ZealiD was surprised at the news that Trustly AB postponed its IPO due to objections by the Swedish Financial Supervisory Authority (FI) over the identity verification methods of its end users. [Full disclosure: ZealiD is a happy customer of Trustly AB's account information services.]
At this time, the only information available is Trustly's press release, meaning the exact reasons for the FI objections are unknown to us. However, here are some thoughts on how this could affect the fintech industries dependent on the Revised Payment Services Directive (PSD2), specifically Third Party Providers (TPPs), and the future of Know Your Customer (KYC).
Under PSD2, payment initiation services are designed to let consumers initiate payments (PIS) and transfer account information (AIS) to third parties. The payment initiation is typically executed between a consumer (the user) and a merchant with a TPP in between. The benefits are clear: lower transaction costs for the merchant and a simple way to initiate payments for the users (no need to scramble for credit cards or type in numbers). All of this is maintained in a reliable process built on a secure exchange between the user bank and the merchant bank.
Do Payment Initiation Services need KYC?
ZealiD's view is that an intermediary executing payment initiation services is not required to perform a remote identification of the user and should not be required to.
ZealiD has understood that the BaFin (German FSA) guidance is clear on this point. It would defeat the purpose of the law if all PIS had to redo a KYC performed by the users' banks. This should mean that Trustly, one of the inventors of the practices that today constitute PSD2 PIS, need not perform KYC on users for the sake of payment initiation. The only KYC obligation is vis-à-vis merchants.
Where are the Swedish FSA's objections coming from?
On a purely speculative basis, ZealiD believes that the explanation may lie in four underlying factors.
1. Removal of personal identifier
The European Banking Authority (EBA) has advised that holder name, IBAN and transactions must be in the API. However, unique identifiers such as personal code and address can be omitted according to the EBA. This, of course, creates many issues in what used to be a "light" KYC performed at every PIS by the likes of Trustly, Instantor and Klarna/Sofort. With the implementation of PSD2, many banks that fear disintermediation have opted to hide data in their emerging PSD2 bank APIs.
With the personal identifier no longer present in an ever-growing portion of the PIS transactions, the FI may feel that what used to be a precise identification is no longer dependable at all.
2. Trustly's infrastructure
Many forget how important Trustly were as pioneers of the PIS type transactions. Trustly were not only pioneers of screen scraping for payment initiation services (overlay, secondary integrations). They also set up an ingenious system of Trustly accounts in both user and merchant banks, which allowed them to reduce transfer times, payout times and costs related to cross-border transfers. Again only speculating, it could be this system that suggests that Trustly is more involved in the transactions (holding the funds) than your average fintech PIS provider. Trustly holds higher licenses (PSP etc).
3. Tightening of KYC across EU
Relatively speaking, FI has some of the most relaxed remote identification regulation in the EU. For example, FI allows for eIDAS eID substantial (BankID), whereas Germany requires eID High (Geldwäschegesetz). FI also allows for advanced electronic signatures where Germany not only requires qualified electronic signatures, but the signatures must also be accompanied by a bank transfer with verification of holder name against signature. There is good reason to believe that with higher volumes of cross-border transactions, the FI is tightening controls and requirements.
4. Nature of Trustly user base
It is well known that Trustly is a highly successful payment method in gambling and the gambling industry is best known for money laundering.
The combination of this as well as the previous points mentioned above should make FI much more alert to the motivations of some of the push back.
- The FI has not yet made a formal decision - this is a disruptive guidance in the middle of an IPO process. It may well be set aside going forward.
- ZealiD does not believe that the FI pushback on Trustly KYC reflects a general trend in the EU of increased KYC requirements on PIS services.
- Banks intentionally hiding data in the bank APIs defeats the purpose of identifiable data for a bulk of use cases (e.g. credit). It is highly problematic that the Commission/EBA allows this to continue and that national regulators do not take sharp action against these bank practices. They adversely affect the whole fintech ecosystem (including Trustly) and ultimately deprive users of their rights (guaranteed by both PSD2 and GDPR).
- Trustly is much more than a PIS. Although we have no real knowledge of its infrastructure, Trustly most probably has elements of its infrastructure that resemble PSP or even banking.
- Expect tightening of KYC - and the migration to eIDAS type KYC to be future proof.