Are you aligned when it comes to the GDPR and PSD II?
24 March 2017
Over the last few months we have been involved in a number of conversations on the GDPR, and PSD II often crops up. Some have had a light bulb moment and pushed for alignment; others have not made the connection and have carried on in silos.
Managing a growing number of regulatory projects alongside a growing book of digital and simplification initiatives is already a considerable challenge for most financial services organisations. The challenge increases with two regulations, the Payment Services Directive II (PSD II) and the General Data Protection Regulation (GDPR), that appear to be pulling in opposite directions. While the PSD II requires banks to open customer account and transaction data to licensed third parties via open APIs, with the customer's consent, the GDPR imposes rigorous requirements on them to protect customer data, with stringent penalties for those who fail to do so.
In reality, these two regulations are closely related and take effect within six months of each other: the PSD II must be transposed into national law by January 2018 and the GDPR applies directly from May 2018. Financial services organisations will need to plan carefully to implement the two in an integrated manner.
So what makes a successful implementation strategy for the GDPR and PSD II programs?
1) First of all, stop resisting
The process of authoring PSD II technical standards has seen extensive debate and even resistance from some banks. Similarly, the gap between the current and target data infrastructures required to comply with the GDPR has led to some institutions focusing on what is ‘good enough’, rather than what good actually looks like.
While some incumbent institutions continue to resist the openness that the PSD II represents, frequently citing cybersecurity, resilience and customer data privacy as concerns, other institutions are speeding ahead by recognising the opportunity and taking this dual challenge head on.
The institutions that turn this dual threat into opportunities for digital transformation will out-compete the institutions that resist, irrespective of whether some of the provisions of PSD II get diluted, or how aggressive the courts are in interpreting the GDPR.
2) Take a risk-based approach
We acknowledge the concern that a risk-free implementation of either of these regulations is very difficult, if possible at all. The GDPR will be interpreted through regulatory guidance and case law, which will define the minimum standards that organisations must comply with.
Similarly, in the PSD II space there is currently no minimum standard for open APIs and each bank is left to create its own definitions. This will change as regulators recognise the need for third parties to aggregate customer data across their banking relationships without incurring excessive cost or risk. There is considerable debate around the precise form of strong customer authentication, the allocation of liability, the ability of banks to onboard or offboard third parties, and incident reporting.
For GDPR or for PSD II, it is not sufficient to have a vision and a strategy unless there is a clear understanding of the variety of risks at each stage of execution.
3) Become stewards of your customer data
We believe that regulators' appetite for pursuing GDPR violations will initially be relatively low, and we acknowledge that many organisations may find it challenging to achieve effective compliance within the next 18 months.
That said, based on enforcement actions under other regulations such as financial crime rules, we anticipate that systemic or particularly egregious violations will attract steep penalties, particularly when regulators deem that the organisation in question cannot demonstrate adequate steps to mitigate the relevant risks.
The most important protection against this risk is a culture of privacy, i.e. an environment where employees across the organisation see themselves as stewards of customer data and understand what the regulation requires of their particular roles.
4) Get good at data governance
Regulators have recently recognised the need to transform banks' data infrastructure and governance. Aside from the steep potential fines, the GDPR is also industry- and function-independent, and far more specific and rigorous in its definitions and requirements than the data protection rules it replaces.
The GDPR provides banks with an unprecedented opportunity to transform their data governance and infrastructure. Chief Data Officers can now demand that the business and control functions understand in detail how data flows through their processes and systems, how private information is identified, what the entry points for private information are, what controls exist around these processes and how the IT infrastructure automatically ensures that the risks are identified, measured and managed.
5) Remove silos
It is now quite clear that data privacy cannot be handled in silos; it requires a combination of experts from different domains: business strategy, legal, data governance, technology, cybersecurity and alliances.
The key foundations for responding to the requirements set out above are a solid grasp of what data is in scope for the GDPR, where that data is held, who has access to it and why, and what it is being used for. Having that insight at the organisation's fingertips will go a long way toward implementing and managing compliance.
6) Integrate regulatory and innovation initiatives
Most banks have innovation initiatives designed for speed and control functions designed to minimise risk. Going forward, the innovation and transformation teams at banks must be well informed about the privacy rules and work in close partnership with control functions to achieve effective outcomes.
If you want to establish digital ecosystems based on the opportunities created by the PSD II, the solutions must be built to satisfy the GDPR, especially the right to erasure (the 'right to be forgotten') and the right to data portability. Any business model that involves consumer data must take into account the requirements of the new data protection regulation.
7) Automate onboarding and offboarding of partners
When looking for third party partners, understanding your own unique role and value proposition is key to building the right shape of the ecosystem with good governance structure.
Customers must be protected, but any action against third parties that is perceived as anti-competitive may expose a bank to regulatory risk. This is why capturing and monitoring the behaviour of third parties, e.g. via complaint management systems, automated monitoring and machine learning techniques, will be important: a bank needs evidence of actual misconduct before it restricts a third party's access.
8) Monitor your audit trail
Since banks own the customer relationships today, and many third parties may be small entities with limited capital and little reputation at stake, monitoring the audit trail of consent and using it to assess and manage the corresponding operational and legal risk may be essential.
Get ahead of the game
At a superficial level the GDPR and PSD II seem to conflict. The PSD II technical standards are still being defined, and the industry is still waiting to see how courts across Europe will interpret the provisions of the GDPR.
This uncertainty means you should respond with a sense of urgency. A wait and see approach could put you at a serious competitive disadvantage compared to banks that are gearing up to meet this dual challenge head on and transforming their infrastructure, data governance, culture and ways of working for the impending digital era of banking.
The trend towards open APIs creates new threats from competitors in other industries, but it also creates new possibilities for banks to compete and succeed in the digital era. Many banks are following successful Silicon Valley organisations in reshaping themselves as platforms and marketplaces rather than the monolithic, closed companies of the past. The emergence of these open business models acknowledges that success depends on creating an ecosystem of partners, which in turn requires sharing data in a safe and controlled manner.
We recommend an integrated approach to implementing both the GDPR and PSD II; at a minimum, banks must incorporate GDPR considerations upfront into their PSD II programs and other data and digital initiatives.