19 July 2018
Stacey Small


Stacey Small - The Glue

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

2018 - The Year of PSD2, GDPR and Innovation

20 August 2017

2018 is set to be a very interesting year - particularly if your role has anything to do with payments or data. The go-live date for PSD2 is Saturday 13th January, with GDPR a short five months later, on Friday 25th May. Both of these high-profile initiatives are being driven by the European Commission, and the combined implications of what needs to be done to comply with these directives are pretty hefty. The impacts felt by both the industry and the consumer are set to be far-reaching.

The PSD2 directive is focussed on increasing competition between payment providers. What this means is that the banks will have to open up their APIs so that third-party providers (TPPs) can directly access their clients' account data. For consumers who hold more than one bank account, the changes would also enable new businesses to display all their account information in one place for them. PSD2 will also enforce stricter controls around identity checking when making online payments and for higher value transactions.

The purpose of the GDPR directive is to strengthen and unify data protection for all individuals. This means that the individual will be back in control of their personal data. It will also provide a number of rights including access to their data and the ability to withdraw it on demand. It also means that organisations will no longer be able to simply gather data without valid cause, and must prove that they are doing all they can to protect the data they do hold.

Whilst at first glance it may seem that these two directives have different end games, the crossover should be considered.

Well - I've said it before and I'll say it again - 'Customer is King'.

While PSD2 and GDPR appear to be unconnected, they do in fact share two common aims - putting customers back in control of their own data and keeping that data safe. GDPR and PSD2 are built on the principles that individuals own their personal data and should therefore be able to choose how it is used, and with whom it is shared.

So, if PSD2 is forcing the idea that third-party providers can access client-owned data directly, GDPR is ensuring that data remains the sole property of the individual. Provided appropriate controls and consent are in place, PSD2 and GDPR are in fact going to meet rather often.

I can't help but feel at the moment that PSD2 and GDPR are still being approached in a siloed manner, probably being driven by different departments. The EC are clearly on the road towards an open banking environment and the close proximity of these two directives surely highlights this.

Banks need to change, vision needs to be realigned and attitudes need to be opened up.

2018 is a year for change and should be tackled by laying a solid foundation to build and innovate upon.



Comments: (2)

Carlos Figueredo - Open Vector Limited - London 21 August, 2017, 14:37

In reading your post the one thing that stands out to me is the point on PSD2 and GDPR being viewed as silos. This is something that we have been trying to explain that they need to be viewed in conjunction with and not exclusive of each other. There is also, in my point of view, vagueness at best around how they both deal with each other in any formal aspect so there is an absolute opportunity by the relevant EU body/ies to provide a bit more guidelines. Open to discuss via this means or privately.

Jonathan Williams - Mk2 Consulting Ltd - Rugby 06 September, 2017, 10:15

One key area of overlap is PSD2 Article 97-1 (c) which covers the need for Strong Customer Authentication in the case of a remote action by a payment service user with a risk of payment fraud or other abuse.

This says that in those cases where a PSU is remotely requesting an action from their PSP which might result in abuse, they have to strongly authenticate it's really their customer, as I guess we'd expect.

I think this was designed for things like change of address or re-issue of bank cards but it also applies to data subject access requests under GDPR. I'd view this as applying to all remote channels including post and telephone.

So if you do make a request for all your data, rest assured, your bank will know it's you.
