This article was written by Sebastião Barros Vale from Vieira de Almeida & Associados, Sociedade de Advogados, SP, RL.
The revision of the European legal framework for payment services brought about by the Second Payment Services Directive (PSD2) aims to respond to the challenges posed by the thriving innovation in the industry. Its purpose is to allow Fintech companies and incumbent players (i.e. banks) to keep creating novel business models, while enhancing consumer protection and the safety of electronic payments.
When providing payment services to natural persons, those players, in particular third-party providers (TPPs) accessing banks’ client databases, will have access to their customers’ transaction data which, in some cases, may reveal sensitive aspects of their personal lives (notably, through the analysis of customers’ spending habits). In this respect, customers’ consent could play a central part, as consent is mentioned in all three regimes: in PSD2 as a pre-condition for providing payment services, in the GDPR as one of the legal grounds allowing for the processing of personal data, and in national banking regulations as one of the derogations from the secrecy obligation applicable to banks and other financial institutions.
However, this article will show that the concept of “consent” under PSD2, the GDPR and the Portuguese regulations on banking secrecy does not match across the three regimes, thus creating legal uncertainty for payment service providers concerning compliance with all of them.
The regulatory landscape
- Consent under PSD2
Under PSD2, customer consent is cited as a necessary condition for the initiation of a payment order or the execution of a payment transaction. Consent to the initiation of a payment order may be given to the payment service provider by the customer (the “payment service user”) after the execution of the payment transaction, if so agreed between the user and the provider (for instance, in the context of a framework contract).
Two features distinguish consent under PSD2 from consent under the GDPR. First, PSD2 consent may be given in any form and through any procedure agreed between the client and the provider. Second, the client’s consent to the initiation of a payment order or the execution of a payment transaction may only be revoked under certain conditions and within a specific timeframe, whereas under the GDPR so-called data subjects are entitled to withdraw their consent at any time.
Furthermore, upon obtaining consent from payment service users, TPPs may request and obtain from banks (included in the PSD2 definition of “account servicing payment service providers”) access to their customers’ payment accounts “on an objective, non-discriminatory and proportionate basis. Such access shall be sufficiently extensive as to allow [TPPs] to provide payment services in an unhindered and efficient manner.” The extent of said access shall be limited to what is strictly necessary to provide the payment service requested by the payment service user.
Upon receiving an access request from a TPP that has obtained customer consent, banks may only refuse said access for duly justified reasons, which must be communicated to the competent supervisory authority. PSD2 specifies that those “duly justified and duly evidenced reasons” must relate “to unauthorized or fraudulent access to the payment account by that [TPP], including the unauthorized or fraudulent initiation of a payment transaction”.
It is relevant that PSD2 does not mention any need for banks to obtain their clients’ consent before granting TPPs access to their payment accounts through the banks’ APIs. It therefore appears to be sufficient that duly authorized TPPs obtain customers’ consent for banks to be bound to grant said access. Consequently, banks are not, in principle, entitled to ask TPPs for assurances that their clients have consented to the requested access.
Finally, PSD2 states that “payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user”. Meanwhile, the European Data Protection Board (EDPB) has clarified that the “explicit consent” referred to in PSD2 is a contractual consent, as payment services are always provided on a contractual basis between the payment service user and the payment service provider. Therefore, as set out below, the concept of payment service user “consent” for the purposes of PSD2 should not be confused with the concept of data subject “consent” under the GDPR.
- Consent and other legal grounds for processing data under the GDPR
As data controllers for the purposes of the GDPR, both banks and TPPs, when providing payment services to natural persons, must ensure that their processing of personal data is conducted lawfully, fairly and in a transparent manner in relation to the data subject. It is in the GDPR’s requirement that processing be “lawful” that the data subject’s consent may play a decisive role.
Under the GDPR, “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The Regulation establishes further requirements regarding data subjects’ consent, which aim to ensure its validity, such as: (i) consent must be obtained by data controllers separately from other matters (if it is obtained in the context of a complex written declaration); (ii) it must be revocable by the data subject at any time (unlike, for instance, consent to initiate a payment order under PSD2), as easily as it is given; and (iii) the data controller may not make consent a contractual condition for processing personal data which is not necessary for the performance of said contract.
Competent data protection authorities have published extensive guidance on the above‑mentioned consent requirements. For instance, for consent to be considered as being “freely given”, consent must be granular (in the sense that separate consents are required for different data processing purposes) and it must be possible to refuse or withdraw consent without detriment to the data subject.
However, consent is only one of the six eligible legal bases which data controllers may rely upon for lawfully processing personal data under the GDPR. For companies regulated under PSD2 this means, in practice, that they will not be required to rely upon the consent of data subjects (which include customers, silent third parties and beneficial owners) in a variety of situations, such as when personal data processing is strictly necessary to perform the payment service framework contract, when it is required to comply with customer due diligence or reporting obligations under Anti-Money Laundering Regulations, or even in certain cases where they wish to send direct marketing messages to their clients (as long as the ePrivacy Directive’s requirements on direct marketing are respected).
There will be, of course, cases in which payment service providers will not be able to avoid relying on data subjects’ consent, such as when they intend to take automated decisions regarding their clients based on their transaction data (e.g. the value of the transactions or the types of products purchased), or when they apply strong customer authentication on their client interface and use their clients’ inherence elements (i.e., biometric data) for that purpose.
In conclusion, payment service providers are not required to collect GDPR-aligned consent for every envisaged data processing operation in the payment service provision lifecycle. However, banks and TPPs alike (at least in Portugal) are bound by banking secrecy obligations which, among other scenarios, may only be waived upon their customer’s authorization. But should banks rely on said “authorization” when granting TPPs access to their clients’ payment accounts?
- Consent (“authorization”) under Portuguese banking secrecy laws
The Portuguese banking regulations establish that credit institutions, their management, staff, legal representatives, agents and other persons providing services to them shall not reveal or use information on facts or data regarding the activity of the institution or its relationship with customers which come to their knowledge solely as a result of the performance of their duties or the provision of their services. Said facts or data include, notably, “the names of customers, deposit accounts and transactions in those accounts, as well as other bank operations.”
The Portuguese PSD2 implementing act extends said banking secrecy duties to payment service providers regulated under PSD2 (notably, TPPs which are not banks).
There are exceptions to said duties. In the PSD2 context, notably where banks are requested to grant TPPs access to their clients’ payment accounts, one of two exceptions could potentially apply: (i) obtaining the clients’ authorization to reveal their transaction data to third parties, or (ii) arguing that PSD2 contains norms that expressly limit banks’ secrecy obligations.
One could argue that banks should not, in said context and as a rule, rely on their clients’ authorization to ensure they do not breach their secrecy obligations. Under PSD2 and its Regulatory Technical Standards (RTS), the EU legislator’s intent appears to have been to prevent banks from placing obstacles in the way of the provision of payment services by TPPs, which includes “requiring additional authorizations” or “additional checks on [the] consent” given by customers to said TPPs. This was confirmed by the European Banking Authority (EBA) in its June 2018 Opinion on the implementation of the RTS and in its late 2018 Single Rulebook Q&A on PSD2 consent for the provision of account information and payment initiation services. Therein, the EBA took the view that banks could not “ex-ante ask their [payment service users] whether they want TPPs to access their accounts or not”.
So, should banks and Fintechs rely on “consent”, after all?
Both traditional banks and TPPs, as payment service providers under PSD2, will need to expressly state in their payment services’ T&C which data (including banking data) are strictly necessary for them to provide their services. When accepting said T&C, customers will be expressing their PSD2 contractual consent, which differs from the concept of “consent” under the GDPR.
However, payment service providers will have to resort to a GDPR-aligned consent request for other data processing purposes, such as when profiling customers based on their purchasing history or using customers’ fingerprints for the purposes of strong customer authentication to their interfaces.
Additionally, as traditional banks are not allowed to place obstacles in the way of TPPs’ access to their clients’ payment accounts, which includes requiring from TPPs proof that their clients have consented to said access, the applicable GDPR legal basis for banks when granting access to TPPs could be Article 6(1)(c) of the GDPR: banks are, indeed, required to facilitate said access, unless they present duly justified and evidenced reasons.
Nonetheless, banks are likely to remain concerned about breaching their GDPR and PSD2 security obligations and banking secrecy duties when granting access to TPPs. Beyond ensuring that TPPs abide by their secure open standards of communication, however, it will be difficult for banks to impose on TPPs additional requirements for granting them access to their clients’ payment accounts, especially because PSD2 states that banks cannot impose contractual obligations on them.
Thus, banks should be getting ready (as the RTS fully enter into force in September 2019) to: (i) explain to their clients that they are obliged to grant TPPs access to clients’ payment accounts upon TPPs’ request, while warning clients about the risks of consenting “lightly” to such access; (ii) implement appropriate authentication procedures for TPPs accessing their APIs, notably by ensuring TPPs rely on eIDAS Regulation electronic seals or website authentication certificates; and (iii) trust that competent authorities will only authorize or passport TPPs who comply with all PSD2 authorization requirements.
TPPs will need to obtain “consent” (in the meaning of PSD2) from their clients to access their payment accounts in order to provide their services, which does not mean that the appropriate legal basis under the GDPR for TPPs to process personal data in said context is “data subject consent”. However, when TPPs’ processing of clients’ personal data goes beyond what is strictly necessary to provide their services (notably, when they sell their clients’ transaction data to third parties), TPPs will likely need to rely on a GDPR-aligned data subject consent.
Banks are, in turn, under a legal obligation to grant TPPs access to their clients’ data, which could also amount to the applicable legal basis under the GDPR for passing on client personal data to said TPPs. What is more, banks may not (in principle) create obstacles to said access, including by requiring additional checks on the consent given by their clients to the TPPs.