The first half of 2018 will be highly interesting for the financial services industry, as both PSD2 (the second Payment Services Directive) and the GDPR (General Data Protection Regulation) go live, one in January and the other in May of 2018. PSD2 focuses on payment services and on how data can be shared between banks and third-party providers. This means that banks will have to expose their systems to third-party providers through APIs, which in turn means giving those providers access to the banks’ data. The GDPR, on the other hand, is about strengthening data protection for individuals. It also grants individuals a list of rights, such as the right to be forgotten, the right to rectification and the right to restriction of processing, to name just a few. The GDPR applies to all European residents, and both data controllers and data processors that fail to comply face heavy penalties.
At first glance these look like two different regulations, but there is some crossover, as both share similar features. Both talk about increasing a customer’s control over their own data. Banks may be getting confused precisely because of these common features. PSD2 is forcing banks to expose an individual’s data to third-party providers, whereas the GDPR is asking for stricter measures to protect an individual’s data. PSD2 promotes data sharing, whereas the GDPR endorses data privacy. There is no doubt that these two regulations will collide with each other; some such scenarios are described below:
- Under PSD2, a FinTech can have access to multiple banks through an open API, and there may be no contractual agreement between the FinTech and the banks. Without such an agreement, it remains to be seen how the banks will ensure the complete security of an individual’s data as the GDPR requires.
- In the case of a minor’s account, the GDPR requires explicit consent from the minor’s legal guardian. Some banks give children online access to their accounts. If that access is also available through an API, who gives the consent in this case?
- In the case of payment processing, how will organizations deal with the payment data of their counterparties? Do counterparties also need to give explicit consent?
These are not conflicts so much as challenges in implementing both regulations together. Some of the scenarios need to be considered thoroughly, though there is a lot of synergy between the two regulations, and a focused approach might resolve the challenges and the confusion among banks. Data is the nucleus of both the GDPR and PSD2. The GDPR demands that banks know not only what data they store, but also how and when that data is shared with others. A clear approach to identifying all data movement will give banks much more control over customer data. If a bank must share some data through an API as part of PSD2, it should also be fully aware of how the sharing takes place and how the data is subsequently used. Additionally, banks should check a third-party provider’s security controls before sharing any information with it.
Both regulations need to be implemented together rather than in a siloed manner. It may be challenging initially, but it is also a great opportunity for banks to grow towards a data-driven ecosystem in which all players both share data and secure it.