The primary purpose of the Austrian regulatory framework for the banking sector is to maintain a stable financial system, by doing the following:
In accordance with its EU membership, Austria has implemented a banking and financial framework that is highly influenced by European rules and regulations. The key Austrian legislation applicable in the banking sector is as follows.
In addition to Austrian law, certain EU regulations are directly applicable to Austrian credit institutions, such as the Capital Requirements Regulation (Regulation No 575/2013/EU – CRR), which, to a large extent, is based on the Basel III standards issued by the Basel Committee on Banking Supervision. The CRR includes most of the technical provisions governing the prudential supervision of Austrian credit institutions.
The Austrian Financial Market Authority (FMA) is established as an integrated supervisory institution, supervising all financial service providers in Austria. It shares responsibilities with the Oesterreichische Nationalbank (OeNB) in connection with banking supervision. While the OeNB is in charge of fact-finding, including on-site and off-site analysis of banks, the FMA is responsible for the decision-making process and is therefore empowered to act as the competent authority in the areas of banking supervision and banking recovery and resolution. The European Central Bank (ECB) is responsible for banking supervision in the European area under the Single Supervisory Mechanism (SSM) and supervises significant entities in Austria, together with the FMA as the National Competent Authority (NCA) and the OeNB. Therefore, the FMA works in close co-operation with the ECB and the OeNB. However, the exclusive responsibility for granting and extending concessions of CRR credit institutions (ie, those credit institutions that receive deposits or other repayable funds from the general public and grant loans on their own account pursuant to Article 4 paragraph 1 no 1 of the CRR) lies with the ECB. For Austrian non-CRR credit institutions and branches of foreign credit institutions, the exclusive responsibility remains with the FMA.
Types of Licence
The ECB licenses CRR credit institutions in SSM member states and those (mixed) financial holding companies for which it is the consolidating supervisor. However, the scope of the licence granted by the ECB also extends to regulated activities under Austrian law.
The FMA licenses the following:
Licences granted can be subject to conditions and requirements, and can cover one or more types of transactions listed in Section 1 of the BWG.
In Austria, licensed credit institutions may also provide banking services in other EU member states by way of using the freedom of establishment or by using the freedom to provide services.
Since 29 May 2021, (mixed) financial holding companies registered in Austria must apply for a special licence as a (mixed) financial holding company upon exceeding specified trigger thresholds relating to the equity, consolidated assets, revenues, personnel or other indicators of a subsidiary qualifying as a credit institution, investment firm or financial institution. The corresponding licensing procedure is basically comparable to that of a banking licence procedure, but its scope is somewhat reduced.
Activities and services covered, and any restrictions on licensed banks’ activities
Pursuant to the BWG, an entity requires a credit institution licence issued by the competent supervisory authority to carry out activities listed in Section 1 paragraph 1 of the BWG, particularly when carrying out one or more of the following activities for a commercial purpose:
An entity must also be licensed by the competent supervisory authority as a financial institution to carry out additional activities listed in Section 1 paragraph 2 of the BWG, particularly when carrying out one or more of the following activities for a commercial purpose in addition to their activities as a credit institution:
The licence for conducting banking activities as a credit institution or additionally as a financial institution may be granted with connected conditions and obligations, and may be restricted to the individual banking activities mentioned above. The scope of the licence(s) granted to each entity is publicly available in the company database of the FMA.
In general, the ECB is responsible for granting and extending licences to CRR credit institutions. For Austrian non-CRR credit institutions and branches of foreign credit institutions in Austria, competence remains with the FMA.
Nevertheless, all applications must be submitted to the FMA, regardless of whether the decision is to be taken by the FMA or the ECB.
The following key documents are to be reviewed by the FMA/ECB as part of the licensing process:
The licensing process for CRR credit institutions, for which the ECB is responsible, is as follows.
Before the application is submitted to the FMA, there is a preliminary discussion phase in which the receipt of the application is confirmed. After formal confirmation by the FMA, a formal ECB approval decision must be issued within 12 months. The ECB’s experts must be involved by the FMA at an early stage of this process.
The FMA assesses whether the conditions set out in the BWG are met in the application. If the applicant fulfils the conditions, the FMA forwards the application with a draft decision and the relevant documentation to the ECB for the decision-making process. The ECB conducts its own assessment of the application based on the FMA’s draft decision and makes a final decision, which is then notified to the applicant. The average timing depends on whether or not the application is for a “full” licence and therefore for major banking activities, but the process should be completed within 12 months.
Licensing applications for Austrian non-CRR credit institutions (CRR financial institutions) or Austrian branches of non-EU-based and non-EEA-based (CRR and non-CRR) credit institutions are conducted entirely by the FMA.
The licence is issued by the FMA (or the ECB for CRR credit institutions) if the following requirements are fulfilled:
The fee for an FMA licence for the operation of bank transactions amounts to approximately EUR10,000, and the extension fee for a licence amounts to EUR2,000. If the applicants engage a lawyer, further costs for the licence proceedings arise. Annual ongoing costs for the licence are also charged.
The ECB further charges annual supervisory fees to all CRR credit institutions in Austria, whereby significant banks must pay a higher supervisory fee than less significant banks.
Pursuant to Section 20 paragraph 1 of the BWG, the FMA must be informed in advance in writing by any person who has taken a decision to acquire or dispose of (directly or indirectly) a participation of 10%, or to increase or decrease a qualified shareholding by reaching a 20%, 30% or 50% threshold of voting rights or capital in an Austrian credit institution (or in such a way that the credit institution becomes a subsidiary undertaking of that party).
Furthermore, the credit institution shall immediately notify the FMA in writing of any acquisition or relinquishment of qualified shareholdings, and of any reaching, exceeding or falling below the shareholding thresholds as soon as it becomes aware thereof. In addition, credit institutions must notify the FMA in writing at least once a year of the names and addresses of shareholders holding qualified interests.
The FMA has a maximum of 60 working days from the receipt of the notification and all the documents required pursuant to Section 20b paragraph 3 of the BWG to prohibit the proposed acquisition in writing following an assessment according to the assessment criteria set forth in Section 20b of the BWG, provided there are reasonable grounds therefor, or if the information submitted by the proposed acquirer is incomplete. Thus, the FMA shall examine the suitability of the interested buyer and the financial stability of the intended acquisition.
The FMA will review and assess all information provided by the proposed acquirer in connection with the notification, focusing on the criteria set by law.
Specific information to be filed is provided for in the Ownership Control Regulation, including information about:
If the bank is listed on the Austrian stock exchange, an acquirer must also comply with the provisions of the BörseG and the Takeover Act (eg, filing and notification obligations, mandatory takeover bid, etc).
Similar requirements must be fulfilled if the proposed acquirer intends to acquire a qualified holding in an insurance company, an investment firm, an investment service provider or a payment institution.
The FMA has published a detailed set of guidelines and circular letters (FMA Rundschreiben) on the application and scope of the organisational regulations, which depend on the type of business activities envisaged by the entity. An institution has to implement and continuously monitor a comprehensive set of organisational requirements, such as organisational structure, clear decision-making processes, documentation and reporting obligations, and responsibilities.
Furthermore, the management shall define and oversee the internal principles of proper business management (“fit and proper”), guaranteeing the requisite level of care when managing the institution, and focus particularly on the segregation of duties in the organisation and the prevention of conflicts of interest and, therefore, establish mechanisms to safeguard the security and confidentiality of information, pursuant to Section 38 of the BWG.
Banks are required to ensure the suitability of their managing directors, supervisory board members and holders of key functions on an ongoing basis. In addition to an internal guideline for the assessment process, banks are also required to provide ongoing training for their governing bodies and employees.
Sections 5 (1) (6)-(13), 28a and 30 (7a) of the BWG contain requirements for the members of the management and the supervisory board of credit institutions.
Fit and Proper Hearings
The FMA and the ECB apply an increasingly strict assessment procedure when evaluating the professional suitability of functionaries. Newly appointed governing bodies are invited to a hearing, and the theoretical knowledge required for the respective company is tested in an oral examination. The material covered for credit institutions includes financial expertise, the BWG and related ordinances, applicable special laws and European supervisory laws (CRR, EBA Regulatory Technical Standards, EBA Guidelines, etc) as well as the contents of the FMA Minimum Standards and FMA circulars. Basic knowledge of corporate law and knowledge of the institution within the framework of the “know your structure” principle is also required.
Requirements for the remuneration policies and practice of credit institutions licensed in Austria are set out in Sections 39/2 and 39b of the BWG, and in the Annex to Section 39b. These provisions implement the EU Directive governing remuneration policies and practices (CRD IV and CRD V) into Austrian Law. The FMA has to take these regulations into account, according to the European convergence in respect of supervisory tools and supervisory procedures. As a consequence, the guidelines and recommendations (and other measures) that are issued by the EBA must be applied. Therefore, the Annex to Section 39b of the BWG, the circular letter (re-)issued by the FMA in January 2018 (Grundsätze der Vergütungspolitik und –praktiken; Rundschreiben der FMA zu §§ 39 Abs. 2, 39b und 39c BWG) and the guidelines from the EBA considering remuneration policies (eg, guidelines on sound remuneration policies under CRD IV and disclosures under the CRR) contain the main rules for restrictions on remuneration.
Therefore, the remuneration provisions of the BWG shall ensure that credit institutions adopt remuneration policies and practices that encourage their employees to act in a sustainable and long-term manner and align their personal objectives with the long-term interests of the credit institution.
Pursuant to Section 39 paragraph 2 of the BWG, credit institutions and groups of credit institutions need to have administrative, accounting and control procedures for the identification, assessment, management and monitoring of banking business and banking operational risks, as well as risks arising from remuneration policies and practices, that are appropriate to the nature, scale and complexity of the banking business conducted.
The Financial Markets Anti-Money Laundering Act (Finanzmarkt-Geldwäschegesetz – FM-GwG) has been in force since 1 January 2017, transposing the international and European rules for the prevention of money laundering and terrorist financing into national law. Provisions relating to beneficial ownership are now also set out in the Beneficial Owners Register Act (Wirtschaftliche Eigentümer Registergesetz – WiEReG).
The FM-GwG imposes special due diligence requirements and defines special obligations for credit and financial institutions regarding due diligence and reporting in order to prevent money laundering and terrorist finance. Bank business may only be transacted with customers who have been identified – the “know-your-customer” principle.
Before a credit or financial institution begins a business relationship, it must verify the identity of the customer.
The Act on Deposit Guarantee Schemes and Investor Compensation (ESAEG) implements the Directive on Deposit Guarantee Schemes (Directive 2014/49/EU) and regulates the protection of deposits and credit balances, including interest on accounts and savings. The objective of the ESAEG is to ensure the rapid and comprehensive compensation of depositors’ claims in the event of a guarantee. The aim is to ensure that claims arising from security incidents are satisfied by the member institutions of the security schemes within a short period of time, so that financial obligations for the federal government can be avoided. In a guarantee case, deposits of up to EUR100,000 per customer and bank are covered. Every credit institution domiciled in Austria that wishes to accept customer deposits or provide investment services requiring guarantees must belong to a protection scheme.
Since 1 January 2019, the single deposit guarantee and investor compensation scheme limited liability company (Einlagensicherung Austria GesmbH – ESA) has assumed the responsibility for the compensation of all depositors and investors in Austrian credit institutions. Another institutional protection scheme as a limited liability company (Sparkassen-Haftungs-GmbH) is recognised as an alternative deposit guarantee and investor compensation schemes in Austria by the FMA and the ECB. In 2022, a third institutional protection scheme (Österreichische Raiffeisen-Sicherheitseinrichtung eGen) will be recognised.
Section 38 paragraph 1 of the BWG stipulates the obligation of a bank, its shareholders, corporate bodies, staff and other persons who are acting on behalf of the bank not to disclose certain information and secrets that have come to their attention based on their relationship with the customers.
Secret in the legal context means a fact that is known only to the keeper of the secret themselves or only to a relatively limited circle of persons. Furthermore, the fact must not be accessible, or can only be accessible with difficulty to persons otherwise interested in such fact. This includes circumstances where disclosure or exploitation is likely to violate a legitimate interest of the customer. Accordingly, banking secrecy includes the name and contact details of the creditor, the amount of the credit volume and the account balance information of the customer.
The concept of a secret is also characterised by the subjective component that the holder of the secret has an interest or desire to treat a fact as a business secret, as the owner of the secret would be at a disadvantage in case of disclosure. However, as this desire to maintain secrecy may not be established in some situations, the negative criterion that the existence of a secret is excluded if the owner of the secret renounces the secrecy has been supported by scholars.
Banking secrecy is intended to protect the legitimate interests of a customer in maintaining the confidentiality of facts that become known to the bank in the course of the business relationship. This includes all secrets that are exclusively entrusted, disclosed or made accessible within the scope of a business relationship; such secrets may not be disclosed or exploited. This is necessary to maintain the basis of trust between credit institution and customer. Furthermore, the access of third parties to these secret facts – of the federal state in particular, but also of private persons interested in receiving information – is to be excluded or limited to the extent that the customer only has to accept exceptions from banking secrecy under certain conditions.
Exceptions to banking secrecy are stipulated in Section 38 paragraph 2 of the BWG – eg, in criminal proceedings vis-à-vis public prosecutors and criminal courts.
Banking Secrecy and Non-performing Loans
Banking secrecy plays a key role in the sale of non-performing loans. Section 38 paragraph 2 of the BWG does not contain any express exception for the sale of non-performing loans. On the basis of the BWG, only an exception based on the customer’s express consent is possible. However, the Austrian Supreme Court has decided that a breach of banking secrecy is permissible if special requirements are met; in particular if the bank’s interest in a sale outweighs the customer’s interest in confidentiality.
A breach of banking secrecy generally results in the nullity of the legal transaction under civil law and also can lead to administrative and criminal law consequences.
Article 92 of the CRR sets out the specific capital requirements for the types of risk to be covered in accordance with Article 92 (3). Article 92 (2) of the CRR defines the capital ratio as a percentage of the total risk amount – the so-called solvency ratio (Solvabilitätskoeffizienten). The total risk amount is the sum of the institutions’ credit risk, operational risk, market price risks and the risk of a credit valuation adjustment. This total risk amount is to be compared to the own funds of the credit institution, resulting in the capital ratio of the institution.
Accordingly, credit institutions must maintain at least the following own funds requirements at all times:
In addition to these minimum capital requirements, an institution must meet certain capital buffer requirements that.
As the capital buffers contained in the CRD have been transposed into Austrian law by Sections 23 to 23f of the BWG, the capital conservation buffer of 2.5% of risk-weighted assets (RWA) therefore applies by virtue of Austrian law and is applicable to every credit institution licensed in Austria.
However, the FMA may set additional capital buffers on an individual basis, including:
The CRR (CRR II) requires entities to hold enough liquid assets to deal with any possible imbalance between liquidity inflows and outflows under gravely stressed conditions during a period of 30 days (Liquidity Coverage Ratio –LCR) and to ensure their ongoing ability to meet short-term obligations. The LCR as a short-term liquidity business ratio was fully introduced in 2018; amendments made by the CRR II have applied since June 2021. The new rules impose a binding leverage ratio requiring institutions to maintain Tier 1 capital of at least 3% of their non-risk-weighted assets. An additional leverage ratio buffer will apply to G-SIIs. In addition, the European Commission has proposed that credit institutions should also ensure that their long-term obligations will be adequately met with a diversity of stable funding instruments under both normal and stressed conditions (Net Stable Funding Ratio – NSFR – as a long-term liquidity business ratio). Furthermore, entities are required by the BWG to ensure that they are able to meet their payment obligations at any time – eg, by establishing company-specific financial and liquidity planning based on banking experience pursuant to Section 39 paragraph 3 of the BWG.
According to Section 82 of the BWG, insolvency proceedings cannot be opened in the form of reorganisation proceedings (Sanierungsverfahren); business supervision proceedings (Geschäftsaufsichtsverfahren) or bankruptcy proceedings (Konkursverfahren) can, however, be instituted. In addition, the conclusion of a reorganisation plan is not possible in bankruptcy proceedings.
In addition to the BWG, the BRRD provides central provisions in the area of insolvency, recovery and resolution.
Austria has implemented the BRRD by adopting the BaSAG, thereby creating a national legal framework for dealing with banks that are failing or likely to fail. The BaSAG contains provisions covering the following:
The following resolution tools are at the FMA’s disposal:
The bail-in is one of the core elements of the BRRD. It provides the resolution authority with the possibility to write down the eligible liabilities in a cascading contribution to absorb the losses of an institution, or to convert them into equity capital.
If insolvency proceedings are opened over the assets of a credit institution or a legal entity pursuant to Section 1 of the BaSAG, it must continue to provide services or support if the resolution authority has issued a corresponding order.
The amendments made by CRR II and CRD V regarding the capital requirements of credit institutions and investment firms shall strengthen the resilience of the banking sector by introducing more risk-sensitive capital requirements. Challenges arise in particular from the fact that these concepts designed for large institutions (“big players” and G-SIIs) – eg, total loss-absorbing capacity (TLAC) and minimum requirement for own funds and eligible liabilities (MREL) – may not be applied to small institutions without making adaptations, as Austria has a particularly large number of small and medium-sized banks.
The financial sector has faced recent challenges created by new ways of digitalisation and data processing technology within the field of banking operations and investment service providers (fintech). Traditional financial institutions in particular have to be aware of their new digital competitors. Other important issues include the rising standards of regulation, complexity and the increasing costs for the institutes. With regard to the current interest rates, the “Compliance tool” proposed by the European Commission aimed at facilitating institutions’ compliance with their Regulations and Directives may enable each institution to rapidly identify the relevant provisions with which they have to comply and improve the Cost-Income-Ratio.
The EU Sustainability Taxonomy
Regulation (EU) 2020/852 of the European Parliament and of the Council of 18 June 2020 on the establishment of a framework to facilitate sustainable investment, and amending Regulation (EU) 2019/2088, places sustainability at the centre of the financial system. This is intended – in accordance with the Regulation (EU) 2020/852 – to direct capital flows into “sustainable” investments. Regulation (EU) 2020/852 is addressed to companies engaged in capital markets and thus also to financial institutions that provide investment advice or portfolio management to retail clients or professionals who are therefore called upon to act responsibly. Regulation (EU) 2020/852 sets out considerable disclosure obligations for entrepreneurs as of 1 January 2022 in order to provide (potential) investors with “clear and not misleading” information about the respective company and financial instrument. To this end, the regulation contains the criteria for determining whether an economic activity is to be classified as environmentally sustainable in order to be able to determine the degree of environmental sustainability of an investment. For this purpose, the regulation defines the following six environmental objectives:
For an economic activity to be considered environmentally sustainable under the EU taxonomy, the following conditions must be met:
The rules for financial market participants and financial advisers on transparency with regard to the integration of sustainability risks and the consideration of adverse sustainability impacts in their processes and the provision of sustainability‐related information with respect to financial products are laid down in Regulation (EU) 2020/852 and Regulation (EU) 2019/2088, which provide for the following transparency obligations:
+43 1 53770 firstname.lastname@example.org www.fwp.at
Current Developments in Open Banking From the EU and Austrian Law Perspective
In the last couple of years, the bank-centric financial market has been increasingly faced with challenges related to the spectrum of choices that can be provided to customers as well as the development of new financial products and services based on the technologies which are gaining in popularity. One of the most important (and often described as revolutionary) trends is “open banking”, a banking practice that enables third-party financial services providers access to several types of data kept by banks and other financial institutions, thereby transforming the existing bank-centric financial system and, most importantly, introducing innovation and competition into the financial services sector.
Simultaneously, the (supra)national legislators and regulators have been – considering several developments that have taken place on the market – presented with new legal issues that needed to be addressed. In the context of the open banking phenomenon, these issues include, among others, defining the appropriate and sufficient regulatory response as well as concerns related to regulation of data being shared in this respect. This paper will focus on the latter aspect, namely the question of how to regulate increased data sharing while maintaining high standards of privacy and data protection as well as ensuring a level playing field between different financial services providers (including banks and fintech providers).
The key EU measure in this respect was the introduction of the Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (PSD 2) which entered into force on 12 January 2016 and started to apply on 13 January 2018. EU member states, including Austria, have transposed the PSD 2 into national legislation to establish a functioning legal framework for payment services providers as well as general rules applicable to the financial services sector as a whole.
Despite the successful implementation of the PSD 2 and its provisions, the new legal challenges combined with the new technologies that have emerged require amendment of the current legal rules. In particular, one of the main issues is the interaction of financial services rules on open banking (including PSD 2) with personal data protection and privacy law which will be discussed below.
What is open banking?
Open banking is an emerging banking practice with the purpose of providing third-party financial services providers “open access” to various types of data on consumers as well as other financial data kept by either banks or other financial institutions. In principle, the open access to such data is provided using the so-called application programming interfaces (APIs).
Open banking therefore breaks the concentration of information in traditional banks and increases networking of multiple accounts as well as data across the financial services sector merged between old and new service providers (see, for instance, F. Ferretti, Open Banking: Gordian Legal Knots in the Uncomfortable Cohabitation between the PSD2 and the GDPR, 1 European Review of Private Law 2022, 30, pages 73–102). As will be discussed in more detail below, this enables new products and services to enter the fintech market, which leads to a better overall customer experience.
Under the PSD 2 regime there are, broadly speaking, two different types of entity that are regulated and considered as third-party providers in the above sense, namely:
The aim of the AISP and their respective services is to provide a payment services user with an overall view of its financial situation immediately at any given moment (see, for instance, Recital 28 of PSD 2). Payment initiation services, on the other hand, enable the PISP to provide comfort to a payee that the payment has been initiated to provide an incentive to the payee to release the goods or to deliver the service without undue delay (ie, a low-cost solution for both merchants and consumers that provide the latter with a possibility to shop online even without possessing payment cards – see, for instance, Recital 29 of PSD 2). It should be noted that both types of third-party providers described above must be licensed and need to comply with the legal requirements laid down in PSD 2.
Legal framework – status quo
The key legal act on the EU level is PSD 2 which forms the cornerstone of EU legislation on open banking. As a successor of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC, which was largely limited to the regulation of payment services and information requirements for payment services providers, PSD 2 tackles broader issues. This includes, among other things, opening up payment markets to new entrants as well as furthering the level playing field for payment services providers, leading to more (fair) competition, greater choice and better prices for consumers. In this context, PSD 2 pertains to companies offering consumer-oriented or business-oriented payment services which are based on access to the payment account and differentiates between account information services on the one hand (provided by AISP) and payment initiation services on the other (provided by PISP) – ie, both licensable payment services, pursuant to Nos 7 and 8 of Annex 1 to PSD 2.
In Austria, PSD 2 has been transposed, among other acts, into the Austrian Payment Services Act (ZaDiG 2018).
Key provisions of PSD 2/ZaDiG 2018 relating to open banking aspects relevant to this paper are
Apart from the regulation pertaining to payment services as such, open banking is subject to several other regulatory realms including EU electronic verification rules, cybersecurity legislation, the most recently adopted EU digital finance package, and, finally, privacy and personal data protection legislation.
Amending proposals for the existing legal framework
Following the European Commission’s Call for Advice on the review of the PSD 2 in 2021, the European Banking Authority (EBA) published, on 23 June 2022, an Opinion of the European Banking Authority on its technical advice on the review of Directive (EU) 2015/2366 on payment services in the internal market (PSD2) (the “EBA Opinion”). In the comprehensive EBA Opinion, the EBA’s amending proposals touch upon several aspects with the aim of contributing to the development of a single EU retail payments market as well as ensuring a harmonised and consistent application of the legal requirements across the EU. As a side note it is worth mentioning that even though discussions are currently taking place on the EU level, the amendment of the PSD 2 regime will result in amendments of the EU member states’ national payment services regimes (including ZaDiG 2018 in Austria).
One of the EBA’s proposals aims at protecting consumers’ data, more particularly, access to and use of payment accounts data in relation to account information services and payment initiation services (ie, also a special section of the European Commission’s Call for Advice). On several occasions, the EBA Opinion mentions the problem of interplay between PSD2 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR). According to the EBA, legal uncertainty of interplay between PSD 2 and the GDPR pertains especially to the following aspects (as outlined on pages 113 et seq of the EBA Opinion).
Further to the above aspects, additional problems of interplay between PSD 2 and other legal acts regulating the processing of personal data may arise also in light of the specific requirements stemming from national legal regimes. In Austria, the most important national law in this area is the strict banking secrecy legislation which may affect the data protection regime under PSD 2.
Lawfulness of processing of the customer’s data by third-party providers
One of the main issues deriving from the interplay between PSD 2 and the GDPR is the nature of the legal bases for processing customers’ data. Although the EDPB Guide has provided a certain level of clarity in this respect, both the EBA and EDPB recognised that explicit consent under Article 94 (2) of PSD2 shall be differentiated from (explicit) consent under the GDPR leaving several aspects of the issue at hand unclear to a certain extent.
Consent under the GDPR
Under the GDPR, controllers that wish to process personal data must have a legal basis. Article 6(1) of the GDPR represents an exhaustive and restrictive list of legal bases for processing of personal data under the GDPR regime which includes, among others, consent (Article 6(1)(a), GDPR).
Consent of the data subject under the GDPR regime (as defined in Article 4(11), GDPR which reflects Recital 32 thereof) shall be understood as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Apart from other safeguards stemming from, for instance, Articles 7 and 9 of the GDPR, it shall also be mentioned that consent can under no circumstances be inferred from potentially ambiguous statements or actions. In addition, consent cannot be obtained through, for example, agreeing to a contract or accepting general terms and conditions (see page 13 of the EDPB Guidelines).
Despite national legal rules pertaining to consent in the context of processing of personal data (in particular, the Austrian Data Protection Act (Datenschutzgesetz – DSG)), the GDPR regime constitutes a comprehensive regulation of consent which means that the DSG provisions are in this respect, generally speaking, of no relevance.
Explicit consent under PSD 2/ZaDiG 2018
According to Article 94 (2) of PSD 2, payment services providers shall only access, process, and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment services user.
Although similar in nature, explicit consent under PSD 2 shall be differentiated from (explicit) consent under the GDPR regime, according to the EDPB Guidelines. Namely, the EDPB explicitly rejected the notion that Article 94 (2) of PSD 2 shall be regarded as an additional legal basis for processing of personal data. Accordingly, the explicit consent requirement defined in Article 94(2) of PSD2 shall be regarded as an additional requirement of a contractual nature in relation to the access to, and subsequent processing/storage of, personal data in the context of provision of payment services (see page 14 of the EDPB Guidelines). Due to the fact that the explicit consent under Article 94 (2) of PSD 2 is a contractual consent, the following aspects are implied, according to the EDPB Guidelines.
In conclusion, consent under Article 94 (2) of PSD 2 does not represent a legal ground for the processing of personal data; however, it ensures a degree of control and transparency for the user of payment service.
In Austria, Article 94 (2) of PSD 2 has been transposed in Section 90 (4) of ZaDiG 2018 without, generally speaking, any notable differences. Nonetheless, Section 90 (4) of ZaDiG 2018 goes a step further than 94 (2) of PSD 2 by stipulating that payment services providers shall inform payment services users about the processing of personal data in accordance with Article 13 (Information to be provided where personal data are collected from the data subject) and Article 14 (Information to be provided where personal data have not been obtained from the data subject) of the GDPR.
Austrian banking secrecy regulation as an additional set of requirements pertaining to processing of customer’s data by third-party providers
Apart from requirements pertaining to (explicit) consent under the GDPR and PSD 2 regime, there is one additional aspect that needs to be considered when assessing the role of customer’s consent in the context of open banking regulation, namely consent to allow access to a customer’s banking data as per banking secrecy provisions. See The Role of Consumer Consent in Open Banking: Financial Inclusion Support Framework. Technical Note; Washington, DC © World Bank (the “Technical Note”).
Banking secrecy (Bankgeheimnis), a general obligation of banks not to pass on information to third parties which they obtained because of a business relationship, is traditionally excluded from the scope of the EU harmonisation project. This means that the banking secrecy legislation is almost entirely based on national rules. In Austria, the banking secrecy rule in enacted in Section 38 of the Austrian Banking Act (Bankwesengesetz, BWG).
Section 38 (1) of the BWG sets out that credit institutions (eg, banks), their shareholders, members of governing bodies, employees, and other staff employed by the credit institutions shall not disclose or exploit secrets entrusted to them or made accessible to them exclusively based on business relations with customers. This means that the entities/persons subject to banking secrecy rules must ensure their customer’s interest in confidentiality in the form of a duty of confidentiality on the part of the obliged entities / persons (see Kammel in Laurer/M. Schütz/Kammel/Ratka, BWG Section 38 No 1-7 (Status 1.1.2019, rdb.at)).
Despite the strict nature of the banking secrecy provision, Section 38 (2) of the BWG lays down several scenarios which release the obliged entities/persons from banking secrecy requirements. These include, inter alia, the customer’s express and written consent to the disclosure of the secret, pursuant to Section 38 (2) No 5 of the BWG (whereby it shall be noted that the BWG also foresees certain exemptions from the requirement that such consent shall be provided in a written form, in particular in cases where means of distance communication with customer authentication are used). Austrian legal scholars have described express and written consent as a “non-genuine exception” to banking secrecy regulation and simultaneously emphasised its function as a protective measure to ensure that the customer does not grant premature or misleading consent (due to the requirement of written form and an express nature) (see Kammel in Laurer/M. Schütz/Kammel/Ratka, BWG Section 38 No 20 (Status 1.1.2019, rdb.at)).
In light of the above, Austrian law imposes – in addition to explicit consent-related requirements under the GDPR and PSD 2 – explicit and written consent requirements under the Austrian banking secrecy legislation, under the assumption that the entity/person in question is subject to the respective rules. This means that the relevant entities shall also observe this aspect when considering participating in open banking arrangements, in particular due to the possible consequences/sanctions that may apply in the case of a breach of the banking secrecy legal framework which range from civil and criminal to administrative sanctions.
Considering the ever-growing popularity and presence of open banking on the financial services market, it may be expected that such arrangements will become more and more important as well as increasingly used by different market participants. Although this will bring benefits to customers and the financial services market as such, it will simultaneously create challenges for legislators and regulators to ensure a safe and stable market.
Despite the issue of consent for processing data in the course of existing open banking arrangements in the EU being, for the most part, clarified, the authors believe that there are still several uncertainties which may – especially in the case of larger amounts of data and other types of data being processed – cause problems. In order to avoid any issues in the future, the amendment of PSD 2 (as well as any other legal acts) should also clarify in detail the interplay of PSD 2 and the GDPR as well as – although not important for the EU as a whole – potential conflicts with the national banking secrecy regimes.
+43 1 53178 1042
+43 1 53178 52 email@example.com www.dlapiper.com/en/austria/locations/vienna/