In a year of new regulations, banks are faced with the double challenge of implementing two policies that seem to run opposite one another: GDPR and PSD2. Why is it happening, and how should banks approach it?
As Europe plunged into the full-scale implementation of GDPR just last Friday, it can be helpful to step back and see the larger regulatory world in which companies now find themselves. Data is clearly in the mind of the European Commission, as they have implemented several groundbreaking policy changes that are likely to have long-lasting impacts on how banks operate.
One such regulation in the banking industry, the Payment Services Directive II (PSD2), which went into effect on January 13th, contains provisions that will likely have a large impact on the relationship banks have with their users’ data. Combine that with the already complex restrictions imposed by GDPR, and even the most established banks will find themselves in a regulatory minefield.
What is PSD2?
Generally speaking, the PSD2 hopes to promote competition and encourage innovation by leveling the playing field when it comes to user data. It mandates that banks allow third-party service providers (TPSPs), typically FinTech companies, to gain access to user account information through open application programming interfaces (APIs).
These APIs should allow third-party providers to operate on top of existing banking infrastructure. This sharing of user information is mandatory, meaning that there does not have to be a formal contract signed between the two parties in order to gain access. The implications of this policy are significant -- it effectively removes the monopoly banks have over their users’ data.
Wait, Huh? What About GDPR?
Exactly. PSD2 can be a bit confusing when it comes to complying with both it and the regulations that GDPR has simultaneously put into place. While they both work to give users power over where their data goes, they go about doing this in almost opposite ways. The biggest challenge for banks is going to come from complying with PSD2 regulations within a GDPR world.
Who has responsibility for data when third-party providers are required to be given access? How do you define data governance in situations where contracts spelling that out aren't needed? These questions are significant and should be in the minds of any data-focused bank.
Why Do Both of These Even Exist?
To understand these two somewhat contradictory policies, you must first understand two large goals of the European Commission. On one hand, they want to progress innovation in Europe as much as possible. By opening competition in the financial services industry to non-banks, they plan to do just that.
On the other hand, the European Commission is committed to protecting the data rights of all European citizens. More than anything, GDPR tries to define in clear terms the ownership users should have over their own data.
While PSD2 recognizes the value that data can bring in terms of innovation, GDPR recognizes the limits there must be on the use of data. In that sense, these two policies seek to balance each other out, by expanding the availability of data while also regulating the ways in which it can be used.
So, How Should We Approach This?
The silver lining here is that the solution to the problem doesn't have to be risky non-compliance -- it is taking control over the data that you have. By having a full understanding of where data is being sent and how data is being used, it becomes much easier to make smart decisions that will keep you away from fines. Some good places to start would be:
- Having one central place where anyone at the company accesses and works with data. This can be rooted in a data science platform (read more about what they are and why they’re essential) or some other central tool. Being able to organize the data you have and clearly document what it’s being used for will make its monitoring infinitely easier.
- Coming up with a single plan for simultaneous implementation will always be better than coming up with independent plans for both. This guide to GDPR implementation through governance is a helpful base for GDPR as well as PSD2.
- Fostering a well-managed data science team whose members know the ins and outs of the policy and are held to a high standard of data governance practices will save companies future headaches.
It’s clear by now that regulation is not going away anytime soon in Europe. While it may seem daunting, companies that are compliant will not only avoid costly fines, but also will find themselves with the organizational structure necessary to use data for other more creative purposes, like new products or services.
For more on how to implement good data governance practices that will make compliance and audits manageable (no matter what the regulation), check out the GDPR white paper.