2018 is set to be a very interesting year – particularly if your role has anything to do with payments or data. The go-live date for PSD2 is Saturday 13th January, with GDPR following a short five months later, on Friday 25th May. Both of these high-profile initiatives are being driven by the European Commission, and the combined implications in terms of what needs to be done to comply with these directives are pretty hefty. The impacts felt by both the industry and the consumer are set to be far-reaching.
The PSD2 directive is focussed on increasing competition between payment providers. What this means is that the banks will have to open up their APIs so that third-party providers (TPPs) can directly access their clients’ account data. For consumers who hold more than one bank account, the changes would also enable new businesses to display all their account information in one place for them. PSD2 will also enforce stricter controls around identity checking when making online payments and for higher-value transactions.
The purpose of the GDPR directive is to strengthen and unify data protection for all individuals. This means that the individual will be back in control of their personal data. It will also provide a number of rights including access to their data and the ability to withdraw it on demand. It also means that organisations will no longer be able to simply gather data without valid cause, and must prove that they are doing all they can to protect the data they do hold.
Whilst at first glance it may seem that these two directives have different end games, the crossover should be considered.
Well – I’ve said it before and I’ll say it again – ‘Customer is King’.
While PSD2 and GDPR appear to be unconnected, they do in fact share two common aims – putting customers back in control of their own data and keeping that data safe. GDPR and PSD2 are built on the principles that individuals own their personal data and should therefore be able to choose how it is used, and with whom it is shared.
So, if PSD2 is forcing the idea that third-party providers can access client-owned data directly, GDPR is ensuring that data remains the sole property of the individual. So, provided appropriate controls and consent are in place, PSD2 and GDPR are in fact going to meet rather often.
I can’t help but feel at the moment that PSD2 and GDPR are still being approached in a siloed manner, probably being driven by different departments. The EC are clearly on the road towards an open banking environment and the close proximity of these two directives surely highlights this.
Banks need to change, vision needs to be realigned and attitudes need to be opened up.
2018 is a year for change and should be tackled by laying a solid foundation to build and innovate upon.