PaymentsJournal

The Future of the Payments Industry in a Post-GDPR and PSD2 World

by Ed Price
July 13, 2018
in Featured Content, Industry Opinions

In the aftermath of the Equifax breach and the Facebook privacy scandal, banks and financial technology companies are rethinking their approach to data security. As consumers increasingly question how enterprises handle their personal information, banks find themselves having to comply with two pieces of European legislation, one a regulation and one a directive, or risk a hefty fine.

While most organizations are aware of the General Data Protection Regulation (GDPR), financial institutions also have to concern themselves with the revised Payment Services Directive (PSD2). Designed to improve competition and innovation in the EU market for payment services, PSD2 requires third-party providers to obtain the customer's explicit consent before accessing their payment account data. Although PSD2 shares several commonalities with GDPR, the two differ just enough that financial institutions need to check that they remain compliant with both.

PSD2 vs. GDPR — Are they really that different?

First proposed by the European Commission in 2013 and adopted in 2015, the revised Payment Services Directive (PSD2) was designed to enhance consumer protection and to promote innovation in the payment services industry. Unlike a regulation, a directive must be transposed into each member state's national law, and PSD2 applies only to payment services; it regulates new forms of payment by requiring banks to open their account interfaces (APIs) to licensed third parties. EU member states had until January 13, 2018 to transpose PSD2, whose key changes include:

  • Requiring banks to grant licensed third-party payment service providers access to customers’ payment accounts, with the customer’s explicit consent
  • Leveling the playing field for all payment service providers by encouraging competition
  • Strengthening consumer protections by increasing transparency, efficiency and security of retail payments

The GDPR, by contrast, is a regulation: it applies directly and in its entirety in every EU member state, without national transposition. In force since May 25, 2018, it governs the processing of personal data of individuals in the EU, and banks must comply or face fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher. The GDPR requires a lawful basis for every processing activity (consent is one such basis), gives individuals the right to erasure (the ‘right to be forgotten’), and requires that a personal data breach be reported to the supervisory authority within 72 hours of the organization becoming aware of it, and to the affected individuals without undue delay where the breach is likely to result in a high risk to them.

Another area where PSD2 and GDPR differ is how each treats ‘personal data.’ PSD2 does not define the term itself; it speaks of ‘sensitive payment data’ and defers to EU data protection law, so the detail is left to national transposition. GDPR, however, defines personal data and the special categories of sensitive data precisely, and does not refer to the payment directive at all. For the payments industry specifically, the author expects the arrival of both GDPR and PSD2 to slow the rate of innovation in the near term as banks and financial organizations focus on compliance and on strengthening user security.

How financial institutions can navigate the complex regulatory landscape

As regulations tighten around data privacy, banks and other financial enterprises must approach PSD2 preparation with GDPR regulations top of mind.

One way banks can remain compliant is to implement privacy by design. In other words, financial organizations build privacy into the design and operation of a given system or process from the start rather than bolting it on afterwards. Banks can define rules, policies and response playbooks for data breaches, develop a culture built around security, and improve the onboarding process for third-party providers (TPPs). Rethinking onboarding is especially important as open banking and real-time payment processing become more widespread.

Other best practices, such as appointing a data protection officer (DPO) and reviewing consent management processes, will help those in the payments space uphold a high standard of data protection. In the interest of transparency, banks should also prepare clear, easy-to-understand privacy notices before customers start requesting access to their data. With customer consent the focal point of both GDPR and PSD2, banks and TPPs will want robust authentication programs to prevent identity fraud; PSD2’s strong customer authentication (SCA) requirements point in the same direction.

When in doubt, financial institutions should default to the principle of least privilege (PoLP): grant only the access a task strictly requires, for no longer than it requires it, and, where GDPR and PSD2 overlap, apply the stricter of the two requirements. If GDPR clearly defines ‘personal data’ but PSD2 does not, for example, then banks must adhere to the GDPR definition. Until the EU provides further guidance on how to reconcile the differences between GDPR and PSD2, financial institutions must be ready to meet the requirements of both.
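To make the consent and least-privilege points above concrete, here is an added example (not code from the article, nor from any bank or TPP): a TPP may read a customer's payment-account data only under an explicit, scoped, time-limited consent, and every request the consent does not cover is denied. The scope names, the fields each scope exposes, the identifiers and the sample account record are all constructed for illustration; they are not PSD2 or Open Banking API definitions.

```python
"""Consent-scoped, least-privilege access to payment-account data (illustration)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed scope vocabulary: a scope exposes only the fields it names
# (data minimisation); nothing outside the list is ever returned.
SCOPE_FIELDS = {
    "accounts:balance": frozenset({"iban", "balance", "currency"}),
    "accounts:transactions": frozenset({"iban", "transactions"}),
}


class AccessDenied(Exception):
    """Raised when a request falls outside the customer's consent."""


@dataclass(frozen=True)
class Consent:
    consent_id: str
    customer_id: str
    tpp_id: str
    scopes: frozenset
    granted_at: datetime
    expires_at: datetime


class ConsentStore:
    """In-memory consent register; a real bank would persist and audit it."""

    def __init__(self):
        self._consents = {}
        self._revoked = set()

    def grant(self, consent_id, customer_id, tpp_id, scopes, granted_at, validity):
        unknown = set(scopes) - SCOPE_FIELDS.keys()
        if unknown:
            raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
        consent = Consent(consent_id, customer_id, tpp_id, frozenset(scopes),
                          granted_at, granted_at + validity)
        self._consents[consent_id] = consent
        return consent

    def revoke(self, consent_id):
        # Withdrawal of consent takes effect immediately and is permanent.
        self._revoked.add(consent_id)

    def lookup(self, consent_id):
        return self._consents.get(consent_id), consent_id in self._revoked


def authorize(store, consent_id, tpp_id, customer_id, scope, now):
    """Return the fields the TPP may read, or raise AccessDenied.

    Every branch is a denial path: missing, revoked, expired, wrong TPP,
    wrong customer, or a scope the customer never granted.
    """
    consent, revoked = store.lookup(consent_id)
    if consent is None:
        raise AccessDenied("no such consent")
    if revoked:
        raise AccessDenied("consent revoked by customer")
    if not (consent.granted_at <= now < consent.expires_at):
        raise AccessDenied("consent expired or not yet valid")
    if consent.tpp_id != tpp_id:
        raise AccessDenied("consent was granted to a different TPP")
    if consent.customer_id != customer_id:
        raise AccessDenied("consent does not cover this customer")
    if scope not in consent.scopes:
        raise AccessDenied(f"scope {scope!r} not granted")
    return SCOPE_FIELDS[scope]


def read_account(store, account, consent_id, tpp_id, scope, now):
    """Filter the bank's full account record down to the consented fields."""
    allowed = authorize(store, consent_id, tpp_id, account["customer_id"], scope, now)
    return {k: v for k, v in account.items() if k in allowed}


def demo():
    """Constructed scenario; returns each outcome so it can be checked."""
    t0 = datetime(2018, 7, 13, 9, 0, tzinfo=timezone.utc)
    store = ConsentStore()
    store.grant("c-1", "cust-42", "tpp-budget-app", {"accounts:balance"},
                granted_at=t0, validity=timedelta(days=90))
    account = {  # constructed sample record held by the bank
        "customer_id": "cust-42", "iban": "DE00 0000 0000 0000 0000 00",
        "balance": "1250.00", "currency": "EUR", "owner_name": "A. Example",
        "transactions": [{"amount": "-12.50", "desc": "coffee"}],
    }
    results = {"balance": read_account(store, account, "c-1", "tpp-budget-app",
                                       "accounts:balance", t0 + timedelta(days=1))}
    attempts = {
        "ungranted_scope": ("c-1", "tpp-budget-app", "accounts:transactions", t0),
        "other_tpp": ("c-1", "tpp-other", "accounts:balance", t0),
        "expired": ("c-1", "tpp-budget-app", "accounts:balance", t0 + timedelta(days=90)),
    }
    store_after_revoke = ("c-1", "tpp-budget-app", "accounts:balance", t0)
    for name, args in attempts.items():
        try:
            read_account(store, account, *args)
            results[name] = "allowed"
        except AccessDenied as exc:
            results[name] = str(exc)
    store.revoke("c-1")
    try:
        read_account(store, account, *store_after_revoke)
        results["revoked"] = "allowed"
    except AccessDenied as exc:
        results["revoked"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The ordering of the checks matters in practice: identity of the TPP and the customer is verified before the scope, so a misconfigured client learns nothing about which scopes another party holds, and the response never contains fields (here `owner_name` and `customer_id`) that the granted scope does not list, even though the bank holds them.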

For banks and financial organizations, the time to respond to GDPR and PSD2 expectations is now. As data privacy laws tighten and consumers grow increasingly aware of who is handling their personal information, banks will find it worth their while to revisit the way they manage data and prioritize building a culture of security.

Tags: GDPR, PSD2