In 2018, two large pieces of European Union regulation will enter into force: the PSD2 on Jan 13 and the General Data Protection Regulation (GDPR) on May 25.
Preparation for the PSD2 is underway: see the Irdeto Security Compliance guide and the Paypers report on Open Banking. Open banking requirements will change how financial services institutions view and use customers’ data. Processing of personal data will also be affected by the GDPR. Here’s what you need to know about how the two new regulatory schemes will work together.
What you need to know
The PSD2 and the GDPR share two common aims. Both these new regulatory schemes aim to put customers in control of their own data and to keep that data safe. The PSD2 aims to harmonise payments regulations and consumer protections. Similarly, the GDPR aims to harmonise personal data protections. Both will apply to financial transactions, as personal data is inevitably involved.
Penalties are serious. The GDPR imposes significant penalties for breach of data protection: up to four percent of the offending institution’s global turnover. This is calculated on revenue, not profit. The potential fines are colossal. In contrast, the PSD2 is not backed by fines of its own. As a directive, it will require domestic implementation by member states. The GDPR and its penalties will be directly enforced.
Banks are no longer the gate-keepers to data. The PSD2 requires banks to share customers’ personal data with third parties at the customer’s request. The data sharing economy will give greater power to the consumer (or the data subject). Financial institutions are no longer the gate-keepers of data. Open banking via APIs will trigger an evolution of consumer choice. This reflects the right to data portability in Article 20 GDPR. The more dynamic financial industry requires stronger security, privacy and consent mechanisms for the sharing of personal financial data.
Consent requirements will change dramatically. Simultaneous application of the PSD2 and the GDPR makes consent a complex issue. In an open banking environment, the GDPR’s strict privacy rights still apply. The consent requirements make sense when there is one customer and one bank. As also explained by Deloitte, it is not clear how the consent requirements will work when multiple financial services or customers are involved. This poses problems for the management of consent forms and for accountability. Regtech will provide important support for adjusting and automating compliance processes.
KYC data triggers GDPR application. Data management, specifically in industries such as insurtech, will become increasingly difficult with the introduction of the GDPR. KYC data must be securely stored to avoid fines under the GDPR. Furthermore, better processes for deleting data and for data obfuscation will be needed to comply with the GDPR principle of data minimisation and its consent requirements.
While the GDPR is not as extreme an overhaul of the regulatory framework as the PSD2, it provides important safeguards for privacy and data security in an open banking industry. The two new regulations will need to be applied together to ensure harmony between customer, technology and financial service. Remember to consider the GDPR when adapting to the PSD2.