5 minute read 13 Feb 2019

How banks can balance GDPR and PSD2

By Jeroen van der Kroft

Partner, Financial Services Consulting, Ernst & Young LLP

Transformation leader helping clients transform and sustain improved business performance.


Learn about key actions financial institutions can take to ensure that GDPR doesn’t hamper the innovation promised by PSD2.

This article originally appeared in our #payments newsletter - volume 22.

Europe’s second payment services directive (PSD2) is reshaping its banking sector. At the same time, the introduction of the General Data Protection Regulation (GDPR) has had a huge impact on how companies must protect data. As financial institutions work to comply with both pieces of legislation, how can they balance innovation and protection?

Conflicting approaches?

PSD2 and GDPR both were introduced in 2018 as comprehensive sets of legislation focusing on consumer data. However, despite these similarities, these regulations were developed from very different perspectives.

PSD2 aims to create access to personal data. Through its access to accounts rule, PSD2 opens the financial data of consumers – or payment services users (PSUs) – to third parties, allowing them to enter the payments market and provide new account information and payment initiation services. These services are offered by account information service providers (AISPs) and payment initiation service providers (PISPs), respectively.

GDPR aims to protect personal data, making it easier for consumers to know where their data is being used and raise objections about its use.

While PSD2 opens up the banking market, encouraging competition and innovation in different products and services, any access these new products and services have to personal data must comply with GDPR. Non-compliance carries heavy fines and reputational damage. So far, most traditional banks have prioritized the protection of consumer data over major plans to innovate. But as more new players enter the open market, they face a choice of mere compliance or harnessing PSD2’s opportunities to create competitive advantage.

[Figure: processing of PSUs’ data transfer requests]

It all comes down to consent

Despite their different aims, both PSD2 and GDPR hinge on the issue of consent.

GDPR rules that financial institutions cannot process consumer data without consent, which must be obtained under specific conditions. While PSD2 also legislates that “explicit consent” is necessary to provide services to consumers, the concept is not defined there, and there is no suggestion that it has the same meaning as in GDPR. This lack of clarity around consent presents an issue to parties offering payment services as they juggle implementation of both pieces of legislation. The table below summarizes the key differences.

[Table: PSD2 vs. GDPR – the consent element]

Major areas of contention

Data portability and APIs

GDPR gives consumers the right to data portability, allowing them to transfer the data they have provided to their bank to AISPs and PISPs in a structured, commonly used and machine-readable format.

While PSD2 has no bias toward a certain technology, its regulatory technical standards recommend the use of application programming interfaces (APIs) to share data with AISPs and PISPs. APIs can standardize communication between incumbent banks and AISPs or PISPs, but their success across Europe will depend on whether there is agreement on these standards.

Alternatively, screen scraping allows AISPs and PISPs to access PSUs’ bank accounts using the PSUs’ own login credentials, which leaves the bank unable to tell whether it is the PSU or a third party accessing the account. Because this method has fewer access restrictions than APIs, it raises security concerns, making APIs the preferred future approach for banks.

Silent party data

When financial institutions share consumers’ transaction data, that data may also contain information about other PSUs who have not explicitly given their consent to the third party. This is referred to as “silent party data.”

Let’s consider how this might work.

[Figure: PSD2 payment processing scenario]

Key action points

Financial institutions should not let GDPR hamper the innovation promised by PSD2. Instead, they should act now to confirm that new services and products are compliant with both pieces of legislation. Key action points include:

  • Take care with automated decisions. GDPR prohibits profiling – the automated processing of consumer data to identify and evaluate personal features. Banks increasingly use automation to deliver value-added services, such as credit scoring and expenditure evaluation. But more significant decisions, such as refusing someone a loan, may rely on automated processing of personal data only where there is a legitimate basis; for example, explicit consent, a contract or compliance with a legal obligation. Moreover, under GDPR, financial institutions must be able to justify every automated decision if asked by a consumer.
  • Conduct data protection impact assessments. The nature of AISPs and PISPs requires them to process high volumes of personal data, making it highly likely that data protection impact assessments will be necessary. Assessments should take place prior to the processing of financial data and serve to map the risks of processing data and define mitigating measures.
  • Design data protection into new services. AISPs and PISPs must adhere to data protection both by design and default principles. These principles require service providers to think about the impact their services will have on data protection before delivering them. Appropriate measures should be taken to achieve GDPR compliance and minimize the processing of data.
  • Be ready to give consumers information about the use of their data. Data subjects have the right to know whether their information is being processed and, if so, to receive a copy. When designing services, providers need to take these rights into account so they can deliver the appropriate information when requested. If a PSU request is unfounded or excessive, AISPs and PISPs may charge a reasonable fee.
  • Confirm you can erase all consumer data, if requested. Consumers have the right to ask a service provider to erase all the personal data that it holds for them in a timely manner. For AISPs and PISPs, this is particularly important in case the PSU withdraws the explicit consent on which the processing of personal data was based. When designing services, providers need to take these rights into account so they can delete personal data if requested.

Moving from obligations to opportunities

PSD2 is set to give banks unprecedented opportunities in the payment sector, primarily because of its access to accounts rule. While GDPR rules around privacy will need to be considered when developing new products or making changes, these challenges can be navigated with robust planning and sufficient expertise. When properly implemented in harmony, PSD2 and GDPR enable banks to better protect and serve consumers, move beyond compliance and seize new opportunities for growth.

This article originally appeared in our #payments newsletter – volume 22; additional author contributions from Tony de Bos, EY Global Data Protection & Privacy Solution Owner, and Friso Dikkers, EY Financial Services Advisory.

PSD2 aims to create access to personal data while GDPR aims to protect it. When properly implemented in harmony, the legislation can enable banks to better protect and serve consumers, move beyond compliance and seize new opportunities for growth.
