Blog article
See all stories »

The three Cs of PSD2 success - compliance, collaboration and consent

The measures in the PSD2 (and in the UK, the CMA banking remedies) to open up consumer banking data to third parties will undoubtedly lead to new innovations and consumer benefits, but I see three challenges:

1) a potential gap between expectations on using open banking consumer data, and the reality of what is actually allowed

2) public understanding of data privacy/protection lagging reality

3) fragmentation in the ways banks publish PSD2 APIs.

FinTechs are excited at the prospect of aggregating and mining consumer bank data and banks are eyeing how they can use data of their competitors’ customers to market their own products to them. However, the PSD2 is prescriptive on how account data can be used – only with the consent of the consumer, only for use by the third party given consent and only for the specific purpose consented to the third party.  The EU General Data Protection Regulations (GDPR) come into effect in May 2018, and further limits the use of consumer data – new rules include consent for data usage, rights to portability, erasure and to be forgotten and new accountabilities for third party data processors, with wider data protection definitions and tighter principles and fines of up to 4% of worldwide turnover for breaches. Open banking data may not be as freely usable as some expect, and its use comes with accountability and responsibility.

Data privacy and protection in the digital age, and the implications of breaches, have not yet reached the level of public understanding it should do, with many people unaware of how the data they generate is being collected and used*. Technologists tend to believe that to benefit from the digital age, you have to accept living with reduced data privacy. However, this is a convenient assumption, not a given. As Andreas Antonopoulos observes, if a company uses your private data, given up by you to get access to its products, you become the product. Consumer understanding of data generation, consumption, privacy and security will eventually catch up with reality, and the new regulations will help this process by requiring explicit consent - but how consumers will respond will not be known for some time. New business models that assume blanket consent and unrestricted use of consumer data may not be viable.

The draft EBA RTS leave it to PSPs to define their interfaces (APIs) to access accounts. PSPs recognise that it makes sense to collaborate to define common standards, and to build common processes and even infrastructure, for example on identity checking and on checking the validity of authorised AISPs and PISPs. This collaboration has started, but it is happening at country level, which risks a fragmented approach to open APIs across Europe. This will impact merchants and other organisations planning to use open banking APIs, leading to complexity and inconsistency.

Together, these challenges present the industry with uncertainty – on how to ensure data exposed to third parties is used properly and legally, on how third parties plan to use the data (what services will they provide?) and in what volume, on how consumers will consent to use of their data, and on how to keep aligned with other PSPs on standards and processes.

To be compliant and relevant, PSPs (bank and non-bank) and FinTechs have to address these challenges. Core to doing this successfully is to launch open APIs as minimum viable products and to develop them as the market grows - keeping compliant with regulation, collaborating on standards and, very importantly, keeping on the pulse of consumer behaviours and expectations in managing consent.

In summary, to be successful in Open Banking and PSD2, the three Cs of compliance, collaboration and consent need to be implemented effectively. For Open Banking, there is a fourth C – commercialisation, but that can be the subject of another blog.

* as an example, if you have an iPhone, go to settings/privacy/location services/system services/frequent locations to see how your phone is tracking your location history (assuming you have not already turned it off).


Comments: (1)

Steven Hatton
Steven Hatton - Trusek Ltd - Amersham 24 January, 2017, 11:11Be the first to give this comment the thumbs up 0 likes

Well Done!!

In all the information I have read over the past year you are the first to raise the issue of customer consent which seems to be being taken for granted.

This is another advantage the Banks will have initially over Fintech's in that I am sure the majority of customers will give permissions more freely to their existing bank than a new Fintech.

Only a short window of opportunity though?

Now hiring