Luxembourg open banking to be aided by amendment to ‘90-day’ rule

Proposed EU rule changes could make Luxembourg’s banking sector more competitive. Library picture: Spuerkeess headquarters in the Gare district, December 2020. Nader Ghavami

A public hearing with the European Banking Authority on Thursday 11 November looks positive for relaxing a key tenet of European open banking legislation, a move that will make accounts and payment initiation services far easier to implement for Luxembourg banks and third-party payment providers (TPP) and help to pave the way for smoother payments and banking in the grand duchy.

The so-called ‘90-day re-authentication rule’, a key regulatory technical standard under Europe’s payments services directive (PSD2), is under consultation with the EBA until 25 November 2021. Proposed changes suggest that the 90 days be extended to 180 days minimum, meaning in practice that customers currently required to re-authenticate every 90 days will now have a minimum of 180 days to do so.

“Although this does not solve the core of the problem, it is a step in the right direction,” Ralf Ohlhausen, chair of the European TPP Association, told Delano in an interview.

“The 90-day rule is the reason one now needs two (rather than one) factor authentication, either every time one accesses one’s account or at least every 90 days. Unfortunately, it is not even sufficient to re-authenticate once for all accounts aggregated, but instead you have to do it separately for each account and usually at different times, because their 90-day expiry timers are not in sync,” explains Ohlhausen.

“This rule also concerns banks acting as a TPP.”

The proposed change is good news for Luxembourg banks and third-party payment providers keen to take advantage of the prospective security, innovation and competition benefits of the PSD2.

One example of this is the Luxembourg bank Spuerkeess, which has already used provisions under the PSD2 to provide its customers with access to third-party accounts through its S-net app. More recently, it has added neobanks N29 and Revolut to this offering, enabling users of the app to see and manage cross-border accounts in one place.

Spuerkeess believes there is great potential under the PSD2 regulation to improve customer experience in Luxembourg. “Over time, more and more third-party banks will be added,” Daniel Madariaga, the team manager at Spuerkeess’ Business Innovation Office, said in a statement in October regarding the addition of N29 and Revolut to the S-Net app.

“A change to the 90-day rule is far less disruptive for this kind of offering,” says Ohlhausen.

What is open banking and PSD2?

Open banking is the practice of allowing third-party applications to access and control consumer banking and financial accounts, ‘opening’ financial data up to be securely shared with financial institutions. In 2018, PSD2 was introduced to create a framework around the early stages of open banking in Europe, namely, account aggregation and digital payments.

Following the introduction of PSD2, Spuerkeess along with three other Luxembourg banks--BGL BNP Paribas, Banque Raiffeisen and Post Luxembourg--founded LuxHub, which claims to be one of the largest open banking platforms in Europe. Spuerkeess went on to become the first bank in the grand duchy to offer services for the aggregation of third-party accounts, according to the bank’s statement on the integration of N29 and Revolut.