The financial industry across Europe is currently undergoing significant changes. We’ll soon be witnessing the outcome of two major events that have the potential to make or break the paradigm shift in banking and data protection.
PSD2 and GDPR are the most awaited initiatives of the last couple of years. Driven by the European Commission, both regulations are setting the stage for innovation and convenience in banking and more security for personal data.
The PSD2 directive encourages competition between payment providers and asks the banks to make their APIs public to allow third-party providers (TPPs) to directly access their clients’ account details. For those with more than one account, Account Information Service Providers (AISPs) will give customers the possibility to bring their banking data together in one account aggregator. In terms of security, PSD2 requires stricter controls for identity checks when making online payments or for larger payments.
Last October, the banks, TPPs and even Fintech start-ups were still trying to fully grasp the requirements of the directive; on January 13th, 2018, which is only a few days from now, these players will actually have to prove they are able to comply.
In addition, throughout the year the industry will welcome new players into the market and will also see banks losing their “monopoly” over customer accounts. Most of the existing banks will develop and consolidate, or have already started to develop and consolidate, their position in the new era of banking services, but there will also be those that can’t handle the competition or are not able to adapt easily. At this point, the only certainty is that the dynamics will definitely become more intense.
In their quest for compliance, most players did not manage to fully think through all the consequences and actual aspects that need to be addressed once PSD2 enters into application, so I believe that the first half of the year will continue to be a struggle for all parties involved.
However, I expect to see the consumers as the only ones that will not be affected by all this stress (or at least, that should be the case) as they will still be in control of their data and will benefit from more options when it comes to financial services and solutions.
Another much anticipated regulation that enters into application in 2018 is the GDPR. In a nutshell, the General Data Protection Regulation aims to protect the personal data of European consumers. Every organization that controls and processes personal data is required to abide by the GDPR. Consumers are now entitled to ask companies why they collect their personal data, how they do it, who has access to that data and how it is stored.
The GDPR deadline is still 5 months away, yet organizations that have not already designed and/or started to implement their GDPR compliance strategy will have a tough time trying to have everything ready on time, especially since actually putting systems and processes in place is quite challenging too.
Furthermore, the GDPR is open to interpretation, which adds more stress to security teams. On the one hand, companies can be more flexible in adopting a strategy that ensures “reasonable” levels of protection for personal data. On the other hand, because “reasonable” is not the same for everyone, in case of a data breach or a security control, companies can get heavier fines depending on the GDPR designated authority’s interpretation of “reasonable”.
The GDPR is the most important change in data privacy regulation in the last 20 years and, along with the PSD2 requirements, will impact thousands of organizations worldwide. PSD2 and GDPR have more in common than their close deadlines: both initiatives encourage innovation and cooperation, and both put consumers at the center by allowing them to manage their data and by making sure their data is kept secure.
Gary Southwell, VP and general manager, products division, at CSPI, looks ahead to Europe’s roll-out of the General Data Protection Regulation in May 2018, and its expected impact on data handling. Courtesy of CSO
What are your thoughts or concerns on PSD2 and GDPR in 2018?