The first half of 2018 sees the implementation of two major pieces of regulation – the Payment Services Directive (PSD2, which went live in January 2018) and the General Data Protection Regulation (GDPR, going live in May 2018), both laying important foundations to pave the way for a better and brighter digital economy.
With PSD2 key to the vision of open banking by allowing the easy sharing of customer transaction and account data with third party providers, one could take heart from the common aims of the two regulations – putting data subjects (in this case, the account holder) in control of their own data and keeping that data safe. However, move into the detail, and the trouble begins, with a minefield awaiting anyone seeking to successfully navigate through the two regulations in tandem.
Open Banking and PSD2
Open Banking aims to provide consumers with a much wider range of financial services providers to choose from. In particular, PSD2 enables customers to grant a third party permission to access their banking information and initiate payments on their behalf. Such third parties could include retail businesses, telecommunications providers, payment services, financial account aggregators and fintech companies. The PSD2 regulation refers to third parties that initiate payments as Payment Initiation Service Providers (PISPs).
With a PSD2 licence, a third party (including a competitor bank) can, subject to the customer's consent, access a customer's account and transaction details, analyse these, and offer value-added services based on them, such as product recommendations or financial advice. Such third-party providers are referred to as Account Information Service Providers (AISPs) in the regulation.
At its core, by facilitating access to customer data, PSD2 seeks to create new digital products and to build an ecosystem of partnerships that better serve customer needs. Bank margins on transfers are getting smaller and smaller – there is therefore a real opportunity from harvesting and analysing customer data to offer higher value services and products.
However, the value of transaction data lies in the context of consumer purchase decisions and in being able to influence such decisions at the right time. That context could range from the reason, mode and timing of a purchase to the habits associated with it (such as the weather, the customer's mood, related social media posts and who they might have been with). This then lends itself perfectly to informing the marketing and approach strategy for such a customer. But does this fall foul of the increasingly strict data privacy and protection rules?
GDPR and the value in personal data
In a similar manner to transactional data, the value of personal data lies in being able to connect specific profiles and trends to certain purchasing decisions, demographic tendencies and educated guesses as to purchasing preferences. In a way, personal data is a great complement to transactional data in the context of informing customer marketing and approach strategies. But unlike transactional data, the use of personal data is directly regulated by privacy regulation, including the impending GDPR, which creates barriers to using personal data so directly to identify marketing and strategy trends.
Friends or foes?
The most serious GDPR challenge to Open Banking and PSD2 implementation lies in consent management.
Open Banking is aligned with and supports the implementation of data portability requirements under the GDPR. However, the bank must be able to:
a) Keep track of what information has been shared, and where it has gone.
b) Obtain consent for the transfer of personal data – PSD2 permits disclosure to third parties with the permission of the individual only.
c) Ensure the API through which it shares the personal data with third parties meets security requirements under the GDPR (as well as security standards applicable to PSD2).
d) Ensure it can implement the “right to be forgotten”, which requires a clear and detailed system for notifying the partners to whom customer data has been disclosed.
The introduction of “open banking” through PSD2 increases the possibility of incidents involving the misuse of data and breaches of data protection laws by third parties, and thus the likelihood of GDPR penalties. Data controllers are ultimately responsible under the GDPR for the misuse of the data they control and for any resulting penalties. In a context where third parties’ behaviour may cause penalties to be levied, there is a need to consider liability controls: who is liable for the behaviour of third parties?
Reputational issues are the most important: even if it is a third party that fails to manage its GDPR obligations, the reputational risk may lie predominantly with the incumbent bank, because it has a reputation to lose in the first place, as opposed to a start-up using the API.
Solutions to the challenges
Fortunately, there is a means of navigating these potentially turbulent waters, and data sits at the core of it. Organisations find themselves in increasing need of accurate systems and “live” data mapping that let them know what data goes out and to whom. Clear, GDPR-compliant processes, integrated into regular business processes and with appropriate consent text and explanation provided when obtaining consent, are also becoming a necessity.
Technology for keeping track of consents (including withdrawal and right to be forgotten requests), as well as where the information disclosed goes, is required to ensure no one’s information is used without consent, and that data subjects’ rights are enforced appropriately.
By revising their contractual relationships with third parties, organisations can ensure increased oversight of the data provided to AISPs, for example by imposing strengthened rights of audit, warranties and reporting obligations with respect to data management and GDPR compliance. In particular, contractual obligations and protocols for dealing with consent withdrawal and right to be forgotten requests should be imposed on AISPs. Organisational measures, such as audits and keeping a close watch on AISPs, will help ensure that the latter properly manage the full range of their GDPR obligations.
Finally, solutions to promote transparency of an organisation’s processing will include public campaigns explaining the benefits of providing consent and what the organisation is doing to ensure that data is controlled appropriately, as well as campaigns highlighting partnerships and why they are helpful to consumers. Ensuring an organisation is sufficiently transparent about how it processes personal data is also a key tool for reputational management.
Embracing the digital economy: Unlocking business value through data governance
The twin challenge of Open Banking and data protection offers significant advantages to those who take the opportunity to transform their infrastructure, data governance and processes so as to welcome the digital banking opportunities of open banking in a GDPR-compliant manner.
Identifying the right foundational data management approach and business processes is key to allowing organisations to unlock business value for themselves, their partner ecosystem and consumers by facilitating the compliant processing of their data.