PSD2 vs GDPR: How to Navigate Through Conflicting Regulations
In this corner PSD2 (the second Payment Services Directive), the EU payments directive to open up payments. In the opposing corner GDPR (General Data Protection Regulation), the laws to strengthen and unify data protection for all EU citizens. Who will win in this battle of heavy weight compliance rules? Or, in reality, how can your business comply with both regulations simultaneously?
We’re pitting these rules against each other, as they cover fundamentally different regulatory areas, but overlap and conflict in many of their rules. The complexity of these rules creates confusion amongst banks and other covered entities about their obligations. With the implementation date for each coming up soon, it’s a good time to determine what procedures and policies to implement to ensure compliance.
Here’s a reminder of the main points:
The implementation date for PSD2 is January 12, 2018. The major change is the requirement for banks to open up access to customer accounts, allowing third-party providers to access that information via APIs (application program interface). This signifies the dawn of open banking, where a whole new host of financial products and services can be built on top of the existing bank infrastructure and data.
If you do business with Europeans, your business needs to develop and implement proper data privacy handling procedures by May 25, 2018. These rules involve how you collect, share, manage and destroy private information. Each step of the Data Lifecycle requires specific strategies of acceptable data use. For example, what data is acceptable being put on storage, or to archive? Who can use that data? When will the data be destroyed?
The two rules seem philosophically opposed to each other; PSD2 is about making a person’s data more accessible, while GDPR is about controlling access to that data. Of course, it’s the actual implementation of those rules, as opposed to philosophy, that matters. How can organizations create PII (Personally Identifiable Information) procedures that satisfy both rules?
As research firm Oliver Wyman states in their GDPR white paper, Future Proofing Privacy, “for the first time, sensitive, private, and personally identifiable information will be exchanged outside of the traditional payments system, requiring a fundamental rethink of the infrastructure and governance that needs to be in place.”
One commonality between both regulations is the emphasis on individual consent. If an individual asks you to share their PII with a third-party, PSD2 requires you to share that information. If an individual asks you to delete PII information, GDPR requires you to delete that information. In both cases, consent dictates your actions.
Of course, it’s not the clear-cut situations that are causing headaches for compliance, but rather all the potential scenarios that require consideration. What if a consumer asks you to share their PII with a third-party bank, but then asks you to delete that information? You can ask the third-party to delete the data, but how can you ensure its deletion and what are your responsibilities?
Unfortunately, there’s no mention of PSD2 in the GDPR or vice-versa. PSD2 includes a section on data protection, but it mentions laws that are now out of date. There’s also little guidance at this point, so there’s no clear path forward.
One consideration is the potential fines of non-compliance. GDPR is a Regulation and failures have serious financial consequences, up to €20M or 4 percent of global turnover. Considering that some multi-nationals make billions, GDPR fines are potentially massive. As PSD2 is a Directive, penalties are up to the member states to define, so there might not even be fines.
According to Kieran Hines, Head of Industries at research and consulting business Ovum, “In effect, a bank not 100 percent certain about the provenance of a TPP (third-party provider) requesting customer data will need to decide between declining the request (and being noncompliant with PSD2) or accepting it and, if there is a data breach, becoming liable for a sanction of up to 4 percent of global turnover under GDPR. As things stand, the outcome would presumably be to risk noncompliance with PSD2 and reject the request.” (Emphasis ours)
Regardless of the specific scenario, creating systems and processes that protect PII and are adaptable is a key to successful implementation of both the GDPR and PSD2. Here’s a reminder of GDPR considerations:
- Prepare for data breaches
Create rules and processes, so if it does happen you’ll know what to do and limit the damage
- Build a Data-Safe culture
Develop policies, implement, train, monitor and assess
- Build privacy by design
Have privacy in mind from the beginning of any new project
- Analyze your personal data processing framework
Is consent freely given, specific and informed? Or do you have legitimate interest in processing personal data that overrides right to privacy?
- Have clear and understandable privacy notices
Be ready for citizen requests
- Citizens have the right to be forgotten or to move their data
Check your third-party policies, procedures and contracts
- Watch cross-border data transfers
Transferring private data to countries that don’t uphold the same data protections can end up in significant fines
As all of these are good compliance factors in general, applying these considerations to PSD2, where applicable, makes sense. If all companies are taking these steps and there is effective communication between parties, then compliance is ensured for all.
For example, if a bank gets a TPP request they can check the privacy policies of the TPP to see if they fit with their privacy requirements. Their third-party policies should explicitly state their data policies, procedures and expectations, so that a TPP has clear, defined rules to act on.
Consent by Design
Understanding that there will be TPP requests needs inclusion in any privacy designs. A special consideration for consent is necessary, as sharing PII without proper consent is a clear GDPR violation.
Consent is one area where effective identity management is crucial. Do you know they are who they say they are? Only through robust systems that deliver a framework of trust around PSD2 can it achieve its promises of open banking.
The good news is that identity management is advancing to meet the challenges of upcoming and future regulations. More secure and user-friendly biometrics is replacing clunky username and password combinations. Advanced data analytics is developing to better prevent fraud and false identity representations. New identity sources are combining with traditional data sets to better verify and authenticate individuals.
With two major compliance initiatives coming in the next year, EU compliance teams have a powerful incentive to create a new data handling paradigm. On the one hand, they need to deliver GDPR compliance to avoid hefty fines. On the other, PSD2 has the potential to create whole new banking opportunities. Combining those requirements with one system that delivers both data safety and controlled open access is a victory for consumers, regulators and businesses that want to optimize their European operations.