9 April 2025 | Published by: Noora Haapajärvi & Evgeniya Komarova
The requirements for extending the existing consent panel are among the more substantial changes introduced by the Payment Services Regulation (PSR), which is expected to be launched by the EU later this year.1
A consent panel allows customers to control access to their data. Capco has identified four risks that are important for banks to consider when planning their work on consent panels:
1. The implementation timeline of PSR is drastically shorter (21 months) than that of PSD2 (three to five years), while the changes impact almost the entire customer base for most banks.
Even when considering only the consent panel requirements, larger banks will need to roll out functionality to millions of customers. This requires careful planning and piloting. A further challenge for large banks with subsidiaries in multiple locations lies in providing the consent panel across the whole of the EU whenever the bank acts as an account servicing payment service provider (ASPSP) in that location. This is an expansion of PSD2 requirements.2
2. Banks will need to handle large amounts of data - two years of consent history per client.
The requirements for the consent panel imposed by PSR are challenging, especially the need to include a two-year history of all consents and the possibility to renew revoked consents. A strong data management strategy will be required to handle this. With two years' worth of consent data, the volume could reach levels typically associated with big data.
3. PSR requires withdrawal of consent to be proactively communicated to third parties and for them to delete the data acquired when consent is withdrawn.
Closely linked with the consent panel dashboard are the open banking APIs, such as the access to account (XS2A) API, which allows third-party providers to access data or initiate payments.
Currently, consent for payment initiation is valid for a single transaction, while access to data is granted for a set number of days, which varies by country. When consent is withdrawn, banks passively decline access to data from requesting third parties.
Many banks are both ASPSPs and third parties. PSR requires withdrawal of consent to be proactively communicated to account information service providers (AISPs), payment information service providers (PISPs) and payment issuing instrument service providers (PIISPs), who must - in the EU Parliament's version of the regulation - delete the acquired data. This further strengthens the rights of payment service users to control their data. The regulatory process is still ongoing, and the final version of the regulation may change.
4. The PSR does not contain all the requirements related to the consent panel and third party access.
Some of the most important additional requirements will come from the Financial Data Access regulation (FiDA) for other financial products.3 FiDA requires banks, wealth managers and insurance providers to allow third parties to access their clients’ information, provided consent is given, on a wider range of financial products, including mortgages and pensions. In practice, the change means that banks and other financial services providers will need to extend their open banking APIs to cover these products and find a way to source the requested information from their internal systems. FiDA is still in the regulatory process and the content of the regulation may change.
Conclusion: Early action is key
The key to succeeding with PSR implementation is to start analyzing the regulation and the gaps now. Although the regulation is still being formulated, the implementation timeline is very short. Getting a head start with a largely finalized gap analysis will buy important months for the implementation.
Capco helps clients with PSD3 and PSR, providing advisory and implementation support to navigate the evolving payments landscape confidently and in full compliance. Find out about our expertise with a major payments transformation in this success story.
Contact us to discuss how we can help you prepare for the forthcoming changes, making the most of the opportunities available.
References
1 Payment services in the internal market and amending Regulation (EU) No 1093/2010 - Tuesday, 23 April 2024
2 https://eur-lex.europa.eu/eli/dir/2015/2366/oj/eng
3 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52023PC0360
28. March 2025
Noora Haapajärvi, Evgeniya Komarova