14 minute read 19 Jun 2020
Photographic portrait of share market graph in mobile and big screen

How data can become a source of power

By Carlo Di Giangiacomo

Senior Manager, Financial Services Consulting, EY Advisory S.p.A

Digital enthusiast and innovator. Interested in digital transformation cyber risk. Believes that the human behavior is a key factor to trust and secure the digital world.

14 minute read 19 Jun 2020

Data is power, and both customers and payments providers want to increase their control over that data.

Payment providers are now utilizing customer data not just to change how they provide payment services, but also to delve into the content of that data which is increasingly regulated. Payment providers receive data directly through their customers as well as from third-party providers.

By examining large amounts of data, it’s possible to uncover valuable patterns and correlations. And the data that payments providers analyze allows them to use the data as a main driver for success by providing more detailed and additional services to their customers. Given how important a role that data has, payments companies need to understand their obligations on how to use that data.

Payment providers must navigate complex regulations that differs from jurisdiction to jurisdiction. Sometimes within the same jurisdiction, regulation can overlap incongruently. For example, both Payment Services Directive 2 (PSD2) and the General Data Protection Regulation (GDPR) regulate data usage in the financial services sector, but how data is regulated could potentially conflict.

It is not enough for payment providers to look at data usage from a regulatory point of view. Payment providers must also consider their customers who are becoming increasingly sensitive to how their data is used. When data is used by payment providers, customers expect value in exchange.

The correct management of data exchange between customer and payment provider must be established in order to gain the trust of customers. This is crucial as trust is an enabling element for customer business choice.

(Chapter breaker)

Chapter 1

The use of the data in financial services

Data allows financial services companies to gain an advantage over their clients by offering tailored services and anticipating needs.

Data use impacting other sectors

The way we use data has already made an enormous impact in other sectors.

In the past, people used to believe fervently that:

  • Phones had to be black and connected with wires
  • Movies can only be seen on big screens in a theater
  • News can only be delivered via black newsprint on white paper

But if we think of phones, movies and news today, they are very different due to how they interact with their customers through data. Today, movies can be watched from a palm-sized screen or at your home with providers giving clients personalized suggestions based on their history and data provided. Data is changing our world and the world of business.

Today, data allows organizations more effectively to determine the cause of problems and to visualize relationships between what is happening in different locations, departments and systems.

How is the use of data impacting financial services?

Financial services will continue to evolve radically with advances in data use. The forces that are driving the evolution are:

  1. Fragmented ecosystem
  2. Radically changing consumer
  3. Pace of technology change
  4. Decline of trust

With the aid of data, financial services can look at someone’s life span and help them financially plan for the moments that will be most important to them. Data use allows financial services to provide a significant additional benefit to clients — a benefit that helps a person save for what is important and insure to avoid loss.

For example, account aggregators pull a customer’s financial information together in order to help the person save month to month or long-term. And if the account aggregator has all of the information on the person, that company can also offer improved services.

As customers move towards an economy that will provide these types of additional services, the types of customer information sought continues to increase.

Which data is used?

The study below shows that artificial intelligence (AI) in the financial services (FS) market utilizes a wide variety of data, including publicly available information such as the weather, insights from payment providers and even customers’ social media.  

Data used by AI in the FS market

Do people know which data they are giving up?

Although most people are broadly aware that companies collect data on them, they’re surprisingly uninformed about the specific types of data they give up when they go online.

Percentage of people who realize they’re sharing their data:

Percentage of people who realize what they are sharing

Harvard Business Review ran a survey that showed that 97% of people were concerned about their data being misused (identity theft, govt. misusing information, privacy issues) but that people generally didn’t understand how companies were using their data and which data is collected.

Impact of FinTechs on data use

The impact and regulation of data use in financial services have not yet been fully developed. FinTechs have disrupted — but not yet revolutionized — the industry. Sometimes high-data tasks have been taken over, whereas, in other cases, niche services have dominated certain parts of the market in competition with bigger financial institutions. Big tech will have a potential impact, but could also get additional regulatory control based on past consumer protection concerns.

(Chapter breaker)

Chapter 2

The use and misuse of customer data - can GDPR and PSD2 protect customers?

Despite regulations, such as GDPR and PSD2, there are unregulated scenarios on data use that could lead to a loss of consumer confidence.

Regulation of data

We are starting to ask not: “What data is available?” but: “What data should be available for use?” We are likely to start seeing increased litigation on what data is ethical. We can already see the beginnings of this in American litigation with social media and tech firms, as well as Australia’s law on data exchange that stipulates ethical requirements on data use.

Given the broad concerns around data use, we have started to see two types of regulation in the market:

  • Regulation that allows customers to control their own data.
    Customer question: Do you want companies to be able to hold all this information on you and share it with third parties?
  • Regulation that opens that data to allow additional parties to offer improved support.
    Customer question: Do you want services that are faster, cheaper and better adapted to you?

Globally we are seeing an ever-increasing trend of regulating data use — from the California Consumer Privacy Act to Australia’s Privacy Principles, not to mention the ever-increasing jurisdictions that have implemented open banking laws (see graphic below).

Country wise open banking laws

In this new environment, data is the asset that customers manage and laws on data use have become stricter. European regulation has harmonized across countries to behave as a single market (equivalent in size to the US market) with the introduction of the GDPR and PSD2. Looking at these two regulations within the same market allows us to compare how a single market may have different objectives on data use.

GDPR aims to protect data on financial services

GDPR sets out a common legal framework for governments, public authorities, businesses and consumers when interacting with each other within the European Economic Area (EEA) and also applies to all entities processing personal data of EEA residents.

GDPR represents the most significant change in the payments’ environment in terms of risk to merchants (data controllers) and entities supporting data processing (data processors and sub-processors). The most important concepts that GDPR introduced are:

  • Storage limitation and data minimization
  • Transparency
  • Breach notification schemes
  • Privacy by design (ensuring data security)
  • Accountability for personal data
  • Accuracy of stored data
  • Data portability
  • Methods of data collection
  • New individual rights

PSD2 aims to open payments to third parties

PSD2 sets out a common legal framework for businesses and consumers when making and receiving payments within the EEA.

Customers have a right to use payment initiation service providers (PISPs) for initiating payments and account information service providers (AISPs) to allow access to information on a bank account where the payment account is accessible online and where they have given their explicit consent (as stated by article 64 of the directive).

This means that, under PSD2, traditional payment service providers like banks will need to share certain data with those third-party providers to access payment accounts (e.g., current accounts) and statement details. PSD2 enables a radical change in the financial industry by forcing banks to open up their data to third parties.

The most important concepts that PSD2 introduced are:

  • Enhanced security of online transactions via strong customer authentication (SCA) and fraud reporting
  • The creation of a level playing field for market players and an open market for third-party providers (TPPs) to encourage competition and innovation
  • Enablement of new business models through account information and payment initiation services (through development of APIs)

GDPR and PSD2: common and discordant elements

GDPR and PSD2 are both laws focused on the processing of consumer data, but with different objectives.

The trend in PSD2 is to make customer data more accessible to third parties. GDPR aims to ensure that the data subject is always adequately informed about how personal data is processed and gains more control over how that data is used.

To compare them, it is necessary to identify a key element of both legislations; in this case, it is the requirement for consent as a legal basis to process data.

Both for GDPR and PSD2 customers, consent to process data must be freely given and for specific purposes. It must be clear, specific and informed and must be “explicit” in the case of sensitive personal data or transborder dataflow.

GDPR also specifies that when giving consent, customers must be informed of the right to withdraw that consent, whereas PSD2 doesn’t clarify this aspect.

For PSD2, the consent is valid for the contract that has been signed by the payment service user, but it is required again every time the payment service company initiates a new payment. For GDPR, consent is no longer valid when the data is no longer used for the purposes it was gathered for.

In addition, PSD2 also provides that data processing and sharing can be explicitly requested by the customer.

The contradictions in the consumer consent management, present in both regulations, can lead to misuse of customer data.

An example of the possible misuse of data

Even though GDPR and PSD2 aim to protect data and payment transactions, in financial services there are still unregulated market scenarios that can lead to misuse of data — and loss of consumer trust as a possible consequence.

With PSD2 in force, thousands of banks in the EU are sharing data with TPPs. This would allow possible third-party data sharing from people who have not consciously given consent, to parties who may have never requested all of the types of data received. When a person initiates a payment through a service provider in order to transfer money to another person, the service provider must necessarily process the data of that other person in order to perform its service.

The question is raised whether the TPP has the legal grounds for processing such personal data. The GDPR Regulator has expressed its point of view on the issue of personal data of other natural persons that could be legally processed on the basis of the legitimate interest. Due care should be taken not to override the interests or fundamental indiv and freedoms of data subjects. The processing also has to be:

  1. Necessary
  2. Proportional
  3. In line with other principles of the GDPR.
(Chapter breaker)

Chapter 3

The importance of building a relationship of trust with customers

Customers see data transparency as an essential. For companies this becomes a factor influencing success in the market.

The majority of customers consider data protection as something the companies must do and they are willing to ask for compensation and lose loyalty to the brand after a data breach.
John Greenwood
Director of Thought Leadership at Compliance3

GDPR, with the aim of protecting the personal data, has produced favorable adoption rates from organizations and consumers. In particular, following the indications of GDPR has led companies to receive positive feedback on the trust relationship with customers and improvements in secure data management.

Consumers also use trust in organizations as an additional decision-making factor.

Businesses are now playing catch-up to establish trust in their data practices and to demonstrate that they are respecting consumer privacy.

Sounds simple? We haven’t reached the most important part: protecting this data. If customers are willing to share their personal information, they expect the brands they engage with to protect it, respect it — and use it to improve their experience. Consumers see transparency with data as an essential, non-negotiable part of their brand relationships.

This is one of the reasons why so much attention on cybersecurity and data protection has increased in the financial sector.

GDPR Changing customer trust and data security across Europe

Source: Ian Banker, “GDPR is changing consumer trust and data security across Europe”, October 2019. Edelman Trust Barometer Special Report, “In Brand we Trust?”, December 2019.

Despite the positive aspects introduced by the GDPR in data protection, it’s still necessary to take a step forward in the world of financial services to avoid possible misuse of data.

What risks do payments companies need to navigate?

Guidelines are complicated and inconsistent between each other and working practices need to try and anticipate regulation.

A good foundation will include:

  • A data governance program that clearly defines appropriate sources, uses, access, maintenance and protection across lines of defense
  • Trust by design practices that enable a controls chain to align data with correct business use
  • A strengthened cybersecurity strategy to increase digital protection on payments and use of data
  • Clear allocation of responsibilities to ensure strong accountability and to demonstrate to both internal and external stakeholders that the program is working as intended
  • A review of all vendor agreements and contracts to determine whether practices with respect to third parties conform to data governance policies
  • Processes for responding to deletion or opt-out requests, verifying and determining access rights internally and addressing access requests

How do I successfully navigate data use?

Once a company has achieved a good foundation it can then seek to be best in class. A best-in-class payments company needs to build customer trust in order to anticipate future needs.

With built-up trust, customers will feel secure with the organization and become more likely to increase their engagement throughout the entire buying process. Companies can gain trust by providing transparency around the information collected, allowing the customers to manage use of their own data, and giving customers something of value for the data provided.

Companies that are transparent about the information they gather, give customers control of their personal data, and offer fair value in return for it will be trusted and will earn ongoing and even expanded access.
Timothy Morey
Vice president of innovation strategy at Frog

Customer data has become a source of power and driver to success for payment providers. However, with great power comes great responsibility. It is not enough for payment providers to just navigate the various regulatory requirements on customer data use, they must use the data in a way that gains customer trust in order to be successful in the market.

The views of third parties set out in this publication are not necessarily the views of the global EY organization or its member firms. Moreover, they should be seen in the context of the time they were made.


The article analyzes the new role that data has acquired as a strategic asset that allows companies in the financial sector to anticipate the behavior of their customers and anticipate their needs. In this new context, new regulations like PSD2 and GDPR are emerging with the aim of protecting data and regulating online transactions.

Despite this, there are also unregulated scenarios that can lead to data misuse, resulting in loss of customer trust for the payments providers. And it is precisely this customer trust that payment service providers today are trying to focus on with the aim of building customer confidence and loyalty.

About this article

By Carlo Di Giangiacomo

Senior Manager, Financial Services Consulting, EY Advisory S.p.A

Digital enthusiast and innovator. Interested in digital transformation cyber risk. Believes that the human behavior is a key factor to trust and secure the digital world.