frames the sharing of banking data and strengthens security requirements for consumers.
This regulation creates two specific types of third-party payment service providers, one for payment initiation ("PSIP") and the other for account information ("PSIC"). Spaycial belongs to the second type, which is the one we are interested in here. These providers offer a service that aggregates information from the various bank accounts held by a customer (individual or professional) in order to offer personalized services and benefits.
"This directive was expected", says Nurgül Sivasli, Spaycial's DPO (Data Protection Officer). This type of service already existed before, better known as screen or web scraping, but it was not at all secure for the data. Indeed, this method obliged users to share all their banking identifiers, including the passwords of their accounts! "PSD2 prohibits this without approval and thus creates these new regulated statuses", she continues.
So, for the past 3 years, the world of bank payments has been in the midst of a revolution that is technological, but also cultural. These are important changes that take time, because they require banks to bring themselves up to regulatory standards. In concrete terms, they must now agree to communicate their banking interfaces to service providers (and thus their customers' bank account data, with the latter's express and revocable agreement) and to comply with security and technological standards.
Some countries, such as Switzerland, have more difficulty than others in moving towards APIs (Application Programming Interfaces), the secure interfaces that allow data to be shared. "Because the idea of communicating banking interfaces is not well accepted", explains the DPO. This difficulty in the face of innovation can slow down the development of these services, even though they are intended to protect customers' data.
Newcomers can rest assured that these account information service providers cannot carry out their data aggregation activities without receiving prior authorization. In France, it is the Prudential Supervisory and Resolution Authority (ACPR), which is the consumer protection authority, that issues them. This is referred to as an ACPR registration, like the one Spaycial holds, for example.
These services must be able to meet the security and governance standards set out in Article 98 of PSD2, in accordance with a single European RTS reference framework created by the EBA, the European Banking Authority (see the Spaycial data sheet on the EBA website, which respects the standards in different European countries).
This authorization is renewed every year, every April 30. It is a regular control that aims to reinforce the image of an extremely well-framed market. "Without authorization, no use is possible", states Nurgül Sivasli. It is this permanent control that protects the French and their data. Similarly, if we lose our authorization, or if it is not renewed, we can no longer offer our service.
From this authorization, a French and European banking aggregator is born, a provider that can launch its solution, like Spaycial and its loyalty program application, which interfaces with banks via APIs and offers innovative services to consumers.