GDPR vs PSD2 – Banks may abandon PSD2 due to conflicting policies

KEEP-CALM-AND-PREPARE-FOR-GDPR

Image Source

About a year ago, Bernard had written a post on PSD2, and discussed different levels of maturity in regulations. He highlighted that PSD2 was a regulation meant to open up the market for innovative consumer banking use cases and solutions. However, the same regulator (EBA) have set a timeline for General Data Protection Regulation (GDPR) in 2018 alongside PSD2.

We have discussed PSD2 and its implications for banks, fintech firms and consumers at length in the past. So, let me focus on GDPR and what it means to firms and consumers. The purpose of GDPR is to ensure consumers give informed consent before companies can share their personal data with third parties. Pre-ticked check boxes and inactivity from consumers can no longer be assumed as their consent to data sharing post GDPR.

Unlike PSD2, GDPR applies to businesses in the EU processing consumer data, not just Financial services firms. Also, for non-EU businesses GDPR applies, if an EU resident’s personal data is processed in connection with goods/services offered.

The Data Protection Act (DPA) provided consumers with right of subject access – which meant consumers can request a company for data that the firm had collected about them. Currently many businesses charge a fee to provide this data to consumers, but post GDPR, firms can’t charge this fee.

As consumers, we can instruct firms when to collect our data and stay on top of it using the right of subject access. Now what does this have to do with PSD2? PSD2’s purpose is to enable consumer data sharing, where as GDPR’s purpose seems to be to try and cut down on data sharing.

GDPR

PSD2 is about financial services firms sharing customer data with third parties who they may not necessarily have a contractual agreement with. These third parties may then come up with innovative use cases by processing consumer data.

So, to be compliant with PSD2, banks should ask for customer’s consent to share their data with third parties. But to be compliant with GDPR, data processing by third parties will also need explicit customer consent. How is a bank supposed to be responsible for the processing of consumer data performed by a third party, it has no contractual agreement with?

While this hasn’t been explicitly mentioned as a process required to be GDPR compliant, my guess is, it would be upon the Banks to ensure third parties (that they share consumer data with) have consumers’ consent to process their data.

Unlike PSD2, that doesn’t have any punitive charges, violation of GDPR might result in a fine of upto €20 Million or 4% of Global turnover. And knowing the way banks deal with regulatory compliance, nothing motivates them more than a fine hanging over their heads.

This means, where there are conflicting regulations, and lack of clarity on a standard approach to data sharing, banks will focus completely on implementing the punitive GDPR. In someways, GDPR may also become an excuse for banks for not implementing PSD2 and avoid sharing what they feel is their asset – consumer data. Watch this space!!


Arunkumar Krishnakumar is a Fintech thought leader and an investor. 

Get fresh daily insights from an amazing team of Fintech thought leaders around the world. Ride the Fintech wave by reading us daily in your email.


 

4 thoughts on “GDPR vs PSD2 – Banks may abandon PSD2 due to conflicting policies

  1. I think you may miss the critical thing. For quite a while each Financial Institution customer is requested to provide his/her consent for personal data sharing during account opening procedure. It was introduced years ago when Banks faced an issue with cross-border personal data transfers and passing the personal data to the third parties for credit and background checks. I’m sure there is nothing PSD2 will require in addition, as probably all of us as bank customers already holding our signed consent allowing the bank to transfer our data to their third party partners. Anyway, FinCom start ups will have some kind of data access agreements between them and the banks. This may be well enough to close the loop. I believe GDPR do not abandon PSD2

    Like

    • Good challenge, that might well be a solution for Fintechs to have a contractual agreement with Banks. But we all know how long it takes to get through the bureaucracy in banks. So banks may very well take a stance that they wouldn’t open up their APIs to Fintechs they haven’t got a contractual relationship with to be GDPR compliant!! And that to me is killing the spirit of PSD2!! They may demonstrate compliance to both PSD2 and GDPR!!

      Like

  2. No obvious conflict between both regulations if (1) banks notice consumers/data subjects their data may be shared with named third parties and (2) if those ones does allow customers to claim for all the rights GDPR grants them…Full compliance to both EU regulations does not mean no information sharing with start ups.

    Like

    • Agree.. banks may be able to demonstrate compliance to both regulations.. but if I were a bank I would try and use GDPR to raise the bar when sharing customer information with Startups. If a startup trying to build a PSD2 inspired aggregator has to go through the red tape across 6-7 banks (or more), it is a huge barrier to enter that space !!

      Also from a banks perspective it would be better to go through a check box exercise for GDPR and spend a couple of hundred million of operating budget to be compliant with that.. but if PSD2 is implemented in its true spirit, that will eat into the revenues for the bank!!

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s