Open Banking through the eyes of a lawyer

Could you please give our readers a bit on the background and activities of Bird&Bird?

Bird & Bird is a global law firm counting approximately 1,300 lawyers, with 29 offices across Europe, the Middle East, Asia-Pacific and North America.

Bird & Bird has a very strong focus on innovative sectors. Our goal is to become the go-to firm for organisations that are being impacted by technology and digital world. Innovation is the DNA of our firm from the very beginning. The firm was founded in London in 1830, and even back then, it was focused on innovative industries, which, at that time, were coal mining and iron making.

Today, we continue helping clients to transform the world through technology, with a particular focus on very exciting areas such as FinTech, Energy, Lifescience and Privacy. In countries where we dont have presence, we work with best friend law that shares our DNA, to ensure that our clients are properly served all over the world.

I believe that something that differentiates Bird & Bird from other global law firms is our sector knowledge. We understand the law like most of our competitors do, but our knowledge of the sector in which the client operates means that we always take a practical approach to solve their legal issues. This is, in part, achieved by having lawyers who have in-house experience.

What is your expertise in payments regulations? Is it possible to reveal to us what are the most challenging aspects of your work as well as the most exciting ones?

I have been working with payments companies for longer than I would like to admit in an interview. Jokes aside, I began working in the payments field as an external lawyer at Jones Day, dealing mainly with competition law issues in the financial services sector. Even then, I saw that payment services as fascinating space, and when the opportunity arose to join the legal department of Mastercard, I accepted the challenge. At Mastercard, I continued to advise on competition law, but focused more on EU payments regulation, and I also provided support to the Public Affairs (aka lobbying) initiatives of Mastercard. The opportunity to learn payments from the inside of an industry leader has been invaluable to me. Payments are complex, and when faced with a legal issue, it is extremely helpful to understand in-depth how things work if you want to give proper legal advice.

Over the past 10 years, we have been witnessing how payment services have gone from no to little regulation, to an almost fully regulated industry, which is not that different from telecoms or energy. In parallel, the technology changes every day, and the way we pay now has very little to do with the way we paid five or ten years ago – and we will pay in a very different way in five years. Watching the industry transforming every day, and trying to make that fit with increasing regulatory requirements are both the most challenging aspect of my work, and the most exciting aspect at the same time.

You will be speaking at Trustech Conference this year, addressing the PSD2 and Open Banking topic. Why do you find this subject so important for the payments industry?

The first draft of PSD2 was published in July 2013. Now,in 2018, we are still discovering new angles of this directive, and discussing it with the same interest and level of intensity. PSD2 is complicated at many levels. It deals with very complex and technical issues, and it also has a massive political angle as it forces banks to share the information of their customers with non-bank third parties. PSD2 will transform the way we pay (and get paid), and will open the doors of the payments industry to innovative players. I am looking forward to seeing how PSD2 will impact our everyday experience with payments.

How will the new Open Banking tools impact the new types of financial transactions, in terms of security and privacy?
PSD2 regulates Open Banking by requiring banks to open the information on the accounts of their clients to new players, the so-called Third Party Providers (TPPs). PSD2 also imposes strict security on payments, known as Strong Customer Authentication or two-factor authentication for all payments, irrespective of whether one of these TPPs is involved, or not. In parallel, this year we have implemented the new and extremely demanding EU rules on data protection: the infamous GDPR. When you throw all this together - Open Banking, security, and GDPR - it does not seem almost impossible to make PSD2 and GDPR work at the same time.

However, everything comes somehow together, and PSD2 will enable new services for consumers that, if well implemented, will guarantee adequate levels of security and privacy. In my opinion, a lot still needs to be done. On the one hand, banks and TPPs need to put together a system to share information of consumers that preserves privacy and security, as well as guarantees innovation. This is not easy, as security sometimes works against innovation and convenience for consumers. The more layers of security, the more complicated it becomes to use a service. On the other hand, local regulators in the EU have an enormous task ahead of them, which is enforcing PSD2 with the necessary safeguard to protect consumers. Once again, very interesting times ahead for payments regulatory lawyers such as myself.