This year, all European Union member states will need to have implemented the directive on payment services, commonly known as PSD2. This legislation gives users greater control over their banking data by allowing them to cede that information to new Third Party Providers (TPPs) to receive certain kinds of services.
In this way, PSD2 allows third parties to enter the payment services market and provide new services in the area of account information and payment initiation by accessing payment service users’ (PSU) financial data.
Now banks have to take this new law into consideration and the GDPR – the General Data Protection Regulation – which has been in force since 25 May 2018.
Banking institutions will have to comply with this regulation and the specific legislation on payment services because the new payment systems will require access to large swathes of personal data.
While both regulations are very different in purpose and in focus, they intersect in many areas. One law (PSD2) regulates how access is granted to personal information while the other (GDPR) seeks to protect personal data.
In this context, firms that are planning to offer Account Information Services (AIS) and Payment Initiation Services (PIS) will have to take both of these regulations into consideration.
To make it easier to comply with these two pieces of legislation, the consultancy firm Ernst and Young has identified the following challenges that banks have to tackle now that PSD2 and the GDPR have come into force.
The challenges of PSD2 with the GDPR
With PSD2, account information and payment initiation service providers (AISPs and PISPs respectively) will access and process the personal information that is stored in users’ payment accounts, such as personal data, transaction data, information on the account holder, and other types of information.
This personal data is subject to GDPR legislation, so banks and FinTech companies need to bear it in mind so as to be compliant.
Fines for GDPR breaches can be very heavy, up to 4% of a company’s annual turnover or up to €20 million.
That said, these are the main challenges that banking institutions need to tackle:
Consent
Users’ consent is the basis on which both the General Data Protection Regulation and the new Payment Services Directive ensure data protection for users.
In this respect, the GDPR stipulates the condition that must be met for consent to be granted. This approval is necessary in order to process certain data in a certain way.
PSD2 stipulates that consent is necessary to provide services to the PSUs. However, the term “explicit consent” does not appear in PSD2 and there is no proof that such law gives this matter the same meaning as the GDPR.
There is a lack of clarity regarding the necessary levels of consent that payment service providers need to obtain or provide with their services.
To shine a little light on the matter, the following table provides a breakdown of how the issue of consent affects both regulations.
Consent | GDPR | PSD2 |
Consumer consent to process data must be freely given and for specific purposes. | Yes | Yes |
Customers must be informed of their right to withdraw their consent. | Yes | No |
Consent must be “explicit” in the case of sensitive personal data or cross-border dataflow. | Yes | No |
Data processing and sharing is explicitly requested by the customer. | Yes | Yes |
Consent expires automatically. | No | Yes |
Consent must be clear, specific and informed. | Yes | Yes |
Source: EY on PSD2 & GDPR
APIs and Data Portability
Users have the right to transfer the data they have in a bank account to the provider of their choice without any obstacles. This is the right to data portability contained in the new data protection regulation, the GDPR. However, it does not appear in PSD2. Only in the technical standards that regulate the directive.
The technical standards that regulate PSD2 recommend the use of APIs to share data with AISPs and PISPs. This practice is more recommended than providing the users’ personal credentials to access the account.
The problem the API system poses today when favoring the exchange of information is that it is not uniform across Europe.
To try and get this standard in application by all British banks, the Financial Conduct Authority (FCA) in the UK and HM Treasury (HMT) are encouraging banks and TPPs (Third Party Providers) to adopt the Open Banking API guidelines from the UK Open Banking Implementation Entity to ensure the safe exchange of data between banks.
This initiative, even if just local, is relevant because the UK has been a first-mover in Open Banking and many countries are likely to model their approach on the British experience.
Silent Party Data
The third challenge posed by the application of PSD2 and the GDPR is silent party data that appears silently in bank transactions. When a user transfers bank information to another bank or platform the transaction includes information on the receiving party, but current systems aren’t set up in such a fashion that the receiver can provide explicit consent to sharing their data. Therefore, this transferral of data could be considered a breach of the GDPR. However, it seems that this also won’t be a serious problem as long as this information is only displayed silently.
Regarding the challenges listed, the report suggests that financial institutions should not allow the GDPR to hold back the innovation that PSD2 promises to bring. Instead, they should act to ensure that the new products and services comply with both regulations.
Key elements for applying PSD2 in accordance with the GDPR
- Be careful with automated processes. Banks are increasing the use of automation to provide value-added services. However, this automation cannot breach the principle of the GDPR which makes it obligatory to request explicit consent from the user. Financial institutions need to be prepared to justify all automated decision making if the customer requests this.
- Conducting data protection impact assessments. Since account information and payment initiation service providers (AISP and PISP respectively) need to process large volumes of personal data, data protection impact assessments are necessary. Such assessments must be conducted before processing financial data and should act to pinpoint risks in processing and to establish measures to ensure that data protection is complied with as stipulated by law.
- Design of data protection in new services. AISP and PISP have to respect data protection from the offset when designing solutions. They must then think about the impact that they will have on data protection before they are presented. In this design process, they must take adequate measures to ensure that they comply with the GDPR and minimize data processing.
- Preparing solutions to offer information on the use of data. With the new GDPR, users take control of their data so any application that is processing their data must notify the process to the information owners.
- Allowing users to delete all of their data if requested. Banks and third parties must develop solutions and services that make it possible for the consumer to delete all of their data when requested. The user has the right to do as they will with their data and, if they wish to delete them, they must be able to do so without any obstacles.
However, despite these recommendations, some voices are suggesting that more guidelines are urgently needed both in the European Union and from the national regulatory bodies, to indicate how companies can adapt to PSD2 and GDPR while avoiding stalling the development of Open Banking in Europe.
The Future of Open Banking within the Framework of the GDPR and PSD2
Since sanctions for GDPR breaches are greater than those for PSD2, it is likely that banks are prioritizing compliance with the former legislation, to the detriment of PSD2.
According to Deloitte, this practice will most likely lead to severe limitations on TPP’s access to data and very strict interpretations of consent. This in turn will make third-party services more difficult to use and will lead them to having less benefits for consumers. Lastly, it will stall the Open Banking movement and reduce the effectiveness of the efforts being made by regulators to increase competition and innovation on the payments market.
To stop this from happening, the consultancy firm is encouraging businesses to avoid considering programs for implementing the GDPR and PSD2 in isolation and, instead, it recommends that they ensure that they are coordinated and take into consideration what each one of them involves.
Regarding the measures being taken to improve compliance with both regulations, Deloitte believes that the development of an Open Banking API standard in the UK will provide a useful model with which to proceed. In this respect, it suggests that businesses both in the UK and the rest of the EU should check these initiatives and consider whether they could be integrated into their own planning for correctly implementing both PSD2 and the GDPR.
But they need to get to work since delays in applying both pieces of legislation will stall the development of up-and-coming companies such as FinTech firms. Roland Berger consultancy firm confirms in their research. They calculate that FinTech and BigTech companies are seeing 40% of their income under threat due to the lagging speed at which the changes introduced by PSD2 and the GDPR are being responded to.
With that in mind, the future of Open Banking in the European Union depends on how adept banks and institutions are when it comes to bringing the improvements introduced by PSD2 in line with the greater data protection for users promoted by the GDPR.