The EU’s revised Payment Services Directive (PSD2) and the EU’s General Data Protection Regulation (GDPR) will both come into force in 2018. Seemingly unconnected, these two regulatory initiatives share a common goal: putting customers in control of their own personal data and keeping that personal data safe.
PSD2 is an update to the original Payment Services Directive, which was adopted in 2007. The original Directive was implemented to make cross-border payments as easy, efficient and secure as national payments within the EU Member States. The major changes of PSD2 are:
- The extension of scope beyond Europe
- The definition of a “Payment Institution”
- The prohibition of card surcharges, and
- The security of online payments and account access
In addition to various modifications, two new payment services will be introduced:
- Payment Initiation Services (PISP): a payment service provided by new providers that stand between the payer and their online payment account, initiating a payment to a third-party beneficiary.
- Account Information Services (AISP): information services made available to payment service users with online access to their accounts, through which the payer can get a consolidated view of all their payment accounts, even if those are held with multiple PSPs. It is important to note that the AISP cannot use customer data or log on to the payer’s payment accounts for any purpose other than those provided by the service.
In this context, it has to be noted that PSD2 contains its own set of rules on access to customer personal data by payment service providers such as PISPs and AISPs (Arts. 64 et seq.). These articles supplement rather than replace data protection law. They reinforce the requirements of explicit consent, of not asking for personal data beyond what is necessary to provide the service, and of not using or storing personal data for other purposes. These rules are not completely consistent with the data protection rules of the GDPR, which could lead to confusion. For example, service providers are required not to store “sensitive payment data”. This is an entirely different category from the information classed as “sensitive personal data” in the GDPR, which includes information about racial or ethnic origin, political opinions, genetic data, etc. Therefore, although PISPs and AISPs will need to follow the PSD2 rules, they must also make sure that they comply with the wider data protection rules under the GDPR.
Finding the Right Balance – More Questions than Answers?
The EU’s policy objective of freeing up consumer access to new technologies is in tension with the EU’s tough stance on data protection and privacy. Payment services under PSD2 will be introduced both before and after the May 2018 deadline for the GDPR. Either way, the main question for financial institutions is how to find the right balance between providing consumer account data to permit access to new applications and protecting personal data as required by the GDPR.
Subject to appropriate customer consent, and after the implementation of the GDPR, so-called account servicing payment service providers (such as banks) will be required under PSD2 to give authorised and registered PISPs and AISPs appropriate access to customer account information.
Notably, under PSD2 such payment service providers shall only access, process and retain the personal data necessary for the provision of their payment services, and only with the explicit consent of the payment service user. However, under the GDPR the data subject has increased rights where processing is based on consent. The question therefore arises whether implementing strong customer authentication and secure communications is enough to satisfy the requirements for data protection by design and by default. Will a data protection impact assessment be required before implementing the third-party payment models?
Further, both PSD2 and the GDPR require incident reporting. It would make sense to define one process that takes account of all of the possible notification requirements towards the data subject, the data protection supervisory authorities and the national competent authorities for payment services. How can all of these requirements be fulfilled in the right manner?
Overall, the implementation of PSD2 and the GDPR will be challenging for all market players. In particular, the impact assessment and gap analysis of the two regulatory initiatives will be challenging, as will the related revisions to existing processes (or the introduction of new ones), the implementation of more robust systems and controls, and the changes to customer terms and conditions. Revisions to arrangements and agreements with third parties, such as customers, intermediaries, processors and program managers, will also be challenging.