Is your business sitting outside the ‘AIS perimeter’? 🤔

FCA comments on the agent-principal relationship for Account Information Service Providers

This is THE question your business should carefully be thinking about before presenting your user’s financial data back to them if using another company’s regulatory permissions as an agency.

Why? Because the once ambiguous regulatory perimeters have now become clearer.

The Financial Conduct Authority, the UK’s financial regulatory body, has clarified its AIS perimeter guidance on the principal-agent relationship. Basically, what data needs to look like when presented back to your customers.

What kind of businesses should care about this guidance? Any business involved in providing account information services(AIS) to end-users in the UK.

In this blog post, let’s understand what the perimeter guidance means for agent businesses who currently use another company’s license.

What is an Account Information Service Provider (AISP)? Simple words, please.

An AISP is an online service provider that collects financial information from end users (accounts, balances, transactions..) from one or more banks, either in the format originally provided by the bank or after processing. This is so they can legally display this data back to the end user (eg. the person with the mobile app in their pocket📱) or to another business entity as instructed by the user (eg. a digital brokerage app that asks for your users’ banking data to pass it on to lenders of your user’s choice so that they get a quicker mortgage decision 🏦)

What is an agent of an AISP?

If you are a business who is not regulated to ask for user data from banks, you tend to rely on a regulated partner company that has FCA permissions to do so. In that case, you pass your user on to your partner’s application that manages connections to banks, gets the user’s permission and shares their data with you. For compliance purposes, in this equation, you are appointed as an agent of this regulated partner in the FCA’s eyes.

What were the Agent (you) — Principal (AISP) arrangements previously?

A regulated AISP simply outsources their permissions to service providers (agents) wishing to access open banking. Although end consumers were presented with the regulated party’s interface, this was only restricted to the initial phase of getting permission at the beginning via a co-branded interface. That meant an agent of an AISP could display data to end-users in their own way as long as they weren’t asking for permission to access the bank.

What does the FCA say as part of the agency perimeter guidance clarification?

FCA perimeter guidance emphasises that businesses need to be accountable, trustworthy and transparent to their end-users. Since multiple businesses are involved in getting user data from banks, they want end-users to know which business is asking for permission and with whom all is the data shared.

The FCA gives examples of various businesses to explain what an agent can do and cannot do.

What CAN’T you do by being an agent of your regulated partner?

As per new guidance, the following business activities CANNOT be carried out by an agent business:

  1. Your business primarily brands interactions with the end-users asking permission to access their bank
  2. Your business displays a user’s bank data in the design and format of their choice — categorised or raw — on an ongoing basis
  3. Your business provides additional and independent account information services outside the permissions of your regulated principal partner!

In summary, the new guidance means the agent-principal model is restrictive for agents because it;

  • Builds up more friction in the customer journey as there are two containers within an app displaying data to the same user
  • Limits innovative product offerings — you cannot continue to offer services outside of, or more than, what your regulated partners can provide

For example, if you are an agent money manager displaying users transactions based on their spending and data is received from your regulated partner, you cannot continue to display data in your own style or format without your own FCA permissions.

What business can continue as an agent of a regulated AISP?

To summarise, you can continue to be an agent if you don’t have a user-facing application and only use the bank data received from your regulated partner to verify and provide decisioning of some sort.

Typically, you don’t need regulatory permission (AIS/PIS) if:

  1. Your business doesn’t interact with users to ask permission to access bank data — it will be displayed in something resembling an iframe
  2. You don’t display end-user bank data to them in any format (categorised nor raw)

For example, you are a lender (or a broker who shares data with the lender) that receives your user’s bank data for eligibility/affordability checks and provides a decision such as a loan approval/rejection without displaying the transactions or balance data back to your users.

But wait. There IS an alternative. So what can you do to provide value-added services and display insightful data to your users, on your own? The silver lining is that becoming an independent regulated entity fully owning the customer interaction, app design and most importantly be the sole data protector and processor, is not too difficult! 😎

How does being regulated instead of an agent impact my customer journey?

  1. 🛡️TRUST You can increase your customer adoption! Your customer will now only see your brand end-to-end which will increase trust and transparency.
  2. 👤 USER INTERACTION You can completely own your customer interaction and reduce additional dependency on your service providers.
  3. 🔒 DATA SECURITY You can be the sole processor, protector of customer data and resolve customer concerns without dependency.

As much as I like to own customer experience and data security, I don’t fully understand how easy it is to get regulated?

FCA authorisation is not as complicated as everyone thinks and the FCA has been increasingly collaborative and efficient in order to support businesses. Based on our discussions with various TPPs, here’s what we know:

  1. Duration: Companies took anything from 2 months to 5 from start to finish!
  2. Process: 3 simple steps for authorisation:
  • A couple of weeks to a month of work to get documents together — A picture is worth a thousand words: be ready to show the visual flow of why using open banking in your app serves and benefits your customers
  • A couple of months for the FCA to ask you questions and make a decision — you don’t need to have everything figured out before you start the application.
  • You don’t even need the capital reserves in the account or the insurances when you submit the application. The FCA will tell you that being an approved subject is conditional on doing X, Y and Z, and you will do it at that point in time.

The sooner you start, the better it is!

Sounds great! Can Yapily help in any way?

Yes, we can! Thought you’d never ask! 😊

We can primarily help with what we do best — provide a robust connectivity enabler that doesn’t interfere with you, your customer and your customer’s data.

  1. Quick Integration & Expansive Coverage — We offer connectivity to all our banks in no time and keep adding new bank APIs as they become available.
  2. Easy Maintenance & Monitoring — We maintain secure and scalable API connectivity to all banks so that you can get an optimised, monitored offering from us and instead focus on your core product.
  3. Developer Focus — As a true engineering (not financial) company at our core, we focus on your developers’ needs and have everything they need to build simple and easy connectivity — check out our GitHub for guides, SDKs, a ready-to-build payments app and open source code.

Also, we can assist by sharing our regulated customers' experiences!

All you need to do is say hello@yapily.com 👋