FinTech is advancing ever faster in finance, revealing new features and applications almost every day.

FinTech (Financial Technologies) is a sector of the banking and financial services market characterized by the development and adoption of emerging technologies, the application of these technologies to existing products and the consequent introduction of new business models, with the main purpose of reducing costs of services.

FinTech covers all sectors of banking and financial intermediation, including advancements that are very different from each other – the online trading market, including cryptocurrencies, the savings support based on the computational analysis of data (big data), new models of access to finance (crowdfunding, peer-to-peer lending and credit scoring), insurance products (so-called InsurTech), loans and automated financial advisory services (robo-advice), identity management based on biometric recognition systems (facial, fingerprint or iris recognition), distributed validation technologies (Distributed Ledger Technologies and blockchain) and supporting activities (cloud computing).

Furthermore, FinTech is also associated with the newly emerging market of services suitable for facilitating, simplifying and automating the KYC (Know Your Customer) and AML (Anti-Money Laundering) procedures, aimed at the knowledge, classification and control of customers: RegTech (Regulatory Technologies).

In this regard, a significant boost to innovation in the financial sector was generated by the entry into force of the PSD2 Directive, by institutionalizing actors such as AISPs, PISPs, ASPSPs and TPPs and introducing concepts such as SCA, XS2A, RTS and API.

FinTech has significantly changed the banking and financial services market, allowing the positioning of Big Tech as serious competitors for the incumbents.

For this reason, we had the idea to launch a jargon buster, the ‘PeA FinTech Syllabus’, i.e. a reasoned collection of some old and new words about FinTech, supplemented by some brief comments and comparison tables.

“Syllabus” is an “old-fashioned” term that we have chosen to remember that the financial phenomena have always benefited – at a different pace and with different accelerations – from what expertise allowed at a certain time, starting from the Babylonian mathematical tables (used for taking census and quantifying goods, as well as paying taxes), and next, inter alia, the Medieval bills of exchange and the algorithms and functions behind the financial models used for several purposes.

In this light, thus, FinTech is nothing more than the latest stage of a process underway for millennia, of which this glossary is a potential interpretative key.

Our Giuseppina D’Auria and Marco Assisi, under the direction of the partner Mario Di Giulio, will work on the project, which is open to external contributions from other professionals and experts, who will analyse the technical issues and the economic, social and cultural consequences deriving from technological innovations.
Stay tuned!


AISP (Account Information Service Provider)

AISPs offer customers, via an online platform, an aggregate overview of one or more payment accounts, even where those accounts are held with several payment institutions in different countries. They are commonly known as account aggregators.
The Commission has made it clear that these services are intended to provide customers consolidated information of their financial situation and to analyse intuitively their spending habits, costs and financial needs.
Thanks to the services offered by AISPs, a client whose payment account is accessible online can securely use its bank details to obtain personalized financial advice and diversified offers on financial products. It can also enjoy, on a single platform, an overall view of all the information regarding its bank accounts: interest rates, applied fees and charges, transaction history and account balances. Finally, it can constantly compare different banking products.
In Italy account information service providers must undergo an authorization procedure (not a mere registration procedure). This procedure ends with enrolment in a special section of the Register of Payment Service Providers, once the following requirements are met (Article 114-septies, par. 2-bis TUB): form of limited liability company; registered office in Italy; presentation of the business plan; suitability of the people performing administrative, management and control functions; absence of impediments to the exercise of supervisory functions; a suitable guarantee for potential damages to account servicing providers or payment service users. Unlike PISPs, AISPs do not need a minimum initial capital.

AISPs & PISPs: comparative table

Requirements | PISP | AISP
Initial capital | Provisions on initial capital were repealed (“Regulatory provisions on payment service institutions and electronic money institutions” of 17 May 2016) | None
Professional indemnity insurance or comparable guarantee for damages to ASPSP or user | Yes, to cover liability for unauthorised, late, defective or non-executed payment transactions, and the right of recourse of ASPSPs against the PISP. | Yes, to cover liabilities to ASPSPs or clients resulting from non-authorised or fraudulent access to, or use of, payment account information.
Passporting rights | Yes | Yes
How they can use/hold data | PISPs may not: (a) store clients’ sensitive payment data; (b) request from the payment service user any data other than that necessary to provide the payment initiation service; (c) use, access or store any data for purposes other than the provision of the PIS requested by the client. | AISPs may not: (a) request sensitive payment data linked to the payment account; (b) use, access or store any data other than for the provision of the account information services explicitly requested by the client.
Restrictions on the exercise of ancillary activities | Yes | No
Restrictions on the exercise of other business activities | Yes | No
Restrictions on investments in banks | Yes | No
Measures for protection of payment accounts’ assets | Yes | No


API (Application Programming Interface)

The Application Programming Interface is a set of commands, protocols, functions and objects that allow a piece of software to communicate with and access an external system. This allows developers to create applications or software without rewriting code from scratch, starting instead from operations shared with the other associated software.
Some software houses publish their APIs in order to increase the distribution of their software. Other companies, on the contrary, allow only selected parties to access their interface, in order to keep final control over the service offered.
Within the framework of the open banking policy promoted by the European Union through the PSD2 Directive, the API is of fundamental importance as it allows TPPs to access account information maintained by a bank.
The detailed requirements and functionalities that APIs must have to comply with the PSD2 Directive will be regulated by the EBA (European Banking Authority). Banks shall have API management and effective security systems to handle access requests. Access through the API must in any case be guaranteed if the TPP complies with the requirements established by the Directive.

ASPSP (Account Servicing Payment Service Provider)

ASPSP is a payment service provider that offers and manages a payment account for a payer: that is mainly, but not limited to, banks.
PSD2 Directive charges ASPSPs with numerous obligations, above all the duty of securely providing data to AISPs and PISPs.
The account servicing payment service provider must also ensure an equal treatment of requests for data transmitted by TPPs vis-à-vis those transmitted directly by the user, without any discrimination other than for objective reasons, in terms of timing, priority or fees.
The account servicing payment service provider may refuse an AISP or a PISP access to the data for objectively justified reasons relating to the unauthorised or fraudulent use of the payment account. In these cases, the ASPSP, according to the methods agreed with the user, shall notify the TPP of the refusal and the reasons for it before access is refused or, at the latest, immediately afterwards, unless prohibited by objectively justified reasons or by other relevant justified impediments. Once the reasons that led to the refusal cease to exist, the ASPSP shall allow access to the payment account again. The ASPSP must always refuse an AISP or a PISP access to the payment account immediately after receiving the withdrawal of consent from the user.
The Directive also provides for a precise liability regime for unauthorized and/or incorrectly executed transactions. The ASPSP carries the first-line risk for unauthorised transactions and must immediately refund the amount to the payer. In the case of an unauthorized payment transaction arranged through a PISP, the latter must compensate the ASPSP for the sums paid as a result of refunding its client immediately or, in any case, by the end of the next business day, without the need for a formal notice. In any case, the ASPSP may seek compensation from the PISP if the PISP cannot prove that the transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment service for which it is responsible.
Under the new regulatory framework, the ASPSPs have seen a considerable increase in their fraud risk and, consequently, have had to reconsider some internal processes, as well as review their terms and conditions with their clients.


Blockchain
The blockchain is a type of distributed ledger technology (DLT) that enables secure Internet transactions and data storage without the need for a third-party authority to monitor and confirm validity.

In particular, blockchain technology allows a group of unrelated parties (so-called “nodes”) to independently reach a distributed consensus regarding the validity of a transaction. The result is the decentralized public ledger, an online list of transactions that is public, permanent and resistant to fraud, because it is not maintained by a single entity.

The blockchain is the result of over twenty years of technological advancements in cryptography and computer networking. These advancements have led to the blockchain’s three key features: 1) decentralized consensus mechanism, 2) distributed data storage, and 3) cryptographic algorithms.

Before a transaction or piece of data can be digitally stored in the decentralized public ledger, the network’s members must come to a consensus regarding the transaction or data’s validity. In this manner, they supplant a centralized authority that can confirm transactions. Once a transaction reaches distributed consensus, it is permanently stored in the ledger.

Data storage is thus the second key innovation brought by the blockchain. It is understood that when a transaction requires a trusted central authority for its validation, the latter is the only authority that maintains a complete record of the transaction. On the blockchain, in contrast, when nodes reach a consensus as to the validity of a transaction, that transaction is stored in each single node’s copy of the ledger and saved on the relevant computer. Each member of the network thus retains a complete record of all transactions at all times.

The decentralized nature of the blockchain supports its third key feature: cryptographic algorithms. The blockchain uses a “probabilistic approach” to protect its data. When information travels over a decentralized network and can only be stored via group consensus, the information becomes more transparent and verifiable. Attackers attempting to flood the distributed ledger with false information have little chance of success, because such data are unlikely to gain distributed consensus across the network.

Further, unlike data stored in centralized networks, a blockchain’s data cannot be altered merely by gaining access to the network or server. As a ledger’s copy is stored on the computer of every node involved in the network, possible hacking or tampering with one node’s ledger will create an inconsistency that can be easily exposed and resolved by comparing it to the ledgers of other nodes.
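The tamper-evidence described above, as an added illustration that is not part of the original glossary: a toy hash-chained ledger replicated across four constructed nodes, where altering one node's copy is exposed either by that copy's own broken hash links or, if the attacker recomputed the hashes, by comparing its chain tip with the majority of the other nodes. Block format, node names and transactions are all constructed for the example.

```python
import hashlib
import json
from copy import deepcopy

GENESIS_PREV = "0" * 64

# Constructed sample transactions (not real chain data).
SAMPLE_TXS = [
    {"from": "alice", "to": "bob", "amount": 10},
    {"from": "bob", "to": "carol", "amount": 4},
    {"from": "carol", "to": "alice", "amount": 1},
]


def block_hash(block):
    """SHA-256 over the block's content; the stored 'hash' field itself is excluded."""
    payload = json.dumps(
        {"index": block["index"], "prev_hash": block["prev_hash"], "tx": block["tx"]},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def build_ledger(transactions):
    """Each block commits to its predecessor's hash, so a change in block i breaks every link after it."""
    ledger, prev = [], GENESIS_PREV
    for i, tx in enumerate(transactions):
        block = {"index": i, "prev_hash": prev, "tx": tx}
        block["hash"] = block_hash(block)
        ledger.append(block)
        prev = block["hash"]
    return ledger


def verify_chain(ledger):
    """Return the index of the first block whose link or hash is inconsistent, or None if intact."""
    prev = GENESIS_PREV
    for i, block in enumerate(ledger):
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return i
        prev = block["hash"]
    return None


def replicate(ledger, node_names):
    """Every node keeps its own full copy of the ledger (the page's 'distributed data storage')."""
    return {name: deepcopy(ledger) for name in node_names}


def tamper(ledger, index, new_tx, rehash=False):
    """Modify one node's copy. With rehash=True the attacker also recomputes the hashes
    from the altered block onwards, so the copy is internally consistent but differs from the others."""
    ledger[index]["tx"] = new_tx
    if rehash:
        prev = ledger[index]["prev_hash"]
        for block in ledger[index:]:
            block["prev_hash"] = prev
            block["hash"] = block_hash(block)
            prev = block["hash"]


def dissenting_nodes(copies):
    """Nodes whose copy is internally broken or whose chain tip disagrees with the majority tip."""
    tips = {
        name: (ledger[-1]["hash"] if verify_chain(ledger) is None else None)
        for name, ledger in copies.items()
    }
    valid_tips = [t for t in tips.values() if t is not None]
    majority = max(set(valid_tips), key=valid_tips.count) if valid_tips else None
    return {name for name, tip in tips.items() if tip != majority}


if __name__ == "__main__":
    copies = replicate(build_ledger(SAMPLE_TXS), ["A", "B", "C", "D"])
    tamper(copies["B"], 1, {"from": "bob", "to": "carol", "amount": 400})
    tamper(copies["C"], 1, {"from": "bob", "to": "carol", "amount": 400}, rehash=True)
    print("B internally broken at block:", verify_chain(copies["B"]))  # 1
    print("C internally consistent:", verify_chain(copies["C"]) is None)  # True
    print("nodes disagreeing with the majority:", dissenting_nodes(copies))  # {'B', 'C'}
```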

Further reading

Blockchain and Cyberattacks: Is Blockchain a safe and hacker-proof technology?
Pierguido Iezzi, Cybersecurity Strategy Director – Co Founder of Swascan

Blockchain as a means to fight money laundering: a scenario of the near future
Massimo Masini, Manager, GPM & SAIP GROUP srl


Credit scoring

Banks and financial intermediaries use credit-scoring systems to evaluate the creditworthiness of those asking for loans by giving them a certain score in order to decide whether or not to lend them money and under what conditions. For example, a company with a particularly high score will benefit from lower interest rates as it looks more financially stable and less likely to go bankrupt.
Scoring activities consider and analyse many and various data, ranging from client’s information and its current level of indebtedness (central credit register, past financial statements, etc.) to the features of the project to be financed. Bank of Italy acknowledged the effectiveness of credit scoring by conducting an ad hoc survey about loans mainly granted to small and medium enterprises. The results pointed out that credit-scoring systems help banks choose borrowers more prudently and cut the risk of acquiring future non-performing loans.
FinTech companies might dramatically boost credit scoring reliability. In the future, Big Tech will hold a huge amount of data on clients’ consumption behaviour, which may allow an accurate analysis of their creditworthiness. Moreover, API technologies give access to a wealth of information, such as data about a company’s cash flow, which would allow potential clients to be scored on real-time information and not only on past trends.
With this in mind, access to as much data as possible is crucial for financial services companies, also from an antitrust perspective. The PSD2 Directive follows on from this concern, allowing TPPs (Third-Party Providers) to freely access their clients’ accounts maintained by banks and payment institutions.

Further reading

Credit scoring and rating: what is the difference?
Alessandro Adamo, Pavia e Ansaldo

The myth of equal ratings among credit rating agencies
Lapo Guadagnuolo, Global Head of the Centre of Excellence for Methodologies S&P Global Ratings


Cryptocurrency
Article 1, paragraph 2, qq) of Decree 231/2007, as amended by Legislative Decree 90/2017, contains a definition – largely deriving from the one already outlined by the Bank of Italy’s and the European Central Bank’s studies – of virtual currency (or cryptocurrency) as “digital representation of value […] used as a means of exchange for purchasing goods and services and transferred, filed and negotiated electronically”, emphasizing how it is not “issued by a central bank or by a public authority”, nor is “necessarily linked to a legal tender”. More recently, even the European legislator has regulated the phenomenon of virtual currencies with the Fifth Anti-Money Laundering Directive (EU Directive 2018/843).
The birth of virtual currencies coincided with the 2008 financial crisis, when a group of IT specialists set out to create a completely innovative financial system, independent of banks, in which private individuals could use a payment instrument among themselves without involving any authority or intermediary. The technological response to this need came from the use of cryptographic algorithms, hence the term “cryptocurrency”.
Although cryptocurrencies were originally conceived as a completely decentralized and bi-directional payment instrument, whose transactions had to be constructed and validated by complex cryptography-based methods in which all participants hold an equal position (peer to peer), today there also exist currencies that can be issued and operated by a single entity, often used within virtual communities.
The most famous cryptocurrency is undoubtedly the Bitcoin, although there exist over 1600 virtual currencies on the market: Ether, Ripple and Litecoin are among the most renowned on a list that is continually evolving.
Given the novelty of the phenomenon and the critical points raised by a number of aspects, there is a lack, to some extent, of international provisions regulating virtual currencies.

Further reading

“Cryptocurrencies” are not legal currencies
Nicola Mainieri, Senior manager at the Bank of Italy, Supervision Inspectorate.


Cryptocurrency Wallet

A “cryptocurrency wallet” is any system used to store a pair of cryptographic keys, one public and one private, required for cryptocurrency transactions. There are many types of wallets, not all of which require digital media to work; they fall into two fundamental categories: “cold wallets” and “hot wallets”. Cold wallet systems are not automatically connected to a network and store cryptographic keys, which are usually written or printed on them (hardware storage devices or paper wallets); hot wallets, on the other hand, are always online.
Hot wallets allow both the safekeeping of cryptographic keys and the execution of cryptocurrency transactions, while cold wallets guarantee a higher level of security against hacker attacks. In order to combine the practical edge of hot wallets with the reliability of cold wallets, specific hardware storage devices were created, which allow cryptocurrency transactions by entering a “password” in the graphical interface.
“Deterministic wallets” are among the most peculiar types of wallets, as they allow backups through a “seed” (a random string of human-readable words, stored outside the wallet) and a “root key” from which all other keys are derived deterministically. Once the seed is entered, the system can be restored without entering any other key, because the root key creates and recomputes them algorithmically.
Typically, cryptocurrency wallets are compatible with a limited number of cryptocurrencies (bitcoin, above all), but a few are capable of storing more than one cryptocurrency.
Wallet providers have recently been brought within the scope of EU Directive 2018/843, amending the Anti-Money Laundering Directive (EU) 2015/849 (AMLD4). The rationale behind this decision is expressed in recitals 8 and 9, which point out the potential criminal use of cryptocurrencies due to the absence of security controls on cryptocurrency operators and the anonymity of the relevant transactions.
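The seed-to-root-key-to-child-keys derivation described in the deterministic wallet paragraph, as an added toy example that is not the glossary's own code and is not a real wallet standard: the seed phrase is stretched into a root secret, child private keys are derived from it by index, and re-entering the same seed reproduces every key, while a single wrong word yields entirely different keys. The seed phrase, salt label and rounds are constructed; real wallets additionally derive the public key from each private key on an elliptic curve, which is omitted here.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 2048  # constructed stretching parameter for the example
SALT_LABEL = "toy-wallet-seed"  # constructed domain-separation label


def normalize_seed(seed_words: str) -> str:
    """Canonical form of the human-readable seed: lower case, single spaces, no surrounding blanks."""
    return " ".join(seed_words.lower().split())


def root_key_from_seed(seed_words: str, passphrase: str = "") -> bytes:
    """Stretch the seed phrase (plus optional passphrase) into a 64-byte root secret."""
    salt = (SALT_LABEL + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", normalize_seed(seed_words).encode(), salt, PBKDF2_ROUNDS)


def derive_child_key(root: bytes, index: int) -> bytes:
    """Child private key i = HMAC-SHA512(root, index) truncated to 32 bytes.
    The same root and index always yield the same key, so nothing but the seed needs backing up."""
    return hmac.new(root, index.to_bytes(4, "big"), hashlib.sha512).digest()[:32]


def derive_keys(seed_words: str, count: int, passphrase: str = "") -> list:
    """The first `count` child private keys, hex-encoded, for a given seed."""
    root = root_key_from_seed(seed_words, passphrase)
    return [derive_child_key(root, i).hex() for i in range(count)]


def restore_matches(seed_words: str, expected_keys: list, passphrase: str = "") -> bool:
    """Backup check: re-entering only the seed must reproduce every key previously in use."""
    return derive_keys(seed_words, len(expected_keys), passphrase) == expected_keys


if __name__ == "__main__":
    seed = "river copper sunset violin basket marble tunnel orbit"  # constructed seed phrase
    keys = derive_keys(seed, 3)
    print("restore from same seed:", restore_matches("  River copper sunset violin basket marble tunnel orbit ", keys))  # True
    print("restore with one wrong word:", restore_matches("river copper sunrise violin basket marble tunnel orbit", keys))  # False
```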


PISP (Payment Initiation Service Provider)

One of the services introduced by the PSD2 Directive is the Payment Initiation Service (PIS). The PSD2 Directive enables certain operators, i.e. Payment Initiation Service Providers (PISPs), to initiate a payment order to Payment Service Providers at the request of their clients, by directly logging into their payment account without any intermediation. Thus, the payer will be able to initiate a transaction on its online account without the credit card intermediation. This innovative service will cause many intermediaries to disappear, leading to potential cost savings for online transactions and to a radical change of the competitive context. Access to the payer’s account will be provided through an API (Application Programming Interface), a set of defined methods of communication between programmes and access protocols which is directly monitored and regulated by EBA (European Banking Authority).
The payment service provider maintaining the payer’s account – usually a bank – shall allow access to the payer’s account even without a contractual relationship with the PISP for that purpose (Article 66, par. 5 PSD2). The PISP shall comply with the conditions established by the Italian law implementing the PSD2 Directive. The PISP shall not hold the payer’s funds at any time, so it cannot perform the typical banking function of offering account services. With reference to data, the PISP is not allowed to store sensitive data or to request from the payer any data other than those necessary to provide the service. Without due authorization, the PISP shall not use or store any user data for purposes other than the provision of the service. The Account Servicing Payment Service Provider (ASPSP) maintaining the payment account shall not deny access to PISPs, and shall treat all the parties allowed by the PSD2 Directive to access the account, including PISPs, without any discrimination. A denial of, or discrimination in, access to the accounts may amount to a breach of antitrust law and be sanctioned by national and EU authorities. In this perspective, the payment account will become more and more similar to an infrastructure that several operators can access without discrimination in order to offer payment services.

AISPs & PISPs: comparative table

Requirements | PISP | AISP
Initial capital | Provisions on initial capital were repealed (“Regulatory provisions on payment service institutions and electronic money institutions” of 17 May 2016) | None
Professional indemnity insurance or comparable guarantee for damages to ASPSP or user | Yes, to cover liability for unauthorised, late, defective or non-executed payment transactions, and the right of recourse of ASPSPs against the PISP. | Yes, to cover liabilities to ASPSPs or clients resulting from non-authorised or fraudulent access to, or use of, payment account information.
Passporting rights | Yes | Yes
How they can use/hold data | PISPs may not: (a) store clients’ sensitive payment data; (b) request from the payment service user any data other than that necessary to provide the payment initiation service; (c) use, access or store any data for purposes other than the provision of the PIS requested by the client. | AISPs may not: (a) request sensitive payment data linked to the payment account; (b) use, access or store any data other than for the provision of the account information services explicitly requested by the client.
Restrictions on the exercise of ancillary activities | Yes | No
Restrictions on the exercise of other business activities | Yes | No
Restrictions on investments in banks | Yes | No
Measures for protection of payment accounts’ assets | Yes | No


PSD2 (Payment Service Directive 2)

The PSD2 (Payment Service Directive 2, Directive (EU) 2015/2366), which entered into force on 13 January 2018, has radically modernized the European regime on payment services, making significant amendments to Directive 2007/64/EC (i.e. the PSD).
The Directive regulates the most innovative aspects of payment services, having in mind the exponentially higher usage of electronic payment systems and the radical shift to mobile technology by most users. Like the previous directive, the PSD2 aims to establish a single European market for payment services, based on the principles of competition, transparency and responsibility towards customers.
As to its subjective scope of application, the PSD2 applies to new kinds of service providers: the firms operating in the FinTech sector and, in particular, TPPs. The PSD2 allows the latter to directly access, via API interfaces, bank accounts opened by their clients with other entities, finally giving them a competitive edge over traditional financial operators such as banks and payment institutions.


RTS (Regulatory Technical Standards)

The Regulatory Technical Standards are the technical standards necessary to provide for the PSD2 Directive’s innovative services; they are set forth in the Commission Delegated Regulation (EU) 2018/389 supplementing the Directive. EBA (European Banking Authority) has developed the technical standards in close co-operation with European Central Bank.
In particular, the Regulation establishes regulatory technical standards for strong customer authentication (SCA), measures to protect the confidentiality and the integrity of the payment service user’s personalised security credentials and common open standards for the communication between account servicing payment service providers (ASPSPs), payment initiation service providers (PISPs), account information service providers (AISPs), payers, payees and other payment service providers (PSPs).
RTS will apply from 14 September 2019. However, the provisions which relate to the availability of documentation on the technical specifications of and testing facility for banks’ dedicated interfaces will apply from 14 March 2019.


SCA (Strong Customer Authentication)

Strong customer authentication is a procedure which allows payment service providers to verify the identity of a user when they carry out, through a remote channel, any transaction that may imply a risk of payment fraud or other abuse (such as accessing their payment account online or initiating an electronic payment transaction).
Strong customer authentication is designed to protect the confidentiality of the authentication data; it is therefore based on the use of two or more elements belonging to the following categories: knowledge (something only the user knows: password or user ID), possession (something only the user possesses: smart key) and inherence (something the user is: biometric and/or behavioural features). These elements are independent of each other, in that the breach of one does not compromise the reliability of the others.
The failure by payment service providers to adopt strong customer authentication affects the relevant liability regime.
The regulatory technical standards (RTS) set forth in Commission Delegated Regulation (EU) 2018/389, published on March 13th, 2018, regulate strong customer authentication.
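The “two or more elements from distinct categories” rule above, as an added illustrative check that is not part of the glossary and not a real PSP's implementation: each presented element is verified by a toy verifier tagged with its SCA category, and authentication succeeds only when the elements that pass span at least two categories, so a correct password plus a correct PIN (both knowledge) is not enough. The enrolled credentials, device secret and biometric template are constructed values; the biometric matcher is a stand-in distance check, not a real biometric algorithm.

```python
import hashlib
import hmac

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
PBKDF2_ROUNDS = 100_000
PASSWORD_SALT = b"constructed-salt"  # constructed; real systems use a random per-user salt


def _kdf(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), PASSWORD_SALT, PBKDF2_ROUNDS)


# Constructed enrollment record for one user (illustrative values only).
ENROLLED = {
    "password_hash": _kdf("correct horse battery"),
    "pin_hash": _kdf("4711"),
    "device_secret": b"constructed-device-secret",  # provisioned to the user's registered device
    "biometric_template": (0.12, 0.80, 0.55, 0.31),  # stand-in for a stored biometric template
}


def verify_password(password: str) -> bool:
    return hmac.compare_digest(_kdf(password), ENROLLED["password_hash"])


def verify_pin(pin: str) -> bool:
    return hmac.compare_digest(_kdf(pin), ENROLLED["pin_hash"])


def device_code(secret: bytes, counter: int) -> str:
    """One-time code the registered device computes from its secret and a counter (HMAC-SHA256)."""
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:8]


def verify_device_code(code: str, counter: int) -> bool:
    """Possession: only a device holding the provisioned secret can produce the code for this counter."""
    return hmac.compare_digest(code, device_code(ENROLLED["device_secret"], counter))


def verify_biometric(sample, threshold: float = 0.1) -> bool:
    """Inherence (toy matcher): Euclidean distance between presented sample and stored template."""
    template = ENROLLED["biometric_template"]
    distance = sum((a - b) ** 2 for a, b in zip(sample, template)) ** 0.5
    return distance <= threshold


# Each verifier is tagged with the SCA category of the element it checks.
VERIFIERS = {
    "password": (KNOWLEDGE, verify_password),
    "pin": (KNOWLEDGE, verify_pin),
    "device_code": (POSSESSION, lambda cred: verify_device_code(*cred)),
    "biometric": (INHERENCE, verify_biometric),
}


def sca_check(presented: dict):
    """presented maps element name -> credential. Returns (authenticated, categories satisfied).

    Every element is verified independently; authentication succeeds only when the elements that
    pass cover at least two distinct categories, so two knowledge elements alone are not enough."""
    satisfied = set()
    for name, credential in presented.items():
        category, verifier = VERIFIERS[name]
        if verifier(credential):
            satisfied.add(category)
    return len(satisfied) >= 2, satisfied


if __name__ == "__main__":
    code = device_code(ENROLLED["device_secret"], 7)
    print(sca_check({"password": "correct horse battery", "pin": "4711"}))  # (False, {'knowledge'})
    print(sca_check({"password": "correct horse battery", "device_code": (code, 7)}))  # (True, {'knowledge', 'possession'})
```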


Smart contract

A smart contract is a computerized protocol that executes the terms of a contract. Functioning like a vending machine, a smart contract is developed to assure one of the parties that the counterpart will satisfy its obligations, with certainty (pursuant to “if-then” statements).
Lately, some platforms (first of all, Ethereum) have been designed with the aim of applying blockchain technology to the execution of smart contracts, based on the occurrence of simple (passing of time) or more complicated (future financial results) events.
In the vision of its supporters, smart contracts would be able to overcome the problems of moral hazard, discouraging the breach of contract for strategic purposes, and significantly reduce the costs of verification and enforcement: the technological structure of smart contracts (blockchain) would leave no possibility for the parties to breach the contractual provisions.
In essence, by entering into a smart contract, the party would be bound to an additional bona fide obligation, committing itself not to behaving opportunistically in the future. Like the legal system, the institutional and the market rules, the technological structure of the blockchain would assume the role of regulatory constraint influencing individuals’ behaviour.
Moreover, after having been written in the blockchain, the smart contract is self-executing and freed from the intention of the parties. Also, the structure of some smart contracts makes the performance of a party a condition of that of the other party.
Therefore, the decentralization offered by the blockchain is intended to reduce greatly the lawsuits and, thus, the need for relevant terms (such as Jurisdiction and Governing Law clauses).


TPP (Third-Party Provider)

External operators authorized by clients to access their online payment transaction data. This access takes place through a software API (application programming interface) that connects the provider to the client’s bank.
PSD2 Directive regulates two TPPs: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).
The PSD2 Directive (Articles 66 and 67) has been drafted to open up access to clients’ payment account, provided that their payment account is accessible online, by defining the standards of communication with the Account Servicing Payment Service Providers (ASPSPs).
These new operators have one very important feature which guarantees free access to new entrants, in that the ASPSPs cannot require TPPs to enter into a contractual relationship to obtain access to the payment accounts in order to provide for the payment initiation and account information services.


User Interface

Please see UX (User experience)


User experience

User experience (UX) is the totality of (rational and irrational) effects aroused in an individual as a result of its interaction with a specific product or system.

With regard to the people involved, UX impacts all types of customers, irrespective of their culture, age, gender, wealth and social class. With regard to the scope, the notion of user experience includes the following aspects:

  • usability, which includes features such as ease of use, productivity, efficiency, effectiveness, learnability and user satisfaction;
  • usefulness, which allows the product or system to be used to achieve the goal set by the user;
  • the emotional impact, which is the emotional component of user experience that influences the user’s feelings, causing pleasure, joy, fun, aesthetics, desirability, novelty, originality and appeal, and also involving deeper psychological factors such as self-awareness, self-identity, feelings of pride and a sense of belonging.

To put it simply, a product or a system is considered able to offer a good user experience if it is easy to use, efficient and engaging. Usually, the average user looks beyond the pragmatic and verifiable aspects (functionality and usability), seeking beauty and emotional and intellectual gratification in the user experience. If the experience is positive, the user is more likely to savour the memory after interacting with the product or system that caused it. The concept of interaction is also very broad and should not be limited to its material component: interacting with a product or a system means observing, touching and thinking about it, to the point of becoming interested in it even before any physical contact.

UX takes on a crucial role in the digital sector, which is witnessing, on the one hand, a dizzyingly growing complexity of new technologies and, on the other hand, the constant expansion of the increasingly diversified set of users. In this specific sector, the complement of the UX is the user interface (UI), which is the designing of machines and/or software user interfaces in order to optimize the appearance and interactivity of a given product or system. Since most users access computation from mobile devices, UI designers today mainly focus on the development of effective user interfaces for these devices – ensuring immediate use, minimizing textual input, optimizing the results displayed on the screen, creating applications conforming to the main platform interface and allowing disconnected and poorly connected use.


Wallet Provider

A wallet provider is “an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies”. Wallet providers are subject, alongside “providers of exchange services between virtual currencies and fiat currencies”, to Directive (EU) 2018/843, which requires them to register or obtain licenses, thus placing them alongside more “traditional” entities such as cheque cashing offices and trust or company service providers (art. 47, par. 1, Directive (EU) 2015/849).
Italy had already forestalled European lawmakers with Legislative Decree no. 90/2017, adopted in transposition of the fourth Anti-Money Laundering Directive, becoming the first European country to impose specific duties on wallet providers and providers of exchange services between virtual currencies and fiat currencies. That decree amended the previous anti-money laundering legislation laid out in Legislative Decree no. 231/2007, expanding its scope. Legislative Decree no. 90/2017 placed cryptocurrency providers alongside currency exchange businesses and required them to enrol in an ad hoc register held by the Organismo Agenti e Mediatori.


XS2A (Access-to-Account)
Access-to-Account is the right, established by the PSD2 Directive, that allows Third-Party Providers (TPPs) to obtain information on, or access to, customer accounts from banks (or from other account servicing payment service providers), provided that the customers have given their consent.