openbankingspace / tpp-issues


Barclays - Joint Accounts Lockout #48

Open tobypinder opened 6 years ago

tobypinder commented 6 years ago

Joint Accounts Lockout

By default, Barclays do not provide access to accounts that have multiple owners (Joint Accounts).

PSUs who attempt to connect with Open Banking dialogues will have to cancel the process and get both parties to complete a procedure of flagging the account as "available" for Joint accounts (see images).

[Images: joint_accounts_lockout_disabled, joint_accounts_lockout_option]

However, this is completely at odds with all relevant legislation and regulations.

The Payments Service Regulation 2017 Section 70(2)(b) requires that providers of AIS must (emphasis added)

treat a data request from the account information service provider in the same way as a data request received directly from the payer, unless the account servicing payment service provider has objective reasons for treating the request differently;

This provision came into effect 13th January 2018 and I would seek clarification for how the current offering fits into these constraints. Joint accounts do not require multi-party authorization and either of the two parties is able to have full access to Account Information and Payment Initiation services through traditional interfaces. Yet with the provision of Account Information Services (and presumably PIS too) PSUs are subject to this arbitrary source of friction.

The PSD2 Regulatory Technical Standards Article 32(3) makes clear that (emphasis added)

Account servicing payment service providers that have put in place a dedicated interface shall ensure that this interface does not create obstacles to the provision of payment initiation and account information services. Such obstacles, may include, among others, preventing the use by payment service providers referred to in Article 30(1) of the credentials issued by account servicing payment service providers to their customers, imposing redirection to the account servicing payment service provider's authentication or other functions, requiring additional authorisations and registrations in addition to those provided for in Articles 11, 14 and 15 of Directive 2015/2366, or requiring additional checks of the consent given by payment service users to providers of payment initiation and account information services.

Therefore, under the current and PSD2 aligned regulatory frameworks, the Barclays offering is in our opinion non-compliant.

Remediation

Barclays should remove this feature as soon as is practical and ensure all PSUs can access Open Banking Services without arbitrarily introduced sources of friction. Failing this, Barclays should provide immediate justification for how these design decisions fit into the current and foreseeable regulatory frameworks (PSD2 etc.).

References

OBSD-4851

tobypinder commented 6 years ago

Response from Barclays:

Both parties can provide instructions and manage their finances independently of one another whether through traditional or OB methods. However, it's the customer's responsibility to ensure that, while doing this, they do it knowing that the other party wouldn't object to what actions are taking place. The journey design doesn't prevent the customer taking advantage of the OB opportunities, it merely reminds them of their responsibilities.

jh-a commented 6 years ago

The advice that you can share data only if all of the account holders agree directly goes against the advice of the ICO, this being why there is no multi authentication in the AISP spec. This should be raised to the CMA and ICO.

tobypinder commented 5 years ago

Response from Barclays:

Incident discussed, Barclays' position will remain unchanged at present.

davidgtonge commented 5 years ago

Relevant page on Barclays site: https://www.barclays.co.uk/help/online-banking/open-banking/data-share-joint-account/

davidgtonge commented 5 years ago

Barclays response above is incorrect. This issue needs to be escalated.

tobypinder commented 5 years ago

The Customer Experience Guidelines V1.2 (section 6.2, ref 15) states

Do you apply the same access control rules to joint and multisignatory accounts when accessed through a TPP as are applied when these accounts are accessed directly by the PSU? (Answer must be "Yes")

This is further expanded upon in Section 6.2.1 which states

Functionality – joint accounts: If a joint account holder can access all account information without any action on the part of the other account holder directly with the ASPSP, then this functionality should be available when using an AISP

These reference the FCA Approach Document Section 17.33 which makes clear

ASPSPs should make available the maximum amount of information that would be available to the customer across the channels the customer uses to access their payment account directly

which indicates that such equivalence of access is expected as part of the FCA's PSD2 exemption process.

The Payment Services Regulations Section 70(2)(b) similarly states

70 Where a payment service user uses an account information service, the payment service user's account servicing payment service provider must: (b) treat a data request from the account information service provider in the same way as a data request received directly from the payer, unless the account servicing payment service provider has objective reasons for treating the request differently.

We are working with Barclays and OBIE to understand how this will evolve going forward.