From May 2018, organizations that provide payment services in the European Union will be subject to both PSD2 and GDPR. Is your organization ready with the right approach to complying with these two regulations?
PSD2 and GDPR—an introduction
Payment Services Directive 2 (PSD2) is a fundamental piece of payments-related legislation in Europe. It entered into force on 12 January 2016, and all European Union (EU) member states were required to transpose the directive into national law by 13 January 2018.
Briefly, PSD2 aims to create an integrated and efficient European payments market, promote competition through a common regulatory framework and improve consumer protection. It requires payment service providers (PSPs) such as credit institutions, banks and post offices to make significant changes to their existing operations, paving the way for new fintechs to offer services in one or both of the following two modes:
- Account Information Service Provider (AISP)
- Payment Initiation Service Provider (PISP).
PSPs that hold a customer's payment account are obliged to give these "third-party providers" (TPPs) access to the customer's account data, or to let them initiate a payment from the account, whenever the customer requests it and has given consent.
The EU's General Data Protection Regulation (GDPR), which replaces the earlier Data Protection Directive (95/46/EC) from 25 May 2018, is expected to harmonize data protection rules across the EU, protecting individuals in the EU with regard to the processing and free movement of their personal data.
A common objective
On the surface, PSD2 and GDPR seem to pull in opposite directions. The focus of GDPR is data protection, while PSD2 requires customer data to be shared with third parties. However, both pieces of legislation aim at empowering the customer: GDPR grants significant rights to data subjects and imposes obligations on data controllers and data processors, while PSD2 gives customers more choice through the services offered by the new AISPs and PISPs.
Recognizing the need to adapt to innovations brought about by technology, PSD2 emphasizes data protection by requiring that personal data be processed in accordance with Directive 95/46/EC, the precursor to GDPR. It specifies that PSPs shall only access, process and retain the personal data necessary for the provision of their payment services, and only with the explicit consent of the payment service user. It also sets out the following key requirements: a precise purpose, a legal basis, relevant security requirements, and the principles of necessity, purpose limitation, proportionate data retention, data protection by design and data protection by default.
There is also significant overlap in territorial scope. GDPR applies to the personal data of individuals in the EU, whether it is captured, processed, stored or transmitted by an entity established in the EU or by one outside the EU that offers them goods or services or monitors their behaviour, while PSD2 applies to payment service providers operating in the EU.
Riding the wave of customer confidence
With the advent of PSD2 and GDPR, banks and financial institutions face two clear choices: hand customer data over to TPPs and cede precious customer mindshare, or seize the opportunity to reinvent themselves so that they remain relevant in this changing landscape. Any organization with a strategic outlook should consider the latter option.
Either way, PSD2 can only be implemented successfully within the context of GDPR. The data protection requirements of GDPR provide an overarching framework for PSD2, and organizations would do well to combine their efforts on the two regulations with the twin goals of compliance and business growth. An integrated approach means that data protection is not sacrificed while pursuing the opportunities that PSD2 brings.
Organizations that adopt such an approach will ride the wave of customer confidence.
Learn how Capgemini’s GDPR services can unlock customer loyalty.
The role of PSD2 is also highlighted in Capgemini's Payment Trends Report 2018.
Geetha Jayaraman helps organizations leverage their use of technology by managing risks to achieve organizational objectives. She uses her experience to facilitate digital transformation of organizations through the adoption of the right technology solutions. As an expert in cyber security, she has guided many organizations in balancing risk with the adoption of technologies. Prior to her current role in Information Risk Assurance at Capgemini, she worked with several large technology service providers to bridge business objectives with ICT solutions.