PSD2 v. GDPR: Navigating the differences

Two very important, but, in some respects, seemingly contradictory pieces of regulation are at the center of attention in the European financial world—the Revised Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR). Financial Institutions within the European Union already have a strong history in complying with new regulation. They know how to take new regulatory rules and translate them into business requirements, and they have the resources to do so. However, this time is different. Many are challenged in preparing for the upcoming changes resulting from PSD2 and GDPR.

So, how are these regulations different, and how do they impact the industry? Are they set on a collision course?

The first challenge the industry is facing with respect to each is timing. While past regulations have been plentiful, compliance could be achieved at a steady pace. However, 2018 is the year in which many key regulations, in addition to PSD2 and GDPR, come into force at the same time, including the Markets in Financial Instruments Directive (MiFID) and presumably the ePrivacy Regulation. Regulators are finally catching up with the pace of innovation and market change, introducing new legal frameworks to regulate FinTechs, RegTechs and other new market players. Experienced or not, this is a lot of regulatory change to manage.

What is PSD2?

While the first Payment Services Directive (PSD) was aimed mainly at harmonizing the European market by introducing the Single Euro Payments Area (SEPA) scheme, PSD2 seeks to liberalize the market. It has two main purposes. First, it sets a new regulatory framework for players, which otherwise would face a legal void. For instance, under PSD2, PayPal will be legally designated as a Payment Initiation Services Provider, or PISP, and will require a license to operate as such.

Another example is regulating players that practice so-called “screen scraping.” Screen scraping enables the collection of customer account information simply when a customer provides credentials, without providing any privacy protection. In a way, there already were Account Information Services Providers, or AISPs, even before the PSD2 coined the concept and term. However, PSD2 defines the legal boundaries.

Second, PSD2 will break barriers to market entry by opening up financial data and payment transactions via a secured channel—the open API. Because banks are not allowed to refuse access to the open API unless they suspect fraud, it will be easier for new players to access the market, thus increasing the chances of innovators and disruptors to succeed.

What is GDPR?

GDPR is a set of rules that apply to any European resident (i.e., “Data Subject”). Its scope of application is unique. As long as you are a European resident, the GDPR applies—independently from where you, the Data Subject, or the entity processing your personal data is located.

The main aim of GDPR is to reaffirm ownership of data. Data should belong to the resident and not to the entity storing and/or processing it. The entity needs to ensure data has been collected on a lawful basis (e.g., based on direct consent, contract performance, legal obligation or a legitimate interest). In addition, the Data Subject needs to be duly informed of the purpose of the data and when the data will be shared with third parties, as well as how to correct their data or have it erased. GDPR provides EU residents with new privacy rights to gain greater control and transparency over their personal data.

What is the impact of each?

It’s important to note that that one is a directive (PSD2) while the other is a regulation (GDPR). The difference has a profound impact. A directive needs to be transposed into national legislation; thus potentially leading to differences of interpretation among countries. A regulation, on the contrary, is consistent applied throughout the European Union member states. Additionally, the PSD2 applies only to the financial sector while the GDPR applies across all industries.

Probably the biggest impact of PSD2 involves the implementation of the interface between the account holder and the third-party provider (TPP). While the directive is meant to be standard, every single bank has the option to implement its own standards, which could lead to fragmentation and a multitude of issues. While there are initiatives to drive consistent standards in some markets (e.g., the Open Banking Implementation Entity in the UK, the Berlin Group in Germany, or the STETS in France), this is not the case everywhere.

The challenge with GDPR is even more profound. Historically, banks stored and archived every single piece of data they collect. Their data architectures are not configured to allow for data to be easily deleted. Some even raise the question of whether it is even possible or advisable in today’s highly threated information economy to delete data. Is throwing away the encryption key, hence making the data unreadable, compliant with GDPR? And, what about the complexity brought about by years of outsourcing? The banks may control the fate of the data, but they don’t always process it themselves. However, banks are liable for providing transparency to Data Subjects.

What are the implications?

In the long run, the objective of both PSD2 and GDPR is to foster competition in retail banking. With PSD2, any merchant will have the opportunity to develop its own payment solution at a relatively low cost by becoming a PISP. The service offerings will be constrained by imagination alone.

However, opening up this data will require very strong protection, and it also has to reach a critical mass in adoption. This is where PSD2 and GDPR fit together perfectly. On the one hand, we open up the data. And, on the other hand, we don’t leave that same data just hanging out there, but give it back to its rightful owner, the Data Subject.

To navigate these two important regulations and market dynamics, banks will need to move from a “trusted guardian of money” to a “trusted guardian of data.” CGI is working to help banks comply with both PSD2 and GDPR. To learn more about our work or how we can help your organization, feel free to contact me.