
Open Banking and PSD2 for much more than financial services

The PSD2 directive has served as a regulatory framework to ensure that financial institutions exchange information and payments securely and protect consumers' banking data

Real estate has begun to use creditworthiness assessments backed by Open Banking platforms and the PSD2 directive

The concept of Open Banking is widely used to describe the mutual interconnection between banks, both for consulting customer information and for supporting payments. Within this concept, the PSD2 directive stands out: it imposes a series of requirements to secure that interconnection, on which other financial services, and even solvency services in sectors such as real estate, are built.

In 2024, more than 700,000 properties were offered on the rental market and more than 20% of Spanish homes were rented, setting a historic record. These figures show that the challenges surrounding renting are enormous and affect millions of landlords and tenants.

To facilitate the process of renting homes or commercial premises with maximum financial guarantees, fintech platforms have emerged in recent years, which, among other services, also carry out creditworthiness checks on potential tenants, aggregating information from their bank accounts and automating an analysis of their financial health. These platforms also carry out credit checks for other purposes, such as validating the granting of a loan to an individual.

Given their rapid growth and the fact that they handle sensitive information about citizens, it is essential to ensure the security of the platforms that enable these credit checks to be carried out.

The security requirements for platforms that carry out creditworthiness checks are very demanding and are set out in the PSD2 directive, which must also be complied with by traditional financial institutions, such as European banks, as well as payment service platforms such as PayPal or Amazon Pay.

Below, we will explain a case that is here to stay: Is it safe for my real estate agency to ask me to open an account with a fintech company to aggregate my transactions and carry out a credit check? The quick answer is that, if they comply adequately with PSD2, yes (and all European financial institutions are obliged to do so).

1. How platforms that automate credit checks work

Credit checks are one of the fundamental pillars of the financial sector, but they are also hugely important in the real estate sector.

For years, real estate agencies have been conducting or commissioning credit checks. However, the procedure was manual and predominantly analog. This meant that tenants had to provide a wide range of documents: bank statements, employment contracts, pay slips. This required a great deal of effort, slowed down the process, and posed a major challenge in terms of personal data protection.

Hence the emergence of Open Banking platforms that enable the aggregation of transactions and balances, thereby facilitating the existence of services that carry out credit checks. This has led to a minor revolution in the real estate sector. What are the key features of these platforms?

  • Prospective tenants must create an account with a financial institution (known as an AISP – Account Information Service Provider) and authorize their own banks to provide information to that institution, so that the information from their various current accounts can be aggregated. This procedure is possible thanks to the interconnection between financial institutions under the concept of Open Banking and complies with security standards regulated by the European PSD2 directive.
    PSD2 itself requires:
    • That the account holder gives explicit consent to the AISP to access the minimum necessary information from their bank accounts, only for the stated purpose. Such consent may be revoked at any time and the AISP may not use the data for any other purpose without new consent.
    • Any authentication process will be carried out in the context of the bank to which the user belongs. Under no circumstances may a bank or third party have credentials from another bank.
    • The first time consent is given to an AISP to access other bank accounts, Strong Customer Authentication (SCA) is required. This requires satisfying another authentication factor.
  • Based on the financial information obtained from the tenant’s banking history, the AISP may be able to assess their credit rating with maximum accuracy, as well as calculate their debt ratio, all while safeguarding their financial information.
  • In this way, a real estate agency can obtain the credit rating of a potential tenant, as the AISP will provide this service, preventing fraud and speeding up the process of renting a house, apartment, or commercial premises.
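The consent rules listed above (explicit consent for a stated purpose, minimum necessary data, revocation at any time, no reuse without new consent, and SCA before the first grant) are easy to get wrong when implemented ad hoc. The following is an added example, not code from the original article nor from any real AISP platform, of how an AISP-side authorization check can enforce them; the consent identifiers, scope names, purposes and timestamps are all constructed for illustration.

```python
"""
Added example (not from the original article): a minimal model of the
consent checks PSD2 imposes on an Account Information Service Provider
(AISP) before it may read a user's account data. Identifiers, scope
names, purposes and timestamps are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed scope vocabulary: what the user's bank (ASPSP) can expose.
ALL_SCOPES = frozenset({"accounts", "balances", "transactions"})


@dataclass
class Consent:
    user_id: str
    aisp_id: str
    purpose: str                    # the stated purpose the user agreed to
    scopes: frozenset               # minimum data needed for that purpose
    granted_at: datetime
    sca_completed: bool             # SCA took place at the user's own bank
    revoked_at: Optional[datetime] = None


class ConsentError(Exception):
    pass


class ConsentLedger:
    """Stores consents and answers: may this AISP read this data, now, for this purpose?"""

    def __init__(self):
        self._consents = {}         # consent_id -> Consent

    def grant(self, consent_id: str, consent: Consent) -> None:
        # The first grant to an AISP must be backed by SCA at the bank;
        # the AISP itself never sees or stores the user's bank credentials.
        if not consent.sca_completed:
            raise ConsentError("first consent requires strong customer authentication")
        if not consent.scopes or not consent.scopes <= ALL_SCOPES:
            raise ConsentError("unknown or empty scope set")
        self._consents[consent_id] = consent

    def revoke(self, consent_id: str, when: datetime) -> None:
        self._consents[consent_id].revoked_at = when

    def authorize(self, consent_id: str, aisp_id: str, purpose: str,
                  scope: str, now: datetime) -> bool:
        c = self._consents.get(consent_id)
        if c is None or c.aisp_id != aisp_id:
            return False            # no consent exists for this AISP
        if c.revoked_at is not None and now >= c.revoked_at:
            return False            # the user withdrew consent
        if purpose != c.purpose:
            return False            # reuse for another purpose needs new consent
        if scope not in c.scopes:
            return False            # beyond the minimum necessary data
        return True


def run_scenario() -> dict:
    """Constructed walk-through: one tenant, one AISP, one solvency check."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger.grant("c-1", Consent(
        user_id="tenant-42", aisp_id="aisp-example",
        purpose="rental-solvency-check",
        scopes=frozenset({"balances", "transactions"}),
        granted_at=t0, sca_completed=True))
    day1 = t0 + timedelta(days=1)
    results = {
        "balances_for_check": ledger.authorize("c-1", "aisp-example", "rental-solvency-check", "balances", day1),
        "marketing_reuse": ledger.authorize("c-1", "aisp-example", "marketing", "transactions", day1),
        "other_aisp": ledger.authorize("c-1", "aisp-other", "rental-solvency-check", "balances", day1),
        "out_of_scope": ledger.authorize("c-1", "aisp-example", "rental-solvency-check", "accounts", day1),
    }
    ledger.revoke("c-1", t0 + timedelta(days=10))
    results["after_revocation"] = ledger.authorize(
        "c-1", "aisp-example", "rental-solvency-check", "balances", t0 + timedelta(days=11))
    try:
        ledger.grant("c-2", Consent(
            user_id="tenant-42", aisp_id="aisp-example", purpose="loan-check",
            scopes=frozenset({"balances"}), granted_at=t0, sca_completed=False))
        results["grant_without_sca"] = "accepted"
    except ConsentError:
        results["grant_without_sca"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The point of keeping purpose and scope inside the consent record, rather than only an opaque "consented: yes" flag, is that every later read is checked against what the user actually agreed to, so a purpose change or a revocation takes effect immediately without touching the data pipeline.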

Given that the information they handle (balances, debts, recurring expenses, payroll amounts, etc.) is extremely sensitive, the security of the platforms that carry out creditworthiness assessments is a critical issue. That is why the regulations require companies to implement information protection mechanisms.

2. Why we should trust the security of AISPs that carry out credit checks

The European Directive 2015/2366 on payment services in the internal market, commonly known as the PSD2 Directive, includes account information service providers within its scope.

Who are these providers? According to Article 4 of the regulation, they are companies that offer an «online service whose purpose is to provide aggregated information on one or more payment accounts held by the user».

Therefore, platforms that carry out credit checks by aggregating accounts fall into this category.

Article 33 of the PSD2 directive establishes that organizations that only provide this type of service are subject to fewer obligations than payment service providers, such as banks.

However, it also states that they “shall be treated as payment institutions” and shall be subject to all obligations relating to operational risk management, security, and authentication (Articles 95, 96, 97, and 98).

The PSD2 directive guarantees the security of platforms that carry out creditworthiness assessments

3. What are the main security requirements for platforms that perform credit checks set out in the PSD2 directive?

The PSD2 directive has served as a regulatory framework to ensure that financial institutions exchange information and payments securely and protect the banking data of European consumers and businesses. To this end, the PSD2 directive requires companies operating in the sector to:

  • Manage operational and security risks.
  • Report incidents.
  • Provide account holders with the ability to grant granular access to information, as well as revoke it when necessary.
  • Apply strong customer authentication.
  • Comply with the technical standards on authentication and communication developed by the European Banking Authority (EBA) with the assistance of the European Central Bank (ECB).

3.1. Operational risk management

In accordance with Article 95 of the PSD2 directive, companies must establish a framework with mitigating measures and control mechanisms that enable them to:

  • Manage operational and security risks related to payment services.
  • Establish and maintain effective incident management procedures.
  • Detect and classify major operational and security incidents.

In addition, they must provide the Bank of Spain annually with «an up-to-date and comprehensive assessment of the operational and security risks associated with the payment services they provide and the adequacy of the mitigating measures and control mechanisms applied in response to such risks».

3.2. Incident reporting

If serious operational or security incidents occur, organizations must notify the Bank of Spain «without undue delay».

Similarly, if the security incident may affect the financial interests of users, they must also be informed of what has happened and of the measures that can be taken to mitigate the consequences of the incident.

3.3. Authentication mechanisms

Article 97 of the PSD2 directive stipulates that EU states must ensure that companies required to comply with this provision «apply strong customer authentication» when users:

  • Access their online payment accounts.
  • Initiate electronic payment transactions.
  • Perform actions via a remote channel that may involve a risk of fraud.

In addition, to ensure the security of platforms that perform credit checks, they are required to have security measures in place to «protect the confidentiality and integrity of users’ personalized security credentials».

Furthermore, this article of the PSD2 directive also requires payment service providers that manage user accounts to allow account information service platforms to «use the authentication procedures provided to the user». This strengthens the security of platforms that perform credit checks by applying the same protection to access to account information.
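Two practical consequences of Article 97 as summarised above: the service must decide which actions are gated behind SCA, and the AISP must rely on the authentication the user's own bank performs rather than on credentials of its own. The following is an added example, not the article's or any bank's code, that models both with an HMAC-signed assertion the bank issues after SCA. The shared key, claim names, risk score and freshness window are constructed assumptions, not a real Open Banking API.

```python
"""
Added example (not from the original article). Part 1: which actions
must be gated behind strong customer authentication under Article 97.
Part 2: how an AISP accepts an SCA assertion issued by the user's bank
(ASPSP) by checking the bank's HMAC signature, audience binding and
freshness, without ever handling the user's bank password. The key,
claim layout and thresholds are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed risk threshold for "remote actions that may involve fraud risk".
FRAUD_RISK_THRESHOLD = 0.5


def sca_required(action: str, remote: bool, fraud_risk_score: float) -> bool:
    """Article 97 triggers: accessing an online payment account, initiating an
    electronic payment, or a remote action whose assessed fraud risk is high."""
    if action in ("access_payment_account", "initiate_payment"):
        return True
    return remote and fraud_risk_score >= FRAUD_RISK_THRESHOLD


# Constructed shared secret between the bank and the AISP. In production the
# bank's keys come from its API onboarding, never from a literal in code.
BANK_KEY = b"constructed-demo-key-not-for-production"


def bank_issue_assertion(key: bytes, user_id: str, aisp_id: str,
                         scopes: List[str], issued_at: int) -> str:
    """Bank side: after the user passes SCA at the bank, sign the claims."""
    claims = {"sub": user_id, "aud": aisp_id, "scp": sorted(scopes),
              "iat": issued_at, "sca": True}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def aisp_verify_assertion(key: bytes, assertion: str, expected_aisp: str,
                          now: int, max_age: int = 300) -> Optional[dict]:
    """AISP side: accept only a fresh, correctly signed assertion bound to us."""
    payload, sep, tag = assertion.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):     # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("aud") != expected_aisp or claims.get("sca") is not True:
        return None                                # not for us, or no SCA
    if now - int(claims.get("iat", 0)) > max_age:
        return None                                # stale assertion
    return claims


def run_checks() -> dict:
    """Constructed scenario exercising both parts."""
    results = {
        "read_account_needs_sca": sca_required("access_payment_account", True, 0.0),
        "payment_needs_sca": sca_required("initiate_payment", False, 0.0),
        "low_risk_remote": sca_required("update_contact_email", True, 0.1),
        "high_risk_remote": sca_required("update_contact_email", True, 0.8),
    }
    issued = 1_700_000_000
    token = bank_issue_assertion(BANK_KEY, "tenant-42", "aisp-example",
                                 ["balances", "transactions"], issued)
    good = aisp_verify_assertion(BANK_KEY, token, "aisp-example", issued + 60)
    results["valid_assertion_scopes"] = good["scp"] if good else None
    # Tampering with the claims breaks the signature.
    tampered = token.replace('"aisp-example"', '"aisp-other"')
    results["tampered_rejected"] = aisp_verify_assertion(BANK_KEY, tampered, "aisp-other", issued + 60) is None
    # A valid assertion for another AISP is not accepted here.
    results["wrong_audience_rejected"] = aisp_verify_assertion(BANK_KEY, token, "aisp-other", issued + 60) is None
    # An old assertion is not accepted.
    results["stale_rejected"] = aisp_verify_assertion(BANK_KEY, token, "aisp-example", issued + 3600) is None
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

The AISP never sees a bank password in this flow: the only secret it holds is the key used to verify what the bank signed, and the assertion is rejected if it was signed for a different provider, altered in transit, or issued too long ago.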

4. What role do pentesting services play in the security of Open Banking platforms?

To ensure an adequate level of security for Open Banking platforms, companies periodically undergo advanced intrusion testing.

Pentesting allows a real cyberattack to be simulated in a controlled environment with the aim of identifying weaknesses in security mechanisms that could be exploited by malicious actors.

The advantage of pentesting is that it allows for realistic testing of a company’s security strategy, with the scope of the exercise, specific objectives, and depth of testing agreed upon in advance.

In addition, other services are also essential in ensuring an optimal level of security for platforms that perform solvency studies, such as continuous security audits, vulnerability management, and incident response.

Based on the results obtained by the pentesters, a report is prepared listing the vulnerabilities detected, prioritizing remediation tasks taking into account the impact that their exploitation could have, and providing recommendations to mitigate weaknesses and risks.

Therefore, thanks to pentesting services, it is possible to validate the security of platforms that perform solvency studies and comply with the provisions of the PSD2 directive on security risk management.

5. Conclusions

In short, the current regulatory framework requires companies in the financial sector to have robust security strategies that are validated through pentesting.

So, if the real estate agency through which you are going to rent an apartment or commercial space asks you to undergo a solvency assessment through this type of platform, you can do so with complete peace of mind.

The PSD2 directive guarantees the security of platforms that perform solvency assessments, as well as the confidentiality and protection of users’ banking data.