The introduction of PSD2 enables innovative financial technology companies, known as FinTechs, to enter the world of payments. But getting that far, obtaining a PSD2 license, can be an uphill struggle. Eva Noordhoek and Michiel Kos from consulting firm Protiviti share five tips for FinTechs embarking on the PSD2 license journey.
The introduction of PSD2, the successor to the original Payment Services Directive, is one of the biggest recent developments in the regulatory environment of the financial services industry. PSD2 is often perceived as an enabler: it allows the wide array of FinTech companies to gain access to consumer payment data and to build their products and services on those data, opening up many possibilities for innovation.
Because PSD2 is about using payment data, one of the most sensitive types of consumer data, it is heavily regulated both at the European and at the national level. To make use of PSD2, a FinTech needs to obtain a license to operate from the relevant regulator. This step can be highly complex, and as a result many FinTechs struggle both with the requirements themselves and with the application process.
At Protiviti, we have supported several clients in their quest for a PSD2 license and audited several licensed companies. Based on these PSD2 interactions with our clients and the regulators, we have identified the following top learning points for the FinTech community:
The proportionality principle
Whether you are a bank with 10,000 employees or a start-up with 10, the same regulation applies. How do you deal with this? And when is good, good enough? How do you apply the principles on which the regulation is based without 'overdoing' it, while staying true to the nature of your business?
This is not a one-off, static decision. It requires constant awareness of the regulatory environment on the one hand and of your own business environment (and growth!) on the other, and reconciling the two. With every change, keep asking yourself: what does this mean for my business, how should I respond, and what are the consequences of those choices? Tips that can help you stay on top:
- Stay in close contact with your regulator. Discuss what you do and why you do it, including your interpretation of the regulation as it applies to your business.
- Rethink your governance. Make sure you have a solid second line (risk and compliance) and third line (internal audit) of defense. Solid means one or more people, depending on the size of your business, who understand your business and stand close to it, but at the same time act independently, keep their distance and ask the right (challenging) questions. This can be done internally or outsourced, depending on your size and business model. Such a structure will give you insights that are as objective as possible, not clouded by commercial dilemmas, improving both your business and your chances of compliance success.
Align risk assessments to business activities
We often notice that companies regard obtaining a PSD2 license as a checklist exercise: tick the boxes and produce a set of documents. This often means that particular items, such as customer due diligence (CDD) and transaction monitoring, receive the most attention. This is not to say that those topics are unimportant, on the contrary, but taking them out of the context of the actual business processes can cause an imbalance between effort and risk rating. Performing risk assessments is already part of your day-to-day business life.
"What happens if I choose X?", "Will that bring me closer to my goals?", "What is the chance of something happening that will give me a headache?", "Is there anything I can do to prevent that?". A proper risk assessment helps you ask and answer these questions in a structured way, enabling you to act and take precautionary measures if and when necessary. Have you, for example, considered your outsourcing, succession planning and key staff risks, to name just a few?
It is important to first visualise your business as a whole; assessing the risks associated with individual compliance topics (e.g. CDD) will then automatically be part of that exercise.
Take compliance a step further
Despite all their differences, the one thing FinTechs generally have in common is a constant drive to innovate and improve. In that process, being compliant is often seen as a must, and not necessarily as an integral part of the core business. When applying for a license, your company is 'vetted' on how compliant you are.
Don't make the mistake of viewing this as a one-time exercise. Especially in financial services, compliance-related topics and regulations are a major part of your product and service delivery. Embed compliance in your day-to-day business, not just because you have to but because it will help you.
For example, imagine that you recently released a great update to your platform and your customers are excited about the extended functionality. Then you discover a large data breach, breaking the promise to your customers that you would keep their data safe (and constituting a privacy compliance breach and a reportable security incident at the same time). Solid controls, applied to every change and not just to the big releases but also to the smaller incremental ones, will help you prevent this.
Do what you said you would do
In the process of obtaining a license, it is completely understandable that you will present the best version of yourself to the regulator. Do, however, keep the bigger picture and the longer term in mind. Knowing how your processes work, including where you might have gaps, is important, not only for obtaining and maintaining your license but also for seizing opportunities where they arise.
An external advisor who knows the application procedure can help you prioritise. Which gaps should be fixed before you apply for a license? Which solutions can stay 'in development' for now, and how do you discuss that with the regulator? Afterwards, make sure to embed regular review and testing activities: which actions are still open? What do we need to improve on? What are the risks associated with these actions?
The regulator does not know everything
As a final remark: the FinTech community, its participants and the regulator are all evolving, and no one knows it all. Regulation is often seen as a disabler or an obstacle to innovation. At the same time, and PSD2 is a good example of this, it can also accelerate the development and application of new technology. We believe that you have to recognise each other's perspectives and ambitions, and collaborate to harmonise them.