'I Access Your Data, You Access Mine': Requiring Data Reciprocity in Payment Services
Do we need pro-competitive regulation for Fintechs, and in particular for digital payment services? Can we say that the theory of ‘disruptive innovation’ has failed to appropriately capture the intimate potential of digitalization in the Fintech realm, and that we thus require more established rationales for state intervention, such as ‘market failures’? And, if so, what type of market failure?
Scholars and regulatory institutions worldwide have started debating the impact of the entry of Big Tech platforms on the retail banking industry and possible policy responses. Despite the benefits for consumers stemming from an increase in competition in the short run, many doubts are arising about the risks of monopolization (de la Mano, Padilla 2018; Bamberger, O Lobel 2018) due to big platforms’ established ‘ecosystem’ positions, which allow them to exploit their economies of scope by further strengthening existing barriers to entry (European Commission 2019; Financial Stability Board 2019).
Articles 66 and 67 of the EU Payment Services Directive 2 No. 2015/2366 (known as PSD2) contain a much-discussed norm also referred to as the ‘Access to Account rule’ (or XS2A rule). The rule grants so-called Third Party Payment providers (TPPs) the right to freely access users’ payment account data, typically held by incumbent banks, to provide payment initiating services (PIS) or account information services (AIS), with the customer’s consent. The stated goal of the rule is to let an infant industry develop: that of Fintech payment services.
Our paper ‘'I Access Your Data, You Access Mine'. Setting a Reciprocity Clause for the ‘Access to Account Rule’ in the Payment Services Market’ provides an analysis of the norm from both competition policy and regulatory perspectives. Because both can shape data governance in a substantive way, it is essential to keep their application consistent, and also to ensure systematic coherence with EU rules on databases.
The first part of the paper discusses why the XS2A rule was introduced in the first place, and critically assesses its stated goals. It shows that digital payment services were thriving well before the rule was introduced, as Fintechs were typically using the spaces left free by regulation. Moreover, it demonstrates that the argument that the XS2A rule was justified by privacy constraints (Demary, Rusche 2018) leading to market information asymmetries does not hold. Furthermore, it discusses the most widespread view: that the rule remedies a lack of competition. Namely, inspired by an essential facility rationale, it covers data that incumbent banks ‘have always carefully kept strict and exclusive control over’, allowing them to ‘maintain high and stable market shares but also engage in product tying practices to the detriment of newcomers and consumer welfare’ (Borgogno 2018; Colangelo and O. Borgogno 2018). The XS2A rule would, therefore, serve to ‘prevent foreclosure as the result of the banks’ refusal to deal with the Fintech companies’ (Vezzoso 2018).
We think that although the XS2A rule has indubitable pro-competitive virtues, it cannot be understood as access to an essential facility, given that (personal) account data would hardly constitute a relevant market in an antitrust sense. Rather, considering its rationale and wording, what counts is the customer's consent to access his personal account data. It is, therefore, such consent that defines the boundaries of the data to be (directly and continuously) transferred to the third-party provider.
The second part of the paper shows that for the XS2A rule to really level the playing field among all the market players involved, it should be revisited to reflect three different possible relationships:
(i) between startup Fintechs and the banks;
(ii) between ‘digital conglomerates’ (Bourreau, de Streel 2019) or Big Techs and the banks; and
In the first case (i), the XS2A rule should provide the broadest possible access to account data, so as to allow start-ups to (a) build up their own data analytics capabilities (instead of outsourcing them); and (b) have at their disposal larger ‘digital datasets’ over which to run analytics and offer enhanced payment services.
In case (ii), a proposal is made to complement the XS2A rule with a ‘reciprocity clause’, that is: free access to ‘behavioral data’ at the disposal of the Big Techs, to be used only to enhance the efficiency of the payment service provision (in accordance with arts. 66 and 67, PSD2). The data concerned should be personal data pertaining to the same customers that have already provided their consent under the XS2A rule. The addressee (the Big Tech) should be identified through the register of TPPs, according to some quantitative thresholds (e.g. its initial capital or annual turnover, active personal or business clients). The legal rationale for introducing a reciprocity clause is clearly to differentiate and thus re-proportion the XS2A rule. This is consistent with the European Commission’s position (2018), which deems proportionality the guiding principle of Fintech regulation, allowing for differentiation if justified, inter alia, by ‘the business model, the size, the systemic significance, the complexity and cross-border activity’ of Fintech operators.
Overall, the reciprocity clause we propose would be a stimulus for the Fintech industry to grow even faster, as it would allow traditional banks to acquire and manage greater data analytics capabilities and to enhance their capacities to compete with digital conglomerates on a level playing field.
Fabiana Di Porto - University of Salento
Gustavo Ghidini - University of Milan