PSD2 and GPDR – customer consent is (the) key

This editorial was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.

2018 will undoubtedly prove to be an impactful year for financial services. Two major EU regulations of great importance to banks will come into force in the first half of 2018. While the PSD2 is all about making the data of individuals available to third parties, the GDPR is all about keeping this data private. Surprisingly little has been said in the regulations about their seemingly conflicting coexistence.

A closer look at the regulatory landscape

On the one hand, the potential penalties are huge for an institution if it fails to comply with data breach notification under the GDPR – up to EUR 20 million, or 4% of global turnover. Being a regulation, GDPR is directly applicable within all member states of the EU. On the other hand, PSD2 is a Directive, so penalties are up to the member states to define, therefore there might not even be fines for non-compliance.

In preparing for PSD2, banks should take the GDPR guidelines at heart, applying the most rigid possible interpretation. In turn, this would limit the TPPs’ access to data and lead to strict interpretations of consent. It would also slow down the open banking movement and reduce the effectiveness of regulators’ efforts to increase innovation and competition in the payments market. Banks should ensure a common framework for an aligned and coordinated approach by taking into account the requirements of both GDPR and PSD2.

Consent – common concern of PSD2 and GDPR

Both GDPR and RTS under PSD2 lack clarity on the form of the required consent. Considering that consent in electronic form is a practical necessity for PSD2, the technical means of providing consent are also lacking (e.g. ticking a box or e-mail confirmation) – leaving much of it to interpretation.

Secondly, an area of debate in the RTS is data scraping, which is the practice of third-party providers (Payment Initiation Service Providers and Account Information Service Providers) to access bank accounts on the client’s behalf using the client’s username and password credentials. This practice was prohibited in the European Banking Authority’s final draft RTS. However, the European Commission urged the EBA not to ban data scraping outright but to hold it in reverse, as a back-up mechanism should bank interfaces (APIs) fail to function properly. It is now for the European Commission to make the final decision on the text of the RTS.

As such, when data scraping is used, it is very difficult, if not impossible for banks to give access only to consented data and simultaneously comply with the other protection requirements related to sensitive data. TPPs can obtain consent for the use of consumer data, or have it covered contractually, but such a bypass is unnecessary if TPPs utilize dedicated interface APIs. Hence, it is unlikely that banks will be able to know if and what consent has been provided by the customers. Under GDPR, banks are fully responsible for the processing performed by third parties, and lack of agreement would not be in compliance with GDPR. Furthermore, banks’ responsibility for this kind of processing remains unclear in the absence of any contractual agreement. This practice, then, goes by definition against the spirit of consumer protection and controller liabilities embodied in GDPR and PSD2.

TPPs will likely initiate the process of securing customers’ consent, including consent for their activities and the use of the data once obtained. Banks will ultimately remain responsible for confirming the consent directly with their customers. This will probably include confirming details such as the identity of the TPP, what data customers wish to share and how frequently, and when such consent will expire. Such a two-way route – obtaining and confirming consent – has the potential to provide greater protection to TPPs, banks and customers, compared to banks relying solely on the consent provided by the TPPs.

How to navigate through conflicting regulations

Banks and TPPs must create rules and processes for data breaches and build a Data-Safe culture, developing policies regarding better and frequent implementation, training, monitoring and assessment. Secondly, it is important to implement privacy by design, analyse the personal data processing framework in place and review the third-party policies, procedures and contracts.

The technical and operational process for onboarding TPPs will become critical because banks must be prepared to take on an additional financial risk, sharing liability for any breaches. Banks and API providers must start to tackle the privacy problem from the beginning, ensuring that TPPs have sound privacy certification and settings during the onboarding process. Banks and API providers must implement due diligence mechanisms and processes for onboarding TPPs, testing APIs and managing incidents.

Anticipating on (future) TPP requests, privacy design strategies need inclusion. Consent must be a top priority since sharing customer data without proper consent is a clear GDPR violation. Consent is one area where effective identity management is crucial. Identity management is making progress as more secure and user-friendly biometrics replace clunky username and password combinations in order to better verify and authenticate individuals. Banks and TPPs should develop advanced data analytics to prevent more effectively fraud and false identity representations.

Conclusion

Banks hold a monopoly over their customer’s data but – under PSD2 – TPPs will now be able to retrieve customer account information and make payments on their behalf. Further guidance is urgently needed from both EU and national regulators on how banks can reconcile the requirements under PSD2 and GDPR.

About Paul Weiss and Anupam Majumdar

Anupam Majumdar and Paul Weiss work within Accenture’s Consulting Practice, Financial Services, based out of the Netherlands. Both have worked with multinationals to define their business and technology strategy and then playing a role executing and delivering against that strategy.

About Accenture

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Accenture has extensive experience in payments, Everyday Banking, open APIs and digital banking strategies – and can help organizations navigate the optimal route along this journey.