The next 12 months will be a testing one for fintechs and established financial institutions as they co-ordinate two new regulations.
Two regulations in particular will keep the City’s legions of compliance officers busy in 2018: The Second Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR). Both have been a long time coming, are likely to be adopted around the same time and have the potential to clash terribly making an extra digital dilemma for firms.
Under PSD2 Third Party Providers can access customers’ digital footprint in terms of their payment account data. Crucially this will be direct access, as long as firms have explicit consent from the customer. GDPR meanwhile applies to all organisations processing the data created by citizens of the European Union, emphasising the responsibility of firms to protect customers’ personal data and privacy.
Put another way PSD2 will require institutions to open up their data archives and give access to personal information related to customer accounts to third parties but GDPR forbids sharing information with third parties.
Confused? You are no doubt the only one but it is worth remembering that laws can quite often interact with each other, however, there is little guidance from the EU as to how the two regulations should co-exist. Not only this but the two regulations also come at the same time as the Open Banking launch likely prompts another wave of disruption to banking services.
Both GDPR and PSD2 are no doubt built on the same honourable principle: individuals own their data. When the idea becomes a reality, however, things get more complicated and could threaten the benefits of PSD2.
Deloitte’s regulatory team in the UK have issued warnings to this effect saying further guidance is needed. This is particularly so in determining what constitutes “sensitive payment data” and who is responsible for obtaining consent.
“This lack of clarity on what constitutes sensitive payment data creates challenges for interpretation and implementation and increases the risk of non-compliance. Without further guidance banks may need to take a very risk-averse approach and redact all data that could possibly fall into the sensitive data category in order to avoid breaching rules around data protection, both under PSD2 and GDPR,” Deloitte said in blog post earlier in 2017.
There is no reason GDPR and PSD2 cannot live in perfect harmony but the devil is in the detail and the potential ramifications are also enormous. Firms in breach of regulations are liable to huge fines. While PSD2 does not mention specific penalties, GDPR has a maximum €20m or 4 per cent of global turnover for companies.
For alternative finance platforms getting the correct balance is challenging owing to their smaller staffs and less established balance sheets. As PSD2 mandates unfettered access to reams of data using APIs, those with existing strict standards of how they manage such information will be at an advantage while those in growth mode will require urgent action.