Voice of the Industry

Regulatory preview: it will be a busy 2020 in Europe

Friday 22 November 2019 08:43 CET | Author Anda Kania | Voice of the industry

Charles Gaddy from Global Data Consortium depicts how the regulatory landscape will look in 2020 and what businesses should consider in order to be prepared form a compliance perspective.

The 2020 landscape for implementation and enforcement of regulations and legislation is heavily slanted in the areas of Privacy Protection and Securing/Regulating Financial transactions.  Most of our customers and partners have dealt with the 4th AML (4MLD), GDPR, and the beginnings of PSD2 & Open Banking. 


What does 2020 hold? 

2020 will be all about data: management of data, use of data, and compliance. Right out of the gate in January, EU member states must implement the 5th AML Directive (5MLD) provisions into their national laws by January 10, 2020. More PSD2 is also coming into force in January 2020, as card networks will begin to implement fines or refuse transactions which have not implemented SCA (Strong Customer Authentication). And of course, both requirements have the filter of GDPR to consider as we continue to interpret and understand this regulation’s business impact.

5th Money Laundering Directive (MLD)

Customer Due Diligence is at the core of 4MLD, and the requirements only increase with 5MLD. Again, to comply leveraging the proper use of data is critical. Beyond CCD, a new key provision for consideration is the regulatory requirements for identifying and tracking Ultimate Beneficial Ownership (UBO). It will be interesting to see how “ready” the different member states are for this requirement as UBO appears to be at varying stages of implementation in each country.

With both CDD and UBO, the other additional “heavy lift” is the lowering of thresholds for identity verification.  In 4MLD, the threshold was EUR 250, but with the coming January 2020 date, that will be reduced to EUR 150. As well, 5MLD will require verification of previously anonymous prepaid cards.  This is driven by the understanding of recent money laundering and terrorist activities being financed by smaller prepaid financing activities. And we also need to check the UBO and CDD, not just the individuals in financial transactions at these levels. Business data and individual personal data are required to implement solutions here which comply and are “low friction”, because customers demand for a hassle-free experience in the process. 

PSD2 – Secure Customer Authentication 2020

The regulation is designed to force banks and other payment service providers to improve customer authentication processes and to also bring in new regulation to manage third-party involvement. PSD2 went into effect on September 14, 2019, and so it is by far the “youngest” of the regulations in focus for 2020. This also means that its interaction and interplay with 5MLD and GPDR are still being refined.

Financial institutions are already conducting KYC and CDD functions as described previously, so why is this likely to be a challenge or an effort in 2020? Well, it is because of the specific mandate that focuses on SCA to improve security for consumers. Under PSD2, PSPs are required to implement SCA on certain transactions. One type of SCA is two-factor authentication. For this, the consumer is required to enter a piece of information from two or more of the following:

Knowledge: This is something only the customer knows, such as a password or PIN, but specifically does not include the card number, expiration date or other values on the card.

Possession: This is something the customer has – the most common example here is the mobile phone.

Inherence: This is something the customer inherently “is,” - a fingerprint, behavioural biometrics or facial recognition, for example.

Most organisations have settled on implementing two-factor authentication to solve the challenge of SCA. However, the same financial organisations have not actively collected verified mobile data, as this is not part of the required AML and KYC guidelines. So, this leaves a challenging problem to solve in 2020: how do I two-factor a financial transaction without a mobile number?

GDPR - General Data Protection Regulation

There has been so much, talk, research, speculation and implementation regarding this regulation, it almost seems like we could just say GDPR and everyone would have their story of “dealing with”, understanding, implementing and documenting its compliance. To put it simply, GDPR aims to protect personal data, making it easier for consumers to know where their data is being used and raise objections about its use. 

The important aspects of GDPR as it relates to PSD2 and 5MLD revolve around consent. GDPR requires that financial institutions cannot process consumer data without consent, which must be obtained under specific conditions. While PSD2 requires “explicit consent” to provide services to consumers, the concept is not clearly defined, and there is no suggestion that it has the same meaning as in GDPR. 5MLD does not specifically mandate consent, but the bar of “high quality and independent” data sources requires the consideration of consent-based data and the GDPR requirements that accompany such data.

Bringing it all together – 5MLD, PSD2, SCA, and GDPR

“SCAPSD25MLDGDPR” – this mash-up is the challenge organisations like GDC are looking to address for our customers and partners. How to best deal with secure authentication, compliance with GDPR, data regulations, and the different money laundering regulations?

The issue is that 5MLD, PSD2 and the GDPR as they aredescribed above have different goals, and there are or have been national approaches to each of them, which have impacted companies operating across borders.

It may be an understatement to say that the drafting of these three regulations has not been coordinated amongst the relevant regulators. In many cases, there are contradictory provisions regarding the same matters. In other instances, there is a lack of guidance on how to implement both the GDPR and PSD2, or GDPR and 5AMLD, or all three. Nonetheless, each provision rolled out in 2019 and 2020 will only see an expansion of the regulatory environment. 

The violation of such provisions carries the risk of penalties and other liabilities, such as civil litigation. For example, breach of the GDPR can lead to fines of up to EUR 20 million, or up to 4% of an undertaking’s total worldwide annual turnover, whichever is higher. Under PSD2, Member States are free to determine penalties that may be imposed by national authorities following an infringement of the law.

To address these issues and mitigate risk, companies will need to rigorously assess the interaction of the provisions and develop a robust and defensible position for why they are adopting certain interpretations of each regulation. Companies also need to assess the operational implications of such decisions.  Any strategy for working through this dense thicket of law and regulation will require expertise in numerous areas of law, the ability to analyse competing outcomes and to create a series of priorities, which then need to be implemented and complied with through the organisation.

About Charles Gaddy

Charles has specific experience in banking, insurance, and direct marketing technologies as well as substantial experience in the data quality sector. His past positions include work in Fintech/Insurtech and global data over 25 years as VP of Product Management, Alliance Manager, and Director of Information Technology.


About Global Data Consortium

Global Data Consortium provides real-time electronic identity verification to help businesses comply with AML and KYC checks through a single API.  GDC leverages its high quality in-country partners to consistently add new data sources, expand country coverage, and provide customers with the best results possible.


Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: GDC, regulation, PSD2, GDPR, 5MLD, money laundering, compliance
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: Europe
This article is part of category

Securing Transactions