Preparing for PSD2 and GDPR - how to develop a compliant strategy
By Mike Wake, Head of GDPR Solutions, SAS UKI
In the first half of 2017, two major new pieces of regulation will come into effect - the revised Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR).
Designed by the European Union and an evolution of the existing PSD (Payment Services Directive), the PSD2 will revolutionise the payments industry, changing the way we pay online and what information we see when making payments.
The PSD2 directive will break down the traditional banks' monopoly on their users' data, allowing third-party merchants, such as Amazon, to retrieve a customer's account data directly from their bank - with their permission, of course - and make payments on their behalf without redirecting to another service like PayPal or VISA.
In contrast to the open approach of PSD2, GDPR aims to unify and strengthen data privacy laws across Europe, formalising concepts such as the 'right to be forgotten' and giving EU citizens greater control over their personal data online. It also requires that businesses take a more considered approach when it comes to capturing data from their customers and processing it.
PSD2 and GDPR - a compliance conundrum?
While seemingly unconnected at first glance, both regulations deal with a crucial element: data. On the one hand, the PSD2 is about making the financial data of individuals available to third parties, whilst the GDPR is about protecting individuals' data and keeping it private.
Undoubtedly, there will be a conflict between the two regulations, one focusing entirely on data protection and the other on data freedom. And yet, despite the overlapping scope and conflicting targets of the two pieces of legislation, very little has been said about their coexistence. One piece of legislation will protect consumers, while the other will benefit businesses.
The discord between the two is terribly apparent, so what can businesses do to prepare?
Managing customer consent and data purpose
The first element to address in the PSD2 and GDPR conundrum is consent, which also applies to other forms of data processing. In order to transfer customer data under PSD2 and be compliant under the GDPR, businesses must first acquire specific consent from customers to be able to transfer data to third parties. The next step is validating the customer request to share information under PSD2: how do banks prove customers are who they say they are and confirm that they have consented? Also, has the third party verified the customer's identity and obtained their consent? In this instance, customer authentication and consent need to be a two-part, end-to-end process. Banks will need to implement a verification process that ensures customers are who they say they are, without inconveniencing them with multiple checks and authentication barriers, and third-party merchants will need to obtain customer consent as well. The process would, potentially, have to take place in a single environment to validate both elements of consent. As it stands, the question of 'who' should acquire consent is unanswered. Both parties - the financial services firm and the third-party merchant - must clearly describe the purpose for which the customer's data is to be used.
Data governance, stewardship and a risk-based approach
PSD2 allows third-party merchants to access financial data and services that would have traditionally been under the control of the bank. Undoubtedly, this increases the possibility of data breaches and incidents arising from poor data management. PSD2 says little in the way of contractual liabilities, i.e. should the bank or third party fail to do x, y will occur. In addition, banks have little control over how third parties will operate (there is no set “standard” at present) – and should, therefore, take a risk-based approach and develop better data governance.
Financial services firms will need to take a holistic approach to data governance, protection and consent to ensure they meet the requirements of both the GDPR and PSD2. In any instance, the bank is the chief custodian of a customer’s data and therefore responsible for how that data is managed and distributed. Wherever possible, every employee should apply data quality controls, ensuring that only accurate data is collected, overseeing the transfer of data and assessing the risks involved at every stage. By building an underlying understanding in the firm that ‘privacy’ is of the utmost importance, financial services firms will be able to develop good data governance practices. Privacy and data control must work in tandem.
Remove silos and build audit trails
Businesses will need to unify their data across operations and update legacy systems to ensure information is transferred seamlessly. In unifying data and systems, financial services firms will have a better understanding of where their data is, why they have it, and what it is being used for. Complete data privacy cannot be achieved with silos present in the business – and Shadow IT solutions (technology outside the business’ standard IT infrastructure) will also present problems. The unification of data and the standardisation of data management systems will help financial services firms to meet the requirements of both GDPR and PSD2.
It’s important that financial services firms remember that GDPR demands data portability, whereas PSD2 requires open access to information. Having information consolidated in a central location, in a machine-readable and electronic format, will make it easier to transfer data, monitor it and document any changes. In addition, juggling two regulations will require financial services firms to keep detailed and comprehensive records to protect themselves against possible liabilities.
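The two-part consent check described under "Managing customer consent and data purpose" and the audit-trail requirement above can be made concrete in code. The following is an added example written for this page; it is not SAS code and not a reference implementation of either regulation. It assumes two party labels (`bank` and `tpp`), a purpose string agreed with the customer, a 90-day default consent lifetime, and a hash-chained append-only log as the tamper-evident record of every grant, withdrawal and transfer decision. A transfer is released only when the customer has been authenticated by the bank and both the bank-side and third-party-side consents for that exact purpose are active.

```python
"""Purpose-bound consent registry with an append-only, hash-chained audit trail.

Illustrative example only (not SAS code, not a PSD2/GDPR reference design).
Party labels, purposes, customer ids and the 90-day lifetime are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hashlib import sha256
import json
from typing import Dict, List, Optional, Tuple

BANK = "bank"  # assumed label: the account-holding institution
TPP = "tpp"    # assumed label: the third-party merchant / provider


@dataclass
class Consent:
    customer_id: str
    party: str             # who captured this consent: BANK or TPP
    counterparty: str      # who the data may be shared with / used by
    purpose: str           # the specific purpose stated to the customer
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        """Consent counts only while unrevoked and inside its validity window."""
        return self.revoked_at is None and self.granted_at <= now < self.expires_at


def _digest(entry: dict) -> str:
    """Deterministic hash of an audit entry (datetimes serialised via str)."""
    return sha256(json.dumps(entry, sort_keys=True, default=str).encode()).hexdigest()


class ConsentRegistry:
    def __init__(self) -> None:
        self._consents: Dict[Tuple[str, str, str, str], Consent] = {}
        self.audit: List[dict] = []  # append-only; each entry chains to the previous hash

    def _record(self, event: str, **detail) -> None:
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"event": event, "prev": prev, **detail}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def grant(self, customer_id: str, party: str, counterparty: str, purpose: str,
              now: datetime, ttl_days: int = 90) -> None:
        key = (customer_id, party, counterparty, purpose)
        self._consents[key] = Consent(customer_id, party, counterparty, purpose,
                                      now, now + timedelta(days=ttl_days))
        self._record("grant", customer=customer_id, party=party,
                     counterparty=counterparty, purpose=purpose, at=now)

    def revoke(self, customer_id: str, party: str, counterparty: str, purpose: str,
               now: datetime) -> bool:
        """Customer withdraws consent; the record is kept (not deleted) for the trail."""
        c = self._consents.get((customer_id, party, counterparty, purpose))
        if c is None or c.revoked_at is not None:
            return False
        c.revoked_at = now
        self._record("revoke", customer=customer_id, party=party,
                     counterparty=counterparty, purpose=purpose, at=now)
        return True

    def authorise_transfer(self, customer_id: str, tpp_id: str, purpose: str,
                           customer_authenticated: bool, now: datetime) -> Tuple[bool, str]:
        """End-to-end check: bank authentication plus BOTH halves of purpose-bound consent."""
        if not customer_authenticated:
            reason = "customer not authenticated by bank"
        else:
            bank_side = self._consents.get((customer_id, BANK, tpp_id, purpose))
            tpp_side = self._consents.get((customer_id, TPP, tpp_id, purpose))
            if bank_side is None or not bank_side.active(now):
                reason = "no active bank-side consent for this purpose"
            elif tpp_side is None or not tpp_side.active(now):
                reason = "no active third-party consent for this purpose"
            else:
                reason = "ok"
        allowed = reason == "ok"
        # Every decision, allowed or refused, is written to the trail.
        self._record("transfer_decision", customer=customer_id, tpp=tpp_id,
                     purpose=purpose, allowed=allowed, reason=reason, at=now)
        return allowed, reason

    def audit_intact(self) -> bool:
        """Re-walk the chain; any edited or removed entry breaks a link."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> dict:
    """Walk through the consent scenarios on constructed data and return the outcomes."""
    reg, t0 = ConsentRegistry(), datetime(2017, 3, 1, tzinfo=timezone.utc)
    purpose = "balance check for one-off payment"          # constructed purpose string
    reg.grant("cust-1", BANK, "merchant-A", purpose, t0)   # bank captured its half only
    half = reg.authorise_transfer("cust-1", "merchant-A", purpose, True, t0)
    reg.grant("cust-1", TPP, "merchant-A", purpose, t0)    # merchant captures its half
    ok = reg.authorise_transfer("cust-1", "merchant-A", purpose, True, t0)
    wrong_purpose = reg.authorise_transfer("cust-1", "merchant-A", "marketing profile", True, t0)
    unauth = reg.authorise_transfer("cust-1", "merchant-A", purpose, False, t0)
    reg.revoke("cust-1", BANK, "merchant-A", purpose, t0 + timedelta(days=1))
    after_revoke = reg.authorise_transfer("cust-1", "merchant-A", purpose, True,
                                          t0 + timedelta(days=2))
    return {"half": half[0], "ok": ok[0], "wrong_purpose": wrong_purpose[0],
            "unauth": unauth[0], "after_revoke": after_revoke[0],
            "audit_intact": reg.audit_intact(), "events": len(reg.audit)}


def tampered_audit_detected() -> bool:
    """Edit a recorded purpose after the fact; the chain check must now fail."""
    reg = ConsentRegistry()
    reg.grant("cust-2", BANK, "merchant-B", "account history export",
              datetime(2017, 3, 1, tzinfo=timezone.utc))
    reg.audit[0]["purpose"] = "marketing profile"
    return reg.audit_intact()


if __name__ == "__main__":
    print(demo())
    print("tampered trail verifies:", tampered_audit_detected())
```

Two design points matter for the compliance argument in the text. Consent is keyed on the stated purpose, so data collected for a payment cannot be released for a different use without a fresh grant, and withdrawal marks the record rather than deleting it, so the registry can still show what was agreed and when. The hash chain gives the "detailed and comprehensive records" a cheap integrity check; in production it would be anchored to write-once storage or a signing key rather than held in memory.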
Ultimately, in implementing both PSD2 and GDPR, financial services firms will need to be cautious and meticulous – and take a measured and comprehensive approach to how they manage and distribute data. As precedent is built and standards fleshed out over time, managing both PSD2 and GDPR will become significantly easier. But for now, a risk-based approach – one where every aspect is scrutinised and recorded – is the best approach. Coming up with a strategy and establishing a framework now will put financial services firms in an excellent position to do business come 2018 and beyond. Also, as new financial services start-ups enter the market, many of which are app-based, the issue of legacy data becomes less and less prominent. With this in mind, financial services firms can take a lead on compliance and start collaborating with third-party vendors to provide more value to their customers and gain a further advantage over those who do not. By taking the challenge head-on and demonstrating that they are ready, they will naturally attract more and more business in the future – sitting and waiting will only put the competition ahead!