PSD2 (Payment Services Directive 2) is an incoming EU directive which promises a major shake-up for retail banking, primarily due to its stipulation that banks share their customers’ data with third-party providers (TPPs), such as challengers or non-bank rivals like PFMs.
Arriving in parallel is the EU’s new data protection legislation, the GDPR (General Data Protection Regulation) – which promises a common framework for the collection, management and processing of customer data by companies. The fines for non-compliance with GDPR are particularly significant, set at €20m or 4% of an organisation’s global turnover, whichever is greater. For a bank, this would be a notable sum.
At first blush it seems these two directives are at loggerheads, one promising to aggressively increase the sharing of customer data, the other promising to place much tighter restrictions on its usage. But are they? At their core, both pieces of legislation focus on giving customers greater control over their information – PSD2 in terms of who they would like it to be shared with, and GDPR in terms of what will be done with the data once companies have it.
Some analyses of the ‘clash’ between the two have suggested that the combination presents a risk for banks – that they will be forced to share customer data with TPPs, and then be liable if those TPPs suffer a data breach (or, worse, if the TPPs are fraudulent and set up primarily to harvest customer data). If they don’t share the customer data, then they will be in breach of PSD2, which comes with its own penalties.
But these suggestions aren’t seeing the big picture. Open banking is a movement which is very unlikely to be going away any time soon. In fact, it’s crucial to implementing the recommendations made by the Competition & Markets Authority in their investigation into retail banking earlier this year, and it promises to significantly speed up innovation in banking generally. While there may be some elements of conflict between GDPR and PSD2, they won’t cancel one another out – and working out how to achieve effective simultaneous compliance should be of the highest priority for banks as they approach 2018 (and it’s not all they should be doing to prepare).