The revised Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR) share a substantial area of common concern: data protection and customer consent. PSD2 obliges banks to grant third-party providers (TPPs) access to customer account information, even though the bank has no contractual agreement with those providers. GDPR creates a framework for protecting personal data on the basis of the individual's consent. So while PSD2 focuses on making the financial data of individuals available to third parties, GDPR is devoted to keeping that information private until the right consent has been obtained. Surprisingly little has been said in either regulation about how the two are meant to coexist.
A Closer Look at the Regulatory Landscape
Both frameworks bear on what banks (Account Servicing Payment Service Providers) can do with their customers' data, and the consequences of non-compliance can be severe. Under GDPR, penalties for data protection breaches can reach €20 million or 4 percent of total worldwide annual turnover, whichever is higher. As PSD2 is a Directive, penalties for non-compliance are defined by the individual member states, whereas GDPR is a Regulation and therefore directly applicable in all EU member states.
The new regulatory landscape fails to offer interlinked solutions and lacks detailed explanations. Even though PSD2 includes an entire chapter on data protection, GDPR does not refer to the directive at all. Moreover, the European Banking Authority's (EBA) final draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) under PSD2 also do not sufficiently address the necessary data protection details.
Under PSD2, banks are likely to offer a dedicated interface (API) through which third parties can access the data they require, allowing them to bypass several steps and complications in providing banking services. Not surprisingly, the vast majority of banks indicate that data protection is a significant issue yet to be dealt with under PSD2. Nobody likes the idea of letting strangers into their home.
"Banks should keep the GDPR guidelines at the heart of their approach, applying the most rigid interpretation possible."
In preparing for PSD2, banks should keep the GDPR guidelines at the heart of their approach, applying the most rigid interpretation possible. This will, however, limit the TPPs' access to data and lead to strict interpretations of consent. It will also slow down the open banking movement and reduce the effectiveness of regulators' efforts to further innovation and competition in the payments market. Banks should therefore avoid running their GDPR and PSD2 implementation programs in silos, and set up an aligned and coordinated framework instead.
Consent: A Common Concern for PSD2 and GDPR
One commonality between the two regulations is the emphasis on customer consent. In the end, the customer is in control: whether to share personal data with any (third) party is their free choice. Despite this seemingly shared focus, the execution leaves room for doubt. First, both GDPR and the RTS under PSD2 lack clarity on the type of consent required. Given that consent in electronic form is a practical necessity for PSD2, the technical details of how consent is given (for example, ticking a box or confirming by email) are missing, leaving too much room for interpretation.
Second, an area of debate in the RTS is data scraping (also known as screen scraping): extracting data from the human-readable output of another program. In this context, data scraping refers to the practice where third-party providers (Payment Initiation Service Providers and Account Information Service Providers) log in to bank accounts on the customer's behalf using the customer's own username and password. This practice was prohibited in the EBA's final draft RTS. However, the European Commission (EC) urged the EBA to refrain from banning data scraping outright and instead keep it as a fallback mechanism should bank interfaces (APIs) fail to function properly.
What does that mean for banks? Data scraping confronts them with a hard problem, because a TPP holding the customer's credentials can reach any information available to the customer on the online banking platform. It is therefore highly problematic, if not impossible, for banks to limit access to the data covered by the customer's consent while also complying with other data protection requirements, such as those on sensitive data. Because TPPs obtain consent from the customer directly, or reach the data through the dedicated API without any contractual relationship with the bank, the bank cannot verify whether consent has been given and of what type. And as banks, as data controllers, remain responsible for the customer data they release to third parties, having no agreement in place would leave them non-compliant with GDPR. This practice, by its very nature, runs counter to the spirit of customer protection and controller accountability embodied in both GDPR and PSD2.
Given these interacting requirements, TPPs will likely initiate the process of securing customers' consent, including consent for their own activities and for the use of the data once obtained, whereas banks will ultimately remain responsible for confirming that consent directly with their customers. The confirmation should cover the identity of the TPP, the data the customer wishes to share, the frequency of access, and the expiry date of the consent. Such a two-way route, obtaining and then confirming consent, has the potential to offer greater protection to TPPs, banks and customers alike than banks relying solely on the consent asserted by the TPPs.
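The two-way route above gives the bank a record it can actually enforce at the API: the bank stores only consents it has confirmed with the customer, and every TPP request is checked against the four confirmed details (TPP identity, data scope, frequency, expiry) before any account data is returned. The following is an added illustration, not code from the article or from any bank's or TPP's real implementation; the class and field names (Consent, ConsentStore, tpp_id, scopes, max_calls_per_day, expires_at), the scope strings, and the customer and TPP identifiers are all assumptions chosen for the example. It also shows the consequence of the data-scraping problem discussed earlier: a TPP whose identity the bank cannot establish simply has no consent record and is refused.

```python
"""Consent-scoped access check for a PSD2-style account-information API.

Constructed example, not code from the article or any real bank API.
Field names mirror the four confirmation details the article lists:
identity of the TPP, data to be shared, frequency, and expiry date.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Consent:
    customer_id: str
    tpp_id: str                 # TPP identity the customer confirmed with the bank
    scopes: FrozenSet[str]      # data the customer agreed to share, e.g. "accounts:balance"
    max_calls_per_day: int      # how often the TPP may pull the data
    expires_at: datetime        # consent expiry (timezone-aware UTC)


@dataclass
class ConsentStore:
    """Bank-side record of confirmed consents plus per-day usage counters."""
    consents: Dict[Tuple[str, str], Consent] = field(default_factory=dict)
    # (customer_id, tpp_id, ISO date) -> number of allowed calls that day
    usage: Dict[Tuple[str, str, str], int] = field(default_factory=dict)

    def confirm(self, consent: Consent) -> None:
        # Only a consent the bank has confirmed directly with the customer is stored;
        # a consent merely asserted by the TPP never reaches this point.
        self.consents[(consent.customer_id, consent.tpp_id)] = consent

    def revoke(self, customer_id: str, tpp_id: str) -> None:
        # The customer stays in control: withdrawing consent removes the record.
        self.consents.pop((customer_id, tpp_id), None)

    def authorize(self, customer_id: str, tpp_id: str, scope: str,
                  now: datetime) -> Tuple[bool, str]:
        """Decide whether the authenticated TPP may read `scope` for the customer now.

        Every denial carries a reason so the decision can be logged. The usage
        counter is incremented only when the call is allowed, so refused
        requests never eat into the customer's agreed frequency.
        """
        consent = self.consents.get((customer_id, tpp_id))
        if consent is None:
            return False, "no_consent"           # unknown TPP, never confirmed, or revoked
        if now >= consent.expires_at:
            return False, "expired"
        if scope not in consent.scopes:
            return False, "scope_not_granted"    # e.g. transactions asked, only balance consented
        day_key = (customer_id, tpp_id, now.date().isoformat())
        used = self.usage.get(day_key, 0)
        if used >= consent.max_calls_per_day:
            return False, "frequency_exceeded"
        self.usage[day_key] = used + 1
        return True, "ok"


def demo() -> List[str]:
    """Walk through one constructed consent and return the decision reasons in order."""
    store = ConsentStore()
    t0 = datetime(2018, 1, 15, 9, 0, tzinfo=timezone.utc)
    # Constructed consent: TPP "tpp-A" may read the balance twice a day for 90 days.
    store.confirm(Consent("cust-1", "tpp-A", frozenset({"accounts:balance"}),
                          max_calls_per_day=2, expires_at=t0 + timedelta(days=90)))
    decisions = [
        store.authorize("cust-1", "tpp-A", "accounts:balance", t0),                        # ok
        store.authorize("cust-1", "tpp-B", "accounts:balance", t0),                        # no_consent
        store.authorize("cust-1", "tpp-A", "accounts:transactions", t0),                   # scope_not_granted
        store.authorize("cust-1", "tpp-A", "accounts:balance", t0),                        # ok (2nd call)
        store.authorize("cust-1", "tpp-A", "accounts:balance", t0),                        # frequency_exceeded
        store.authorize("cust-1", "tpp-A", "accounts:balance", t0 + timedelta(days=1)),    # ok (new day)
        store.authorize("cust-1", "tpp-A", "accounts:balance", t0 + timedelta(days=91)),   # expired
    ]
    store.revoke("cust-1", "tpp-A")
    decisions.append(store.authorize("cust-1", "tpp-A", "accounts:balance", t0))           # no_consent
    return [reason for _, reason in decisions]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The point of keying the record on the TPP identity the bank itself authenticated is that a scraper presenting the customer's own password has no such identity and falls straight into the "no_consent" branch; the check can only be as good as the bank's ability to tell the TPP apart from the customer.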
How to Navigate Through Conflicting Regulations
PSD2 will certainly enrich the customer experience in financial services and make banking a more level playing field. Nevertheless, it will not be an easy ride for either banks or TPPs, as the parties involved will have to clear several hurdles before they can make use of the APIs. They will be required to implement several layers of compliance and regulation, which can be time-consuming and costly.
Creating systems and processes that are adaptable and protect customer data is key to a successful implementation of both the GDPR and PSD2 guidelines. Banks and TPPs alike must set up rules and processes for data breaches, build a data-safe culture, develop policies, implement, train, monitor and assess frequently. Furthermore, it is imperative to implement privacy by design, analyze the personal-data processing framework in place and review third-party policies, procedures and contracts.
A crucial element for success will be the technical and operational onboarding process for TPPs. When onboarding a new TPP, the bank must be prepared to take on additional financial risk, as it shares liability for any breaches. Banks and API providers will have to tackle the privacy issue from start to finish, ensuring that TPPs have sound privacy certifications and settings in place, and that both parties have implemented proper due diligence mechanisms and processes for onboarding, testing APIs and managing incidents. Privacy design strategies should also anticipate future TPP requests.
"Customer consent must be a top priority for banks."
As sharing customer data without proper consent is a clear GDPR violation, customer consent must be a top priority for banks. Consent is an area where effective identity management is crucial: a consent is only as reliable as the bank's ability to verify who gave it and who is acting on it. Identity management is advancing, as more secure and user-friendly biometrics replace clunky username and password combinations to better verify and authenticate individuals. Banks and TPPs should also develop advanced data analytics to better prevent identity fraud and false identity representations. Only with robust, full-fledged systems that deliver a framework of trust around PSD2 can it fulfil its promise of open banking.
Further Data Protection Guidance Needed
With two major EU compliance initiatives entering into force in 2018, banks have a powerful incentive to create a new data-handling paradigm. On the one hand, banks need to deliver GDPR compliance by carrying out a root-and-branch review of how they handle, process and govern the use of customer data. On the other hand, PSD2 is a (customer) data-driven directive with the potential to create a whole new world of banking opportunities. Further guidance is urgently needed from both EU and national regulators on how banks can reconcile the requirements of PSD2 and GDPR. In the meantime, banks should review their data protection and consent management processes, policies and procedures, and approach PSD2 and GDPR in parallel, taking each one's requirements into account in the other. There can be no doubt that GDPR and PSD2 will drive huge changes in the world of personal data protection and disrupt the way banks operate. For banks, the time to act has arrived.
This article was originally created for The Paypers' "B2B Fintech: Payments, Supply Chain Finance & E-invoicing Guide 2017".