Major areas of contention
Data portability and APIs
GDPR gives consumers the right to data portability, allowing them to transfer the data they have provided to their bank to AISPs and PISPs in a structured, commonly used and machine-readable format.
While PSD2 has no bias toward a certain technology, its regulatory technical standards recommend the use of application programming interfaces (APIs) to share data with AISPs and PISPs. APIs can standardize communication between incumbent banks and AISPs or PISPs, but their success across Europe will depend on whether there is agreement on these standards.
Alternatively, screen scraping allows AISPs and PISPs to access PSUs’ bank accounts using the PSUs’ own credentials, which leaves banks unable to tell whether it is the PSU or a third party accessing the account. However, as this method has fewer access restrictions than APIs, it raises concerns over security, making APIs the preferred future approach for banks.
Silent party data
When financial institutions share consumers’ transaction data, that data may also contain information from PSUs that have not explicitly given their consent to the third party. This is referred to as “silent party data.”
Let’s consider how this might work.