Anton Christov, Senior Manager (left) & Patrice Fritsch, Principal, Associate Partner EY Luxembourg


Europe’s second Payment Services Directive (PSD2) is reshaping the banking sector. Another important piece of legislation became applicable in 2018: the General Data Protection Regulation (GDPR), a comprehensive regulation designed to protect personal data while supporting the digital economy. As financial institutions work to comply with both, how can they balance innovation and protection?

PSD2 and GDPR both became applicable in 2018, and both are comprehensive sets of rules concerning consumer data. Despite these similarities, the two regulations were developed from very different perspectives:

-       PSD2 aims to create access to personal data. Through its access-to-accounts rule, PSD2 opens up the financial data of consumers – or payment service users (PSUs) – to third parties, allowing them to enter the payments market and offer new account information and payment initiation services. Providers of these services are called account information service providers (AISPs) and payment initiation service providers (PISPs) respectively.

-       GDPR aims to protect personal data, making it easier for consumers to know where their data is being used and to object to that use.

Any access to personal data by the new PSD2 services must comply with GDPR. Non-compliance with GDPR carries heavy fines and reputational damage. Both regulations support the digital economy, so there is no longer any excuse for not embracing an innovative approach to PSD2 that enhances the customer experience and creates fair competition.

Despite their different aims, both PSD2 and GDPR deal with the issue of consent. From a GDPR perspective, data cannot be processed without a legitimate basis. Consent of the data subject is one such basis, and GDPR sets out the conditions that must be satisfied for consent to be valid. This consent is necessary to process certain categories of data or to process data in a certain way. PSD2 likewise requires consent before services can be provided to payment service users; in this case, “explicit consent” is needed.

GDPR gives customers the right to data portability, allowing them to transfer the data they have provided to their bank in a structured, commonly used and machine-readable format. For its part, PSD2, via its Regulatory Technical Standards (RTS), recommends the use of application programming interfaces (APIs) to share data with AISPs and PISPs. APIs allow standardised communication between banks holding payment accounts and AISPs and/or PISPs. In any case, the practice of screen scraping, in which a third party logs in with the customer’s own credentials and reads the online banking pages, raises security concerns, making APIs the preferred way forward for banks.

GDPR provisions influence PSD2 services, and stakeholders should act now to ensure that new services and products comply with both pieces of legislation. Key action points to consider:

-       Appoint a data protection officer.

-       Be cautious with automated decision-making, including profiling.

-       Treat data minimisation as a key element of every process.

-       Conduct data protection impact assessments.

-       Design services in line with the data protection by design and by default principles.

-       Clearly inform consumers about the use of their data.

-       Respect the data subject’s right of access to their personal data.

-       Observe the retention periods defined by law, and ensure consumer data can be erased on request.

How seriously are you taking these two pieces of legislation? Do you follow the needs, for both innovation and protection, of customers who think and live the digital revolution daily? PSD2 is set to offer unprecedented opportunities in the payments sector, and the GDPR rules on individual data privacy must be considered systematically alongside it. Together, PSD2 and GDPR enable stakeholders to better protect and serve consumers, to move beyond mere compliance, and to seize new opportunities for growth.

Patrice Fritsch, Principal, Associate Partner, Advisory Services, EY Luxembourg

Anton Christov, Senior Manager, Advisory Services, EY Luxembourg