

Head of IFL Operational Risks, and James Tuplin, Head of Cyber and TMT – International Financial Lines

Q. What is the EU’s second Payment Services Directive?

Angelos Deftereos: The EU’s second Payment Services Directive – known as PSD2 – came into force in January and effectively switches ownership of personal data from the bank to the consumer. In the UK, PSD2 has been introduced as part of a wider drive towards so-called “Open Banking”, which is aimed at putting consumers in greater control of their finances. At the consumer’s behest, a bank must provide access to that consumer’s data to an authorised third party – which might be a fintech start-up, a telecommunications provider or a retailer, among others. And under PSD2, permission for access to that data has to be renewed every 90 days, and it is the bank’s responsibility to ensure those permissions remain in place and are renewed. As part of Open Banking, the same data must be made accessible through a standardised interface, which should facilitate the development of innovative new banking products. The rules also will transform the payments industry and enable merchant businesses to retrieve payment details without the cumbersome data re-entry sometimes required.

Q. What risk management steps will these third parties need to take?

Angelos Deftereos: The European Banking Authority, in close collaboration with the European Central Bank, issued guidelines that require payment initiation service providers (PISPs) to have a risk management framework that focuses on measures to mitigate operational and security risks and is fully integrated into the PISP’s overall risk processes. In the UK, when the Financial Conduct Authority authorises payment and e-money institutions, it will require details of business continuity plans and how those plans will be tested and reviewed, for example.

Q. What are the data security and liability implications of the move towards Open Banking?

James Tuplin: The transfer of data should be reasonably secure – clients’ personal data is subject to data protection law and claimants will be able to complain to the Information Commissioner’s Office. As part of Open Banking, account information service providers (AISPs) and payment initiation service providers (PISPs) are regulated for the first time. But this does throw up some liability questions, which are, as yet, untested. However robust the security systems in place, there will be payments that go wrong. A PISP might – unintentionally – make an unauthorised payment on behalf of one of its customers, for example. For AISPs, a cyber breach could lead to fraud or identity theft, which could result in large financial – and reputational – losses. In the case of a data breach, businesses involved will need to show that they have met the data security requirements under PSD2 and, where the data is personal data, also under the General Data Protection Regulation (GDPR), which comes into force on May 25 and brings with it strict data breach requirements and the looming possibility of substantial fines.

Q. What is the picture in terms of cyber exposure?

James Tuplin: Nobody knows quite yet how PSD2 and the GDPR interact with each other – if, indeed, they do. It will take time, some test cases – and potential losses – for the answers to these questions to become clearer. Meanwhile, the development of artificial intelligence and blockchain mechanisms continues apace, with companies in all sectors testing the potential efficiencies these technological advances could bring. All of these factors are pushing cyber security even further up the C-suite agenda. And as cyber underwriters, we are following this with great interest, naturally. Customer trust will be key to the development of an open banking system. It’ll take robust security and sound risk management.
