
Blog: GDPR and PSD2 - an opportunity for banks?

Nick Clare

In the decade since the global financial crisis, the banking industry has had to endure wave after wave of new regulation. Complying with each new rule while adapting the business to the digital world is costly, disruptive and carries considerable risk.

The latest additions are PSD2 (the revised Payment Services Directive) and GDPR (the General Data Protection Regulation), which at first glance seem to pull in opposite directions. It is worth comparing the differences and the linkages between the two, as we and our customers have experienced them.

Let's start with GDPR. By now most of us know its guiding principles: giving individuals control over their own personal data and making businesses responsible for upholding that privacy right. We also know that the UK regulator, the Information Commissioner's Office (ICO), will punish breaches with fines. More damaging than a fine is the reputational harm that comes from losing public trust. What are the odds on a bank being the first one on the naughty step?

PSD2, by contrast, requires banks to open account access to regulated third parties. A Payment Initiation Service Provider (PISP) can initiate payments from a customer's bank account on the customer's behalf, and an Account Information Service Provider (AISP) can use the bank's APIs to read and analyse the customer's account data in order to offer other services. The result is an environment in which any organisation holding the appropriate regulatory authorisation as a PISP or AISP can build services on top of a bank's API, with the customer's explicit consent for each service.

So on the one hand, customer data is being opened up to provide more competitive, efficient and regulated services; on the other, control of personal data is being put firmly back in the hands of individuals, with businesses facing fines and a massive loss of public trust if they don't comply. Isn't this like giving sweets to kids and telling them not to eat them?

There's a lot more to say on the differences between the two regulations, but the linkage is, of course, control of data. Consent must be obtained and recorded, following the rule that if it isn't written down, it hasn't happened; that record then needs an audit trail to protect the business in the event of a dispute. Controls must also be in place to honour the 'right to be forgotten' while still retaining the personal data that other regulation, PSD2 included, obliges the bank to keep: the right to erasure does not override a legal obligation to retain records, so the two sets of data need to be separable from the outset.
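The three requirements just described (a consent record, a tamper-evident audit trail, and erasure that leaves legally retained records intact) can be sketched as one data structure. The Python below is an added illustration written for this page; it is not Capita's framework and not a reference design from either regulation. Its assumptions: a SHA-256 hash chain provides the audit trail; each data subject's personal data is encrypted under a per-subject key, so erasure becomes crypto-shredding (delete the key); the `legal_hold` flag is a hypothetical stand-in for a PSD2 or anti-money-laundering retention duty, and records carrying it are encrypted under a separate retention key that erasure does not touch. The counter-mode XOR cipher is a stand-in for a real AEAD such as AES-GCM, and the customer identifiers and events are constructed sample data.

```python
"""Consent audit trail that survives a 'right to erasure' request (illustration)."""
import hashlib
import hmac
import json
import secrets
import time

GENESIS = "0" * 64


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: SHA-256 in counter mode. Use AES-GCM in production."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class ConsentLedger:
    def __init__(self):
        self.entries = []                          # append-only, hash-chained
        self.subject_keys = {}                     # subject_id -> per-subject key
        self.retention_key = secrets.token_bytes(32)  # never shredded on erasure

    @staticmethod
    def _hash(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    @staticmethod
    def _subject_ref(key: bytes) -> str:
        # Pseudonymous reference; cannot be recomputed once the key is shredded.
        return hmac.new(key, b"subject-ref", hashlib.sha256).hexdigest()

    def _append(self, fields: dict) -> int:
        entry = dict(fields, seq=len(self.entries),
                     prev_hash=self.entries[-1]["hash"] if self.entries else GENESIS)
        entry["hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry["seq"]

    def record(self, subject_id, event, purpose, personal_data, legal_hold=False, ts=None):
        """Write one consent or transaction event with its personal data encrypted."""
        subject_key = self.subject_keys.setdefault(subject_id, secrets.token_bytes(32))
        enc_key = self.retention_key if legal_hold else subject_key
        nonce = secrets.token_bytes(16)
        plaintext = json.dumps(personal_data, sort_keys=True).encode()
        return self._append({
            "ts": ts if ts is not None else int(time.time()),
            "event": event, "purpose": purpose, "legal_hold": legal_hold,
            "subject_ref": self._subject_ref(subject_key),
            "nonce": nonce.hex(),
            "ciphertext": _keystream_xor(enc_key, nonce, plaintext).hex(),
        })

    def read(self, seq):
        """Decrypt an entry's personal data; None once its key has been shredded."""
        e = self.entries[seq]
        if e["ciphertext"] is None:
            return None
        if e["legal_hold"]:
            key = self.retention_key
        else:
            key = next((k for k in self.subject_keys.values()
                        if self._subject_ref(k) == e["subject_ref"]), None)
            if key is None:
                return None
        plain = _keystream_xor(key, bytes.fromhex(e["nonce"]), bytes.fromhex(e["ciphertext"]))
        return json.loads(plain)

    def erase(self, subject_id):
        """Honour an erasure request: shred the subject key, keep legal-hold records."""
        key = self.subject_keys.pop(subject_id, None)
        if key is None:
            return {"shredded": 0, "retained": 0}
        ref = self._subject_ref(key)
        mine = [e for e in self.entries
                if e["subject_ref"] == ref and e["event"] != "erasure"]
        shredded = sum(1 for e in mine if not e["legal_hold"])
        # The erasure itself is audited, with no personal data in the entry.
        self._append({"ts": int(time.time()), "event": "erasure", "purpose": "gdpr_art17",
                      "legal_hold": False, "subject_ref": ref,
                      "nonce": None, "ciphertext": None})
        return {"shredded": shredded, "retained": len(mine) - shredded}

    def verify(self) -> bool:
        """Walk the hash chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._hash(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

The design point is that the ledger itself is never rewritten: an erasure request deletes a key, not a record, so the audit trail stays verifiable and the entries a regulator can still demand remain readable under the retention key, while everything held only under the customer's consent becomes unrecoverable ciphertext.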

There is a great opportunity here to do a lot more than 'just enough'. These two regulations are a chance to transform data governance and the infrastructure beneath it. As we talk to customers about the new regulations, we see two attitudes that are far apart. Some are speeding ahead with programmes to bring in new processes and infrastructure, recognising the opportunity: their data protection officers can identify every entry point for personal data, impose the necessary controls around those processes, and have the infrastructure itself identify, measure and manage the risks. Others are still prepared to play a wait-and-see game, hoping that something will turn up. The latter is clearly not a strategy!

We at Capita can help accelerate your data compliance programmes. Capita, through its customers, is one of the largest data processors in the UK. We have defined the risks and built their mitigations into a framework of policy, process and actionable, auditable activities to support and demonstrate compliance.

For more information, book your place at our 'GDPR for banks – what you should know' webinar on July 11th.
