GDPR vs PSD2 – Banks may abandon PSD2 due to conflicting policies


About a year ago, Bernard wrote a post on PSD2 and discussed different levels of maturity in regulations. He highlighted that PSD2 was a regulation meant to open up the market for innovative consumer banking use cases and solutions. However, the same regulator (EBA) has set a timeline for the General Data Protection Regulation (GDPR) in 2018 alongside PSD2.

We have discussed PSD2 and its implications for banks, fintech firms and consumers at length in the past. So, let me focus on GDPR and what it means for firms and consumers. The purpose of GDPR is to ensure that consumers give informed consent before companies can share their personal data with third parties. Post-GDPR, pre-ticked check boxes and inactivity from consumers can no longer be taken as their consent to data sharing.

Unlike PSD2, GDPR applies to all businesses in the EU processing consumer data, not just financial services firms. GDPR also applies to non-EU businesses if an EU resident’s personal data is processed in connection with goods or services offered.

The Data Protection Act (DPA) provided consumers with the right of subject access, which means consumers can ask a company for the data that the firm has collected about them. Currently many businesses charge a fee to provide this data to consumers, but post-GDPR, firms can’t charge this fee.

As consumers, we can instruct firms when to collect our data and stay on top of it using the right of subject access. Now what does this have to do with PSD2? PSD2’s purpose is to enable consumer data sharing, whereas GDPR’s purpose seems to be to cut down on data sharing.

PSD2 is about financial services firms sharing customer data with third parties with whom they may not necessarily have a contractual agreement. These third parties may then come up with innovative use cases by processing consumer data.

So, to be compliant with PSD2, banks should ask for customers’ consent to share their data with third parties. But to be compliant with GDPR, data processing by those third parties will also need explicit customer consent. How is a bank supposed to be responsible for the processing of consumer data performed by a third party it has no contractual agreement with?

While this hasn’t been explicitly mentioned as a process required to be GDPR compliant, my guess is that it would be up to the banks to ensure that the third parties they share consumer data with have consumers’ consent to process their data.

Unlike PSD2, which has no punitive charges, a violation of GDPR may result in a fine of up to €20 million or 4% of global turnover. And knowing the way banks deal with regulatory compliance, nothing motivates them more than a fine hanging over their heads.

This means that where there are conflicting regulations and a lack of clarity on a standard approach to data sharing, banks will focus completely on implementing the punitive GDPR. In some ways, GDPR may also become an excuse for banks not to implement PSD2 and to avoid sharing what they feel is their asset: consumer data. Watch this space!


Arunkumar Krishnakumar is a Fintech thought leader and an investor. 
