PSD2 vs GDPR: Can finance firms reconcile the incompatible?

In 2016, Boris Johnson and the ‘Leave campaign’ led with the slogan ‘take back control’, suggesting that leaving the EU would reward Britain with greater sovereignty and ‘control’ of its laws and economy. This year sees this powerful slogan championed once again, but this time it’s not the politicians talking, but regulators. Enter two new, significant regulations: PSD2 and GDPR.

Both regulations aim to let customers ‘take back control’ of their personal data and to ensure it is kept safe. However, it has been argued that they are in fact incompatible, and even contradictory in places. If that is true, how are firms meant to cope and remain compliant with both despite the conflict, especially given the threat of significant noncompliance penalties?

Dichotomy

The inconsistencies between the PSD2 and GDPR regulations mean companies could find implementation tricky.

One sticking point concerns the definition of sensitive data. PSD2 restricts what Third Party Providers (TPPs) may request and store: an account information service provider may not request ‘sensitive payment data’ linked to the customer’s payment accounts, and a payment initiation service provider may not store it. PSD2 does define the term (Article 4(32)), but only loosely, as data, including personalised security credentials, that can be used to carry out fraud; it does not list what falls inside the category beyond saying that, for these TPP services, the account holder’s name and account number do not.

GDPR, by contrast, uses ‘special categories of personal data’ (Article 9), commonly called ‘sensitive personal data’, and enumerates them: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and sex life or sexual orientation. The two definitions barely overlap: one concerns credentials usable for fraud, the other protected personal characteristics, and ordinary transaction data falls squarely into neither. A firm that treats ‘sensitive’ as a single category therefore risks either over-protecting data it is obliged to share under PSD2 or under-protecting data that GDPR singles out, and either way risks noncompliance.

Another inconsistency lies in the effort by companies to keep sensitive data secure. ‘Screen-scraping’ of the customer’s online banking interface by authorised TPPs is tolerated under PSD2, at least until the regulatory technical standards on strong customer authentication apply, after which TPPs must identify themselves to the bank and use either a dedicated interface or, as a fallback, the customer interface. While scraping continues, a financial institution cannot easily guarantee that what is scraped matches the scope of the customer’s consent, or that it excludes ‘sensitive payment data’.

Despite having little or no control over what is actually taken, the institution may then find itself in breach of GDPR for the onward disclosure. If it is unsure about the legitimacy of a TPP request, it can restrict access. But it then faces a choice between breaching PSD2 by denying access, and granting it and running the risk of a data breach and a GDPR sanction. The one safety valve is narrow: PSD2 (Article 68(5)) lets a bank deny a TPP access only for objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access, and the denial must be reported to the competent authority, so a blanket ‘when in doubt, refuse’ policy is not an option.

The timeframes for compliance and sanctions also differ. PSD2 is staggered: it was implemented in the UK through the Payment Services Regulations 2017, which came into force on 13th January 2018, but the regulatory technical standards on strong customer authentication and secure communication, which govern how TPPs access accounts, apply only from 14th September 2019. Additionally, PSD2 itself sets no concrete sanctions; as a directive, it leaves penalties to each EU Member State’s transposing law (in the UK, enforcement falls to the FCA under the Payment Services Regulations).

With GDPR, it’s a different story. GDPR applies directly and is already in force, with administrative fines of up to €20 million or 4% of total worldwide annual turnover (whichever is greater). This disparity creates uncertainty and therefore the risk of fragmented compliance activity, with different teams working to different deadlines, which could lead to customer confusion.

False dichotomy?

Despite these differences, there is a crucial overlap: both regulations govern how companies handle customer data, and both demand the customer’s explicit consent and the proper use and storage of that data. Significantly, both hand customers back control of their data and help them manage their digital lives safely and securely. These are the aims of both regulations, and companies overlook them at their peril.

The main question is how can firms find the balance between providing customer account data, whilst protecting and handling it correctly? Companies implementing PSD2 must address the more expansive GDPR data protection rules in parallel, without treating the regulations as separate entities.

How could this be done?

A new data handling paradigm is needed. Technological changes and the more effective uses of customer data have already led financial services to become more agile and customer-focussed. What they need now is to link this customer-centric methodology with a robust security, data protection and destruction mind-set.

This approach involves good data governance and a new open system of transacting online. Consequently, companies should transform their data infrastructure and governance to make sure customers can access this more agile financial system with total control of their data.

Business and control functions should understand, in detail, how customer data flows through their processes and systems: not just what data is held, but where it enters, which controls apply to it at each step, where it is shared with TPPs, and how the IT infrastructure itself ensures that the risks are identified, measured and managed. A maintained data-flow map of this kind also does most of the work of the GDPR’s records of processing (Article 30) and feeds any data protection impact assessment (Article 35) that opening account access to TPPs may require.

Correct PSD2 and GDPR data handling procedures should be embedded within any new infrastructure. IT and compliance departments should be closely allied and in constant dialogue, so that when new systems are implemented the PSD2 and GDPR customer data rules are the top priority. It’s essential that companies focus on on-boarding and off-boarding customers securely: collecting only the data needed for the purpose (the GDPR’s data minimisation principle), and withdrawing TPP access and deleting or returning the data when the customer’s consent, or the relationship, ends.

Conclusion

PSD2 and GDPR can be seen as a dichotomy because of their inconsistencies on sensitive data and timeframes, which make implementation difficult. One way to navigate this is for companies to comply, at a minimum, with GDPR’s wider definitions, since a firm that satisfies the stricter reading is unlikely to fall foul of the looser one.

Vitally, both place a strong emphasis on how customer data should be handled and processed. The dichotomy is therefore a false one. A single failing can put a company in breach of both regulations, and both give customers back control over the use and storage of their data, so it makes sense to deal with them in tandem, ensuring accuracy and efficiency in the process.

There is an opportunity to get ahead of the game. Uncertainty remains around some PSD2 technical standards yet to be finalised. Meanwhile, the industry is still waiting to see how the different authorities across Europe will interpret the provisions of GDPR. Yet these regulations are here to stay and so a passive approach could leave companies at a competitive disadvantage against proactive peers, once the regulations are enforced.

At Aon, we are sensitive to both regulations’ requirements and have developed solutions which take them into account. Understanding and complying with them can be a minefield, especially as they continue to develop.

Helping clients navigate this regulatory maze and prepare for unforeseen events will be our focus over the turbulent months to come.

Further reading

Fillmann, A. (October 2017), Squire Patton Boggs, “Compliance to PSD2 and GDPR – A New Challenge”. Retrieved at: https://www.securityprivacybytes.com/2017/10/compliance-to-psd2-and-gdpr-a-new-challenge/

FinTech Futures (December 2017), BankingTech, “GDPR vs PSD2: a challenging contradiction or two sides of the same coin?”. Retrieved at: http://www.bankingtech.com/2017/12/gdpr-vs-psd2-a-challenging-contradiction-or-two-sides-of-the-same-coin/

PwC (Spring 2017), “Customer centric banking. Aligning the GDPR and PSDII”. Retrieved at: https://www.pwc.co.uk/banking-capital-markets/assets/documents/customer-centric-banking-aligning-gdpr-psd-ii.pdf

Strachan, D., et al. (August 2017), Deloitte, “PSD2 and GDPR – friends or foes?”. Retrieved at: http://blogs.deloitte.co.uk/financialservices/2017/08/psd2-and-gdpr-friends-or-foes.html

Swanson, N. (October 2017), FINTECH Circle, “PSD2 and GDPR: Opposition and Unity”. Retrieved at: http://fintechcircle.com/insights/psd2-gdpr/

Trulioo, (August, 2017), Trulioo, “PSD2 vs GDPR: How to Navigate Through Conflicting Regulations”. Retrieved at: