GDPR and PSD2: How banks tackle data governance in the age of fintech

By Gabe Morazan on Monday 10 September 2018


Gabe Morazan, director of product management, Crownpeak says it is crucial for banks to make the link between GDPR and PSD2.

The General Data Protection Regulation (GDPR) is the talking point of 2018, but for banking professionals it isn’t the only major data management change to hit this year. The Payment Services Directive (PSD2), which came into force on 13th January, has already brought strict new rules that have transformed the financial sector.

At first sight, the PSD2 and GDPR appear to directly contradict one another. While the PSD2 is designed to facilitate the sharing of banking data with third parties, the GDPR focuses on protecting consumer data and regulating data sharing. But juggling this duo of data laws isn’t as challenging as it might seem. Focussed on meeting the same core goal — giving subjects more control over their data — both are actually part of the same movement towards greater consumer empowerment.

So, what do banks need to do to abide by both regulations, while putting consumers at the heart of their business values?


What is PSD2 and how does it sit with GDPR?

The PSD2 is an extension of the PSD legislative framework, designed to put guidance in place for the ever-evolving payment systems sector. Its main aim is to provide a fair landscape for EU payment services providers, improving competition and opening the door to fintech innovation. The directive supports the open banking movement by mandating that, with customer consent, banks must allow third parties access to account and transaction data via APIs.

Complying with both the PSD2 and the GDPR, which places a greater emphasis on allowing users more control over their data and puts restrictions in place for the collection, processing and sharing of personal information, sounds daunting. For instance, banks that refuse to share account data with fintech providers for fear of breaching the GDPR may run foul of PSD2.

While penalties for non-compliance with PSD2 are determined by individual member states, GDPR fines are fixed, with businesses found in breach of the regulation liable for up to €20m or 4 per cent of sales, so banks may be tempted to prioritise one over the other. However, both regulations are working towards the sole aim of providing increased transparency in today’s digital ecosystem and must be implemented in unison.

By integrating both regulations together, banks can ensure their compliance procedures are joined up and bring the needs of consumers to the forefront of their data policies and processes, as well as focus on the areas where the two regulations overlap – namely control and consent.


The common denominator: consent

While the GDPR is committed to keeping personal data private, the overarching commonality of both the GDPR and PSD2 is consent, and at the centre of consent is the individual’s freedom to choose what happens with their data.

Consent procedures must be thorough and accurate and require commitment from both banks and third-party providers. Fintech providers may kick-start the process by reaching out to customers for permission to access their data, but it is the responsibility of banks to confirm this consent with their customers. This includes identification verification, an accurate understanding of what data consumers are happy to share, the frequency with which it can be shared and how long their consent is valid for. By taking this two-step approach, banks, third parties and customers will all benefit from increased transparency, while ensuring they are operating at an optimum level of compliance — ultimately leading to better consumer experiences.
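As an added illustration that is not part of the original article, the consent checks listed above (bank confirmation, provider, scope, sharing frequency and validity period) expressed as the decision logic a bank's API gateway might run before releasing account data to a third party. The record fields, the one-day frequency window and all sample values are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical consent record a bank might hold after confirming a
# third party's request with the customer (the two-step approach above).
@dataclass
class Consent:
    customer_id: str
    provider_id: str            # third-party provider the customer authorised
    scopes: frozenset           # data categories the customer agreed to share
    max_accesses_per_day: int   # agreed sharing frequency
    valid_until: datetime       # how long the consent remains valid
    confirmed_by_bank: bool     # bank verified identity and confirmed consent
    access_log: list = field(default_factory=list)  # timestamps of past accesses

def authorize_access(consent, provider_id, scope, now):
    """Decide whether one data request may be served under this consent.
    Returns (allowed, reason) so every refusal is explainable and auditable."""
    if not consent.confirmed_by_bank:
        return False, "consent not confirmed by bank"
    if provider_id != consent.provider_id:
        return False, "provider not covered by consent"
    if now >= consent.valid_until:
        return False, "consent expired"
    if scope not in consent.scopes:
        return False, "scope not granted"
    window_start = now - timedelta(days=1)      # assumed frequency window
    recent = [t for t in consent.access_log if t > window_start]
    if len(recent) >= consent.max_accesses_per_day:
        return False, "sharing frequency exceeded"
    consent.access_log.append(now)
    return True, "ok"

def demo():
    # Constructed sample consent and a sequence of requests against it.
    start = datetime(2018, 9, 10, 9, 0, tzinfo=timezone.utc)
    consent = Consent("cust-001", "tpp-abc", frozenset({"accounts"}),
                      2, start + timedelta(days=90), True)
    return [
        authorize_access(consent, "tpp-abc", "accounts", start)[0],      # allowed
        authorize_access(consent, "tpp-abc", "transactions", start)[0],  # scope not granted
        authorize_access(consent, "tpp-xyz", "accounts", start)[0],      # wrong provider
        authorize_access(consent, "tpp-abc", "accounts", start + timedelta(hours=1))[0],  # allowed
        authorize_access(consent, "tpp-abc", "accounts", start + timedelta(hours=2))[0],  # frequency
        authorize_access(consent, "tpp-abc", "accounts", start + timedelta(days=91))[0],  # expired
    ]
```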


Going a step beyond compliance

Acting in accordance with PSD2 and GDPR is about more than legal compliance. The regulations also provide a welcome opportunity for banks to enhance the service they offer to consumers at a time when they are under increased pressure from fintech competitors. The new laws encourage a greater focus on building trust-based relationships with customers and delivering convenient, smooth and personalised experiences.

To enhance their offering, banks need to gain a holistic and in-depth understanding of their customers by gathering regulation-compliant behavioural, ambient and form-based data. In addition, collecting information from Customer Relationship Management (CRM), Enterprise Resource Planning (ERP) and Marketing Automation Platform (MAP) technology can help to build a 360-degree view of consumers. This practice provides banks with invaluable insight into the financial products customers are interested in, how they interact with these products and via which touch points.

Once a holistic view is achieved, Digital eXperience Management (DXM) platforms can assist banks in targeting customers with relevant, personalised content they know will be of interest to them. These solutions help banks tailor interactions across multiple channels and devices, and manage content and marketing campaigns simply and effectively, from one easy-to-use platform.

Where the GDPR places restrictions on automated profiling in the absence of explicit consent, A/B testing is proving a useful alternative for banks in testing many variants of a single digital touchpoint, to gain insight into how audiences react to particular changes. It allows testing of different formats, placements, calls to action, creative features and content types to discover the most effective for specific audiences, generating insight that can be applied across the wider marketing plan.

Banks can ensure they maintain the quality of personalised content across all channels by utilising digital quality management technology to identify errors and inconsistencies such as misspellings, issues with accessibility, links that don’t work, and compliance risks. Quality is important to consumers and an accurate and glitch-free experience will build trust and compel them to remain loyal to a brand or provider — particularly one that is handling their personal data.

With the introduction of two key pieces of legislation, and innovative fintech companies driving evolution in the financial sector, 2018 is a pivotal year for banks. But by understanding how the two regulations complement each other through their shared emphasis on consumer control and consent, and by using the legislation as an opportunity to focus on enhancing the customer experience, banks can make data governance work for them in the age of fintech.
