In the aftermath of high-profile incidents such as the Equifax breach and the Facebook data-misuse scandal, banks and financial technology companies are rethinking their approach to data security. As consumers grow more concerned about how enterprises handle their personal information, banks operating in the EU find themselves having to comply with two European rules on customer data, or risk paying a hefty fine.
While most organizations are aware of the General Data Protection Regulation (GDPR), financial institutions also have to concern themselves with the revised Payment Services Directive (PSD2). Designed to improve competition and innovation within the EU market for payment services, PSD2 requires third-party providers to obtain the customer's explicit consent before accessing their payment account data. Although PSD2 shares several commonalities with GDPR, the two differ just enough that financial institutions should double-check that they remain compliant with both.
PSD2 vs. GDPR — Are they really that different?
First proposed by the European Commission in 2013 and adopted in 2015, the revised Payment Services Directive (PSD2) updates the original 2007 directive to strengthen consumer protections and to promote innovation within the payment services industry. As a directive aimed specifically at the financial industry, it must be transposed into each member state's national law, and it regulates new forms of payment by requiring banks to open their account APIs to third parties. EU member states had until 13 January 2018 to transpose PSD2, whose key updates include:
- Requiring banks to grant access to third-party payment service providers
- Leveling the playing field for all payment service providers by encouraging competition
- Strengthening consumer protections by increasing transparency, efficiency and security of retail payments
The GDPR, on the other hand, is a regulation: it applies in its entirety and directly in every EU member state, without national transposition. In force since May 25, 2018, it governs the processing of EU residents' personal data, and banks must comply or face fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher. Among other things, the GDPR requires a lawful basis such as consent before a bank may use a customer's data, grants the right to erasure (the 'right to be forgotten'), and requires that a breach of personal data be reported to the supervisory authority within 72 hours of the bank becoming aware of it, and to the affected individuals without undue delay when the breach is likely to put them at high risk.
Another area where PSD2 and GDPR differ is how each treats 'personal data.' PSD2 does not define the term itself; its Article 94 simply makes any processing of personal data under the directive subject to EU data protection law, which leaves the applicable definition to that law and to each member state's implementing rules. The GDPR, by contrast, defines personal data and the special categories of sensitive data explicitly, and it makes no reference to the payment directive at all. For the payments industry specifically, complying with both GDPR and PSD2 at once will slow the rate of innovation, as banks and financial organizations divert effort to strengthening user security and consent handling.
How financial institutions can navigate the complex regulatory landscape
As data-privacy regulation tightens, banks and other financial enterprises must approach PSD2 preparation with the GDPR's requirements top of mind.
One way banks can remain compliant is to implement privacy by design, which the GDPR's Article 25 calls data protection by design and by default: build privacy into the design and management of every system and process rather than bolting it on afterwards. Concretely, banks can set up rules and policies for handling data breaches, develop a culture built around security, and improve the onboarding process for third-party providers (TPPs). Rethinking onboarding is especially important as open banking and real-time payment processing become more widespread, since every onboarded TPP becomes another path to customer account data.
Other best practices, such as appointing a data protection officer (DPO) and reviewing consent-management processes, will help those in the payments space uphold a high standard of data protection. In the interest of transparency, banks should also prepare clear, easy-to-understand privacy notices before customers start exercising their right of access to their data. With customer consent the focal point of both GDPR and PSD2, banks and TPPs will want to develop robust authentication programs to prevent identity fraud; PSD2 in fact mandates strong customer authentication (SCA) for most electronic payments and online account access.
When in doubt, financial institutions should default to the principle of least privilege (PoLP): grant each system, employee and third-party provider access only to the data it actually needs, for only as long as it needs it, and where the two regimes diverge, apply the stricter requirement. If GDPR clearly defines 'personal data' but PSD2 does not, for example, then banks should apply the GDPR definition. Until the EU provides further guidance on reconciling the differences between GDPR and PSD2, financial institutions must be ready to meet the requirements of both.
For banks and financial organizations, the time to respond to GDPR and PSD2 is now. As data-privacy laws tighten and consumers grow increasingly aware of who handles their personal information, banks will find it worthwhile to revisit how they manage data and to prioritize building a culture of security.