PSD2 came into force in January 2018, while the GDPR came into effect in May 2018. So how can the two seemingly conflicting regulations work together?
This year marks the arrival of two important EU regulations that will impact the financial sector: The update to the general data protection regulation (GDPR) and the Revised Payment Services Directive (PSD2).
GDPR, which comes into force in May, introduces new guidelines for how data is handled and shared, with fines of up to 4 percent of company turnover for those that suffer a breach.
Unlike GDPR, which impacts all businesses that control or process EU citizens’ data, PSD2 applies to payment services providers – including banks, credit card providers, e-money institutions and payment institutions. More broadly, it is very different from GDPR because it requires banks to open payment data via APIs so third parties can develop services for customers.
On the face of it, GDPR and PSD2 are conflicting regulations: The first is about protecting sensitive data from third parties and the other is about opening it up. So, can the two co-exist within a business?
Where the two regulations combine (and where they don’t)
Although GDPR and PSD2 appear very different, one thing the two regulations have in common is the issue of “consent”. In other words, a customer has rights over how their data is used and shared.
However, there are problems with the specifics of consent in the context of implementation. So much so, that according to a blog by Deloitte’s David Strachan, EMEA Lead, Centre for Regulatory Strategy: “Once one moves from the high-level principles to implementation, the challenges of reconciling the details of each regulation quickly become apparent.”
In fact, Deloitte’s view is that, if left unattended, these challenges “have the potential to jeopardise the successful implementation of PSD2”.
Definition of payments data
Another complication is the definition of ‘sensitive payment data’ under PSD2 – which is left for PSPs to decide. Contrastingly, GDPR is clear on this issue, defining ‘personal data’ as that which can identify a person indirectly or directly, such as a name, ID number or location data.
According to Deloitte, the disparity between GDPR and PSD2 on this matter could lead companies to take a risk-averse approach. Yet this might be over-cautious and could forfeit some of the benefits provided by opening up data. At the same time, restricting data access is not an option: It could lead to PSPs being reported to the regulator.
Nevertheless, it is still possible for the two regulations to co-exist. But if the right approach is taken. The solution lies in finding the right balance between utilising data and respecting the individual’s privacy.
Among recommendations made in a PwC report, financial companies should take a risk based approach, but also remove silos and “become good at data governance”.
Taking this advice into account, it might make sense to align with the stricter requirements of GDPR. But when regulations are this complex to combine, another approach is to outsource core processes to a trusted, regulated entity. Why manage these issues yourself when an external company can provide that expertise for you?