Fintech 2025

FRANCE Law and Practice Contributed by: Hubert de Vauplane and Hugo Bordet, Morgan Lewis & Bockius LLP

which will require approval from the relevant authority in the EU Member State where the pro - vider is based. This status will also be available to third-country providers, provided they obtain the necessary authorisation from the Member State in which they wish to offer their services. However, further clarifications are awaited regarding the feasibility of this bill. Meanwhile, the ACPR has announced that its involvement in the FiDA Regulation negotiations will be one of its strategic priorities for early 2025. 11.2 Concerns Raised by Open Banking Creation of APIs The transposal of PSD2 into French law forced banks to share certain personal data relating to their clients (eg, information relating to clients’ bank accounts) with various fintech companies. In order to share this information, banks need to create secure application programming inter - faces (APIs). It was reported recently that banks had been slow to create these APIs and justified their reluctance by invoking the need to guaran - tee the security of clients’ bank accounts and data. The deadline to implement these APIs was set at September 2019. At the end of 2020, the level of technical imple - mentation of APIs was not consistent among all actors. According to the co-founder of Linxo, an account aggregator, the potential of PSD2- compliant APIs is still “under-exploited” . At the end of 2022, in France, only 45 banks and account providers had implemented PSD2- compliant APIs. Web-Scraping Methods If they are unable to use APIs, third-party provid - ers such as account aggregators and payment initiation providers will have to keep using web-

scraping methods in order to access clients’ banking data, although these methods are not considered sufficiently secure. GDPR Compliance In addition, the obligation to share clients’ per - sonal data raises the issue of the compliance of PSD2 with the GDPR, as certain payment data may prove sensitive. In any case, both banks and fintech companies must comply with the GDPR when processing clients’ personal data. PSD2 is currently being amended at the Euro - pean level to account for recent technologi - cal developments. The European Commission is currently examining the proposals received through a public consultation launched in 2022. The PSD2 has been badly perceived by profes - sionals, who experience it as a constraint. The debates on PSD3 focus on several challenges that PSD2 failed to address (among them, the use of biometric authentication with behaviour - al analysis during a payment is discussed, for instance) while further limiting fraud. In recent years, there has been a significant increase in fraud techniques based on user manipulation and identity theft. While the intro - duction of strong customer authentication under PSD2 has enhanced the security of remote pay - ments and reduced certain types of fraud, these transactions remain a major source of disputes for clients. This issue was observed and high - lighted by the AMF and the ACPR in 2023. Regarding payment methods, on 21 January 2025, the ACPR presented fraud statistics for the first quarter of 2024. The data indicates that 12. Fraud 12.1 Elements of Fraud

276 CHAMBERS.COM

Powered by