Major areas of contention
Data portability and APIs
GDPR gives consumers the right to data portability: they can receive the personal data they have provided to their bank in a structured, commonly used and machine-readable format, and have it transmitted to AISPs and PISPs.
PSD2 itself is technology-neutral, but its regulatory technical standards point toward application programming interfaces (APIs) as the way to share data with AISPs and PISPs. APIs allow communication between incumbent banks and AISPs or PISPs to be standardized, but their success across Europe will depend on whether the industry agrees on those standards.
The alternative, screen scraping, lets AISPs and PISPs log in to the PSU's online banking using the PSU's own credentials, so the bank cannot tell whether it is the PSU or a third party accessing the account, and it cannot limit what that third party can see or do. Because this method offers far fewer access controls than a dedicated API (no third-party identity, no scoping of access, no clean way to expire or revoke it), it raises security concerns and makes APIs the preferred future approach for banks.
Silent party data
When financial institutions share a consumer's transaction data, those records also contain personal data of other people, such as the counterparties to the PSU's payments, who have not given the third party any consent. This is referred to as "silent party data."
Let’s consider how this might work.

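The two points above (a dedicated interface that identifies the third party, where screen scraping hides it, and silent-party data in shared transactions) can be shown together in a small model of an account-information endpoint. The following Python is an added example, not code from the article or from any bank or EY product; the token format, the consent record, the field names, the minimisation policy and the sample transactions are all constructed for illustration.

```python
"""Consent-bound TPP access and silent-party minimisation for a PSD2 account API.

Added example, not code from the article or from any bank or EY product. The token
format, field names, minimisation policy and sample transactions are constructed
for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import secrets


@dataclass
class Consent:
    consent_id: str
    psu_id: str
    tpp_id: str               # licensed AISP/PISP acting for the PSU
    scopes: frozenset         # e.g. {"accounts", "transactions"}
    expires_at: datetime
    revoked: bool = False


class ConsentStore:
    """Issues and checks access tokens that carry the TPP's identity.

    With screen scraping the request carries the PSU's own login credentials, so
    the bank cannot tell PSU and TPP apart. Here every request is tied to a consent
    record naming the TPP, so access can be scoped, logged, expired and revoked.
    """

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._consents: dict[str, Consent] = {}
        self.access_log: list[tuple[str, str, str]] = []   # (tpp_id, psu_id, scope)

    def grant(self, psu_id: str, tpp_id: str, scopes, valid_days: int = 90):
        consent_id = secrets.token_hex(8)
        expires = datetime.now(timezone.utc) + timedelta(days=valid_days)
        self._consents[consent_id] = Consent(consent_id, psu_id, tpp_id,
                                             frozenset(scopes), expires)
        return consent_id, self._token_for(consent_id)

    def _token_for(self, consent_id: str) -> str:
        # Opaque bearer token: consent id plus an HMAC so it cannot be forged or altered.
        mac = hmac.new(self._key, consent_id.encode(), hashlib.sha256).hexdigest()
        return f"{consent_id}.{mac}"

    def revoke(self, consent_id: str) -> None:
        # PSU withdraws consent: every later request with this token must fail.
        self._consents[consent_id].revoked = True

    def authorize(self, token: str, scope: str):
        """Return the Consent if the token is genuine, live and covers `scope`, else None."""
        consent_id, sep, mac = token.partition(".")
        if not sep:
            return None
        expected = hmac.new(self._key, consent_id.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        consent = self._consents.get(consent_id)
        if consent is None or consent.revoked or scope not in consent.scopes:
            return None
        if datetime.now(timezone.utc) >= consent.expires_at:
            return None
        self.access_log.append((consent.tpp_id, consent.psu_id, scope))
        return consent


# Assumed minimisation policy: the PSU needs enough to recognise their own
# transaction, but the counterparty (the silent party) has consented to nothing.
KEEP_FIELDS = {"transaction_id", "booking_date", "amount", "currency",
               "own_iban", "remittance_info", "counterparty_name"}


def minimise_transaction(tx: dict) -> dict:
    """Strip silent-party data before the record leaves the bank."""
    out = {k: v for k, v in tx.items() if k in KEEP_FIELDS}
    iban = tx.get("counterparty_iban")
    if iban:
        # Masked so the PSU can still tell payees apart without the TPP receiving
        # the silent party's full account number.
        out["counterparty_iban"] = iban[:4] + "*" * (len(iban) - 8) + iban[-4:]
    return out


def transactions_for(store: ConsentStore, token: str, raw_transactions):
    """The API handler: authorise the TPP, then return only minimised records of this PSU."""
    consent = store.authorize(token, "transactions")
    if consent is None:
        raise PermissionError("no valid consent for this TPP and scope")
    return [minimise_transaction(tx) for tx in raw_transactions
            if tx["psu_id"] == consent.psu_id]


# Constructed sample data (not real accounts or people).
SAMPLE_TRANSACTIONS = [
    {"psu_id": "psu-1", "transaction_id": "t1", "booking_date": "2018-05-25",
     "amount": "-42.10", "currency": "EUR", "own_iban": "NL00BANK0000000001",
     "remittance_info": "invoice 7781", "counterparty_name": "J. Doe",
     "counterparty_iban": "DE00BANK0000000099",
     "counterparty_address": "Example Street 1, Berlin",   # silent-party data
     "counterparty_phone": "+49 30 000000"},               # silent-party data
    {"psu_id": "psu-2", "transaction_id": "t2", "booking_date": "2018-05-26",
     "amount": "12.00", "currency": "EUR", "own_iban": "NL00BANK0000000002",
     "remittance_info": "", "counterparty_name": "A. N. Other",
     "counterparty_iban": "FR00BANK0000000077"},           # another PSU's record
]
```

The contrast with screen scraping is in `authorize`: the bank knows which TPP is calling, which PSU consented, for which scope and until when, and the same record lets the PSU withdraw consent with `revoke`. What counts as acceptable silent-party disclosure is a policy decision for each institution; the `KEEP_FIELDS` set above is only an assumed starting point.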
Key action points
Financial institutions should not let GDPR hamper the innovation promised by PSD2. Instead, they should act now to confirm that new services and products are compliant with both pieces of legislation. Key action points include:
- Take care with automated decisions. GDPR restricts profiling – the automated processing of personal data to evaluate personal aspects of an individual. Banks increasingly use automation to deliver value-added services, such as credit scoring and expenditure evaluation. But a decision based solely on automated processing that has legal or similarly significant effects, such as refusing someone a loan, is only permitted if it is necessary for a contract with the consumer, authorized by law or based on the consumer's explicit consent. Moreover, under GDPR, consumers are entitled to meaningful information about the logic behind such a decision, to obtain human intervention and to contest the decision, so financial institutions must be able to explain every automated decision if asked.
- Conduct data protection impact assessments. The nature of AISPs and PISPs requires them to process high volumes of personal data, making it highly likely that data protection impact assessments will be necessary. Assessments should take place prior to the processing of financial data and serve to map the risks of processing data and define mitigating measures.
- Design data protection into new services. AISPs and PISPs must adhere to the principles of data protection by design and by default. These principles require service providers to consider the impact their services will have on data protection before delivering them, to build in appropriate technical and organizational measures for GDPR compliance, and to limit the personal data processed to what each service actually needs.
- Be ready to give consumers information about the use of their data. Data subjects have the right to know whether their information is being processed and, if so, to receive a copy. When designing services, providers need to take these rights into account so they can deliver the appropriate information when requested. If a PSU request is manifestly unfounded or excessive, AISPs and PISPs may charge a reasonable fee or refuse to act on it.
- Confirm you can erase all consumer data, if requested. Consumers have the right to ask a service provider to erase the personal data it holds about them without undue delay. For AISPs and PISPs, this is particularly important in case the PSU withdraws the explicit consent on which the processing of personal data was based. When designing services, providers need to take these rights into account so they can locate and delete personal data on request, while still keeping the records they are legally required to retain (for example, under anti-money-laundering rules), since the right to erasure does not override such obligations.
Moving from obligations to opportunities
PSD2 is set to give banks unprecedented opportunities in the payment sector, primarily because of its access to accounts rule. While GDPR rules around privacy will need to be considered when developing new products or making changes, these challenges can be navigated with robust planning and sufficient expertise. When properly implemented in harmony, PSD2 and GDPR enable banks to better protect and serve consumers, to move beyond compliance and to seize new opportunities for growth.
This article originally appeared in our #payments newsletter – volume 22; additional author contributions from Tony de Bos, EY Global Data Protection & Privacy Solution Owner, and Friso Dikkers, EY Financial Services Advisory.
Summary
PSD2 aims to create access to personal data while GDPR aims to protect it. When properly implemented in harmony, the legislation can enable banks to better protect and serve consumers, move beyond compliance and seize new opportunities for growth.