The business model of the banking industry is undergoing a major upheaval under the pressures exerted by technological advances and new regulations.
One of the major challenges, apart from artificial intelligence, is that of open-banking. The term refers to the opening up of banking platforms to provide the new services made possible by the European Directive on payments (EU Directive 2015/2366 of 25 November 2015 or “DSP2”), but also by the now famous GDPR (EU Regulation 2016/679 of 27 April 2016).1
DSP2, which has already come into effect in the European Union, will require banks to provide access to the new players arising from the regulation, payment initiation service providers and providers of information about accounts.
Apart from the challenge to the traditional business model of the banks, hitherto used to sharing customer details only when required by law, open-banking brings with it new risks for data security due to third parties also being granted access.
To manage data transfer, applications and application programming interfaces (APIs) are being developed by the banks to avoid direct access or “web scraping” becoming the norm.2
Resorting to blockchains is often referred to as the solution for guaranteeing access to data and its security. The customer, the service provider and the bank are then members of a private or hybrid blockchain. Blockchains are already present in the payment services market, such as the one created at the initiative of the American company Ripple, used by big international banks.
However, this solution, as interesting as it might appear to be, nevertheless begs a certain number of legal questions. First and foremost, that of the qualification of the blockchain which, for now, remains an unknown legal quantity, notwithstanding the partial recognition by the law in some countries3. Secondly, due to the immutable character of the data recorded in it, the blockchain is in direct conflict with the principles required by the GDPR and, in particular, the “right to be forgotten” enshrined in Article 17. For this right to be effective the party responsible for processing would have to delete it at the end of the planned retention period. This is clearly in contradiction with the very essence of the blockchain concept.
Where is Monaco with regard to this issue?
Although DSP2 does not feature in either Appendix 1 or Appendix 2 of the Monetary Agreement4 linking the Principality of Monaco with the European Union, some of the big banks operating in the Principality have integrated it into their strategy and customer documentation. Open-banking is therefore, if not in law, at least de facto, a reality. As for blockchain, draft law number 2375 calls for a 3-year trial period to test the applications of this technology in various sectors. The draft law, if voted into legislation, should provide an innovative legal framework for its development. Nevertheless, the question of its use for open-banking remains unanswered in view of the new requirements brought about by the GDPR.
2 On 27 November 2017, the European Commission published the final version of the technical standards (RTS) regarding access to banking platforms within the framework of DSP2.
3 For France, see Order 2017-1674 of 8 December 2017 regarding the use of shared electronic recording devices for the representation and transmission of financial securities.
4 Of 5 December 2011, http://www.legimonaco.mc/Dataweb/jourmon.nsf/1d3d76afaadb3774c125656a00321782/be419586e7947752c1257967005b448d/$FILE/JO8047%20Annexe%20Accord%20Mon%C3%A9taire.pdf
5 http://www.conseil-national.mc/index.php/textes-et-lois/propositions-de-loi/les-propositions-de-loi-en-cours/item/600-237-proposition-de-loi-relative-a-la-blockchain