GDPR and PSD2 – is it a contradiction in terms?

Sathish N

Senior Vice President & Head – Product Management, SunTec Business Solutions

Sathish heads our Product Management team, which launches products across the industry verticals in which we operate today. With over two decades of experience in world-class enterprise software product companies, in roles spanning every department, and having led a number of large, complex transformation programmes globally with Tier 1 customers in different markets, he understands precisely what customers need in an evolving marketplace. As a techno-functional expert, he brings a wealth of experience to driving our product innovation and new initiatives, focused on building products that drive value creation and management at an enterprise level. Prior to joining SunTec, Sathish held leadership positions at Oracle Financial Software Services and Citicorp. He holds a bachelor’s degree in electronics and communication engineering from Bharathiar University.

You can connect with him on Linkedin and Twitter

2018 is a year of unprecedented regulatory change for global banking. The introduction of PSD2 in January was closely followed by the EU General Data Protection Regulation (GDPR) on 25 May. GDPR has far-reaching consequences for the way businesses handle their customers’ data. Any organisation still not treating data protection seriously need look no further than Facebook and Cambridge Analytica to understand the consequences of mistreating user data. Our first article focused on the Second Payment Services Directive (PSD2), open banking, the ecosystem and the crossroads it represents for banks. Let us now dive into GDPR, to show that the two go hand in hand.

Banks and corporate institutions have been investing heavily in APIfication and in the ability to collaborate, which is one of the primary objectives of PSD2 and the open banking regulations. We see APIs falling into three types: public, private and personal. Public APIs are those made available for collaboration with external organisations. Private APIs serve collaboration between internal departments. Personal APIs are tied to individual customers, each carrying an ID linked to that customer. The idea is that every access to a customer’s information can be traced through the personal API ID. The customer can then view that access history for transparency when required, and can monetise the data by giving consent for its use.

While regulators have been patient with banks delaying their implementation of PSD2, they will not be as forgiving if the GDPR deadline is not respected. The fines and other brand-damaging consequences of non-compliance will be immediate. The financial consequences alone extend to fines of up to 4% of annual global turnover or €20 million, whichever is greater. Under GDPR, breach notification becomes mandatory in all member states where a data breach is likely to “result in a risk to the rights and freedoms of individuals”, and must be made within 72 hours of the organisation first becoming aware of the breach. Data processors must also notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

On the other hand, if banks get it right, GDPR could open up a world of new opportunities, such as strengthening customer trust by delivering greater customer satisfaction. Only well-planned, proactive preparation with the right tools will make the difference between success and failure.


However, PSD2/open banking and the ecosystem on one side, and GDPR on the other, seem to be contradictory: one asks for the open sharing of consumer data, the other asks for that data to be secured. Furthermore, what constitutes sensitive data is vague once offerings and services extend beyond the core of the bank into the ecosystem, and it can get complex if not managed well. This creates an interpretation challenge for banks. Knowing which data is extremely sensitive, and how far a customer’s consent extends, becomes crucial. Questions arise such as: for how long has the customer given consent? Which data does it cover? Which party should obtain the customer’s consent when the product is a combination of internal and external partners’ services? Most importantly, when customer information is exposed, dissected and analysed, how does one remain compliant with GDPR’s strict privacy rules?

Being able to dissect data at a granular level, while remaining flexible enough to restrict conditional elements from being shared, is a huge challenge that banks and their IT departments will have to face if they want to comply with both PSD2 and GDPR.

These questions bring forth an even larger one: how can financial services providers thrive in such a complex regulatory environment?

The challenges for Financial Services organizations

If high street banks, respected and trusted by their customers for the last three centuries, fail to meet this crucial deadline with the appropriate preparation, they may face difficult consequences. The most immediate and damaging is the fines to be paid for non-compliance, followed by reputational harm to the bank.

Sharing customer data with third parties, as directed by PSD2, is already a huge challenge for banks. GDPR does not stop at banking either: it affects every industry that processes personal data, such as insurance, retail and automotive. It also applies globally, to every business that offers products and services to clients in the EU, even if that business is not established in the EU. The reach of GDPR is therefore worldwide.

Furthermore, understanding the nuances of cross-border versus local transactions is critical if banks want to comply with GDPR. For example, data moving from an EU member state to a non-EU country between two branches of the same bank, which happens millions of times every day, turns the question of data ownership into a very detailed discussion. This is just one of many administrative elements that can become an operational nightmare if banks cannot produce a granular overview of the data they hold.

Among other provisions, the right to erasure (Article 17 of GDPR) requires enterprises to have a good enough handle on customer data to delete specific information on request. The right to data portability (Article 20 of GDPR) presents its own set of challenges: businesses must be able to move, copy or transfer data easily from one database, storage system or IT environment to another. Nor is regulation static; it is subject to revision and change over time. Compliance is therefore a constant deliverable for compliance teams worldwide, who must adapt quickly.

These two major rights enunciated in GDPR mean companies will need to up their game when it comes to data management. All financial services organisations will need to be able to look into the data of any transaction at any time. As part of regulatory audits, banks will need to retrieve specific customer data rapidly and also understand what that data means in the broader context of the customer’s payment history.

Another element of compliance is that businesses must report data breaches within 72 hours of becoming aware of them. That may mean working on weekends or holidays, and it calls for 24/7 monitoring that alerts the relevant stakeholders whenever a breach is detected. Current IT infrastructure within banks was designed and built in a pre-GDPR age, and pulling data out of legacy, siloed systems is already very difficult.

GDPR provides the impetus for organisations to review their current IT systems. To turn compliance into an opportunity, however, organisations must be capable of delivering customer-centricity and building their own marketplace economy.

To summarise, the key challenge is being more open through APIs at the three levels of public, private and personal, while having the right platform or solution to manage those API services: defining usage conditions, access rights, how data is split and merged, the contracts linked to each business service, transparency on usage through monitoring mechanisms, and the various options for monetising consumption. There are many more complexities, and having a platform or solution that helps the bank adapt to changing business models is key.

Going beyond compliance and towards customer-centricity

To the untrained eye, PSD2, which urges banks to share their customers’ data with third parties and give customers back ownership of their data, looks like a contradiction of GDPR, which urges them to keep that data as controlled and secure as possible.

Banks that treat these regulations as a checklist to be ticked off in order to be compliant are neglecting the wider picture. Seen that way, the two may even look like a great challenge to overcome and a difficult balance to strike.

Banks need to look past implementing compliance tools and crossing items off a to-do list before the GDPR deadline. In fact, GDPR and PSD2 do not contradict each other; they have the same objective. Both regulations push organisations towards customer-centricity so that business can adapt faster to the digital age and the rise of the platform economy. In the post-GDPR era, efficient data management will be key to bundling an offer as close as possible to the customer’s needs.

Banks need a system or platform flexible enough to extract only the specific data that falls within the scope of the customer’s consent, while withholding conditional elements from being shared. This granular level of data management, which requires the platform to break a product down by the parameters that regulation demands, is what truly pushes them towards customer-centricity.

Data management is crucial because handling customer data efficiently and transparently goes a long way towards rebuilding customer trust. The benefits of GDPR can be seized when financial organisations convince not only regulators but also customers that their data is in safe hands. A greater understanding of who the customer is, what the product is and what the price point should be will require better management of tangible and intangible data in order to meet expectations in a post-GDPR world.

Reviewing data management processes to make them more efficient can lead directly to enhanced customer loyalty. That loyalty is earned by crafting better deals for customers from the data a bank holds, data that can support unique revenue models and pricing adapted to each customer’s needs and spending patterns. The value added through efficient data management also generates greater customer satisfaction.

Regarding the data security aspect of GDPR, organisations need to go beyond simply applying a turnkey cyber security solution. Businesses will need to keep internal records of their data protection measures and show regulators and customers alike what has been done to keep data safe. As regulations evolve in their demands, organisations need the support of a nimble technology platform that can provide detailed audit trails of the changes made. An audit log of every access to public, private and personal APIs will need to be kept in order to track any access to customer data.
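The two mechanisms described above, releasing only the data that falls within the customer’s consent and keeping an audit log of every access against the personal API ID, can be shown together in code. The following is an added example and not part of the original article or of any SunTec product; the consent record layout, the hypothetical third party “budget-app”, the customer record fields and the sample values are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample customer record (all values are fictitious).
SAMPLE_RECORD = {
    "name": "A. Example",
    "iban": "XX00 0000 0000 0000 0000 00",
    "date_of_birth": "1970-01-01",
    "balance": 1234.56,
    "transactions": [{"date": "2018-06-01", "amount": -42.00, "merchant": "Grocer"}],
}


@dataclass(frozen=True)
class Consent:
    """What one customer allowed one third party to see, and for how long."""
    customer_id: str            # the customer-linked (personal) API ID
    third_party: str            # the organisation the customer authorised
    fields: FrozenSet[str]      # data elements that may be shared (allow-list)
    granted_at: datetime
    valid_for: timedelta

    def active_at(self, when: datetime) -> bool:
        return self.granted_at <= when < self.granted_at + self.valid_for


@dataclass(frozen=True)
class AuditEntry:
    """One line of the access log the customer can later inspect."""
    when: datetime
    customer_id: str
    third_party: str
    requested: Tuple[str, ...]
    released: Tuple[str, ...]
    outcome: str                # "ok", "no-consent" or "expired"


class ConsentGate:
    """Sits in front of the personal API: filters by consent and logs every call."""

    def __init__(self) -> None:
        self._consents: Dict[Tuple[str, str], Consent] = {}
        self.audit: List[AuditEntry] = []

    def grant(self, consent: Consent) -> None:
        self._consents[(consent.customer_id, consent.third_party)] = consent

    def revoke(self, customer_id: str, third_party: str) -> None:
        # Withdrawal of consent takes effect on the next request.
        self._consents.pop((customer_id, third_party), None)

    def release(self, record: dict, customer_id: str, third_party: str,
                requested: List[str], now: datetime) -> Tuple[str, dict]:
        consent = self._consents.get((customer_id, third_party))
        released: dict = {}
        if consent is None:
            outcome = "no-consent"
        elif not consent.active_at(now):
            outcome = "expired"
        else:
            # Only fields inside the consent scope leave the bank. Anything else
            # in the request is dropped rather than refused, so a partner
            # over-asking cannot learn which fields exist.
            allowed = [f for f in requested if f in consent.fields]
            released = {f: record[f] for f in allowed if f in record}
            outcome = "ok"
        # Every call is logged, including refusals, keyed by the personal API ID.
        self.audit.append(AuditEntry(now, customer_id, third_party,
                                     tuple(requested), tuple(sorted(released)), outcome))
        return outcome, released

    def access_history(self, customer_id: str) -> List[AuditEntry]:
        """Transparency view: everything that ever touched this customer's data."""
        return [e for e in self.audit if e.customer_id == customer_id]


def demo() -> List[str]:
    """Runs the three interesting cases and returns their outcomes."""
    gate = ConsentGate()
    t0 = datetime(2018, 6, 1, tzinfo=timezone.utc)
    gate.grant(Consent("cust-42", "budget-app",
                       frozenset({"balance", "transactions"}), t0, timedelta(days=90)))
    outcomes = []
    # In scope, but the partner also asks for date_of_birth: only balance is released.
    outcomes.append(gate.release(SAMPLE_RECORD, "cust-42", "budget-app",
                                 ["balance", "date_of_birth"], now=t0 + timedelta(days=1))[0])
    # Same partner after the 90 days have elapsed: nothing is released.
    outcomes.append(gate.release(SAMPLE_RECORD, "cust-42", "budget-app",
                                 ["balance"], now=t0 + timedelta(days=91))[0])
    # A party the customer never authorised: refused and still logged.
    outcomes.append(gate.release(SAMPLE_RECORD, "cust-42", "other-app",
                                 ["balance"], now=t0)[0])
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The design point is that the filter is an allow-list derived from the consent record, not a deny-list of known-sensitive fields, so a new field added to the customer record is never shared until a consent explicitly names it; and the audit log records refused and expired requests as well as successful ones, since a regulator or customer asking “who tried to read this data?” needs both.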

The multiplication of RegTech solutions might seem like good news for businesses looking to avoid fines and the immediate consequences of non-compliance. It may, however, do them a disservice by presenting a short-term fix for a long-term, more nuanced challenge. Banks need to manage their rich pools of data in a way that puts customers at the centre.

Being customer-centric ahead of GDPR enables these organisations to reap the benefits the new regulation brings.

  • Reputational benefits: it assures customers that their data is well protected, and transparency in handling customer data increases trust. Avoiding disasters like Equifax, and becoming an example of a company that makes an effort and cares passionately about the duties that come with the custody of data, could bring immense reputational benefits.
  • Financial benefits: insights from customer data will get sharper under GDPR and help banks offer customers relevant deals; a reputation as an efficient, insightful business can bring immediate financial gains.
  • Preparation for an increasingly customer-centric economy: digital transformation is leading businesses towards an increasingly customer-centric economy. GDPR implementation gives banks better control and visibility of the data they hold, which is needed before they can even attempt compliance. Pre-empting the intent of GDPR and being customer-centric ahead of the curve through impeccable data management could give businesses a competitive edge.

GDPR and PSD2 are in fact complementary: both regulations guide high street banks, new banks and financial services organisations alike towards a much-needed acceleration of their digital transformation.

Taking this a step further, the whole API-based economy, together with the data protection banks owe their customers, should be addressed by a single overarching platform. That calls for collaboration, not only between banks and fintechs but also between banks and regulators.