Global Banking and Finance Review

    Battling Regulations – How Banks can Navigate PSD2 and GDPR


    Published by Gbaf News

    Posted on July 4, 2018


    Satya SwarupDas, Senior Solution Architect, Virtusa

    Benjamin Franklin once said, ‘when you’re finished changing, you’re finished’ and nowhere is it truer than in the commercial banking sector. The industry has been beset by so many new opportunities and challenges in recent years that it’s sometimes tough to keep track.

    Many banks are still recovering from the impact of digital disruption, yet now have to contend with two new game-changing regulations in the shape of Open Banking/Payment Services Directive-Revised (PSD2) in January 2018 and General Data Protection Regulation (GDPR) in May 2018.

    The challenge to adapt to both and still maintain a profitable business can be overwhelming at the outset, especially when the two seem to contradict one another. The good part is that the power balance will shift towards customers, as both pieces of legislation are likely to give them greater control over their personal data and, if handled appropriately, also help banks build stronger relationships with customers.

    Navigating the battle of regulations

    At first blush, the goal of Open Banking – giving customers better service options through banks sharing data with Third Party Providers (TPPs) – is the exact opposite of that of GDPR, which aims to help consumers limit how and where their personal data is used by giving them the chance to know, understand, and consent to the data collected about them. While the former is trying to provide customers with greater choice, better products and better service when it comes to banking, the latter represents a substantial check on how that data can be used by companies. This has left many businesses confused about how to ensure they are compliant with both simultaneously.

    To make matters worse, the issue is further muddied by numerous grey areas in both pieces of legislation. For now, there are several key questions we don’t have a definite answer to. For example, since Open Banking will allow TPPs to access data and use it for customer servicing, if there is a breach of GDPR rules by a third-party provider, where does the culpability lie – with the bank or the TPP? And who does the customer take their grievances to? Can the same definition of ‘consent’ be used for both regulations? These issues, along with many others, need to be clarified by the regulators. In the meantime, it can be challenging to know the best way to stay compliant with both. Given that GDPR allows regulators to levy fines up to 4% of the annual global turnover, it may well be the case that banks are more focused on GDPR compliance than Open Banking. If so, regulators will need to pitch in so that the concerns of both banks and consumers can be reconciled.

    All in the data

    However, despite the prima facie contradictions between GDPR and Open Banking, the end goal for both is to give consumers greater control over their data and, at the same time, for banks to gain visibility and control of the customer data they have. As of May 25th, 2018, customers can demand that banks share their data with a TPP or delete it under GDPR – either way, unless the bank knows where all the relevant customer data is held, it will not be able to meet these requests and will end up falling foul of the regulations.

    The first step in gaining this level of control is to break down all the internal data silos so that a comprehensive profile can be built for every customer. This will guarantee that no data is missed or overlooked. Once these silos are broken down, banks will review all internal data-handling processes to see if they are still fit for purpose. Chances are that in many cases they won’t be and banks will have to strategically consider how to best redesign them to ensure that the requirements of both regulations are met.

    The Customer Perspective

    The Veritas GDPR Consumer Research, 2018 brings some interesting facts to light. According to this survey, 71% of customers state that they will exercise their right to be forgotten under the new GDPR regulations, which means they will ask their banks to delete their personal data. 56% of customers surveyed want to clearly understand how companies utilize their data. 79% believe that organizations will not be able to find and/or delete all of the personal data that they hold on them. These figures apply to all other industry sectors as well. But given the finding that 56% (the highest among all industry segments) feel the sector hardest hit by the regulation will be Financial Services, the concern applies most to banks and financial institutions.

    The above findings indicate that there is a lot of ground to cover to strike the right balance. There are some intrinsic cushions for banks within both regulations. For example, PSD2 has Strong Customer Authentication (SCA), Secure Communication (SC) and Regulatory Technical Standard (RTS) aspects to take care of checks, and it does not allow “sensitive payment data” to be shared. Similarly, GDPR defines “personal data” while taking an appropriate stand on security measures and keeping banks’ interests intact.

    Into the future

    Alone, either GDPR or Open Banking will present a huge challenge for the banking industry. Taken together, the effect is seismic, pulling major global institutions in a dozen different ways at once, especially given that input and clarification are urgently needed from regulators on a host of issues. However, it’s important for the industry not to be reactive and wait for these clarifications.

    Open Banking and GDPR represent a fantastic opportunity for banks to reshape the way they interact with customers, provided they can get full control and visibility of the data they hold. Many banks – particularly the more established ones – have a huge number of legacy infrastructure problems that have resulted in data being stored in different places. If GDPR and Open Banking provide the final push to address that problem, then everyone, from banks to consumers, will benefit.
