Open banking is here, which means you can give third parties access to the data your bank holds about you. GDPR becomes enforceable in May of this year, and that regulation protects customer privacy. But is there a clash between the two regulations?
On the face of it, the two regulations are complementary. The Payment Services Directive, known as PSD2, but popularly referred to as open banking, means that the larger banks are legally obliged to make certain data available to third-party providers (TPPs). But, and this is the key point, only with the customer’s permission.
The idea behind PSD2 is to provide customers with better products by encouraging greater competition in the provision of financial services. PSD2 will work to the benefit of many Fintechs, such as Monzo Bank, which provide services which help you manage your money.
The problems with PSD2 seem to be in two main areas. Firstly, by forcing banks to make this data available, do we see an increase in the risk of that data being stolen or open to fraud? So, this is a cybercrime issue. Secondly, might unscrupulous companies use the data to sell inappropriate products to vulnerable people?
The General Data Protection Regulation (GDPR), coming into force on May 25th, concerns customer privacy. It means data cannot be collected pertaining to a customer without their explicit and voluntary permission – with certain exceptions.
At heart, both regulations are about customers having more control over their data – about the data being used to support the interests of the customer.
But the combination of GDPR and PSD2 does carry risks.
For one thing, there is the risk of cybercrime – and for the third parties, the TPPs, there is a massive onus on what they do with the data they collect on your behalf and how well it is protected. And if a TPP does fall foul of GDPR, might a bank that supplied it with data be found culpable because it had carried out insufficient due diligence into the third party?
There is also the issue of customer education. Customers may give permission for their data to be used, but are they fully aware of what this means?
In a report published last year, Deloitte looked into the potential conflict between the two regulations. It highlights an ambiguity over how GDPR defines sensitive data, in which each EU country is given latitude “for the processing of special categories of personal data (‘sensitive data’)”. Deloitte stated:
“This lack of clarity on what constitutes sensitive payment data creates challenges for interpretation and implementation and increases the risk of non-compliance. Without further guidance banks may need to take a very risk-averse approach and redact all data that could possibly fall into the sensitive data category in order to avoid breaching rules around data protection, both under PSD2 and GDPR. This in itself could pose challenges, as redacting such contextual data through “fuzzy logic” techniques tends to be complex, costly and less than 100 per cent reliable.”
Meanwhile, McKinsey focused on a subtle implication of PSD2 that relates to GDPR. There are of course two sides to any transaction. Sometimes one party might be a large company and the other an individual; on other occasions, it might be that both parties are individuals, and while one party might give permission for their data to be used, the other party is afforded privacy under GDPR. McKinsey stated:
“There exists a silent counter party to every financial transaction conducted by that holder; does a right to privacy exist for the corresponding payor/payee? If so, the consent process becomes infinitely more complex – particularly when parties to the transaction bank with different institutions and there is no central repository of permissions granted.”