Blog article

2018 - The Year of PSD2, GDPR and Innovation

2018 is set to be a very interesting year, particularly if your role has anything to do with payments or data. The go-live date for PSD2 is Saturday 13th January, and GDPR follows a short five months later, on Friday 25th May. Both of these high-profile initiatives are being driven by the European Commission, and the combined work required to comply with them is pretty hefty. The impacts felt by both the industry and the consumer are set to be far reaching.

The PSD2 directive is focussed on increasing competition between payment providers. What this means is that banks will have to open up their APIs so that third-party providers (TPPs) can directly access their clients' account data. For consumers who hold more than one bank account, the changes would also enable new businesses to display all of their account information in one place. PSD2 will also enforce stricter controls around identity checking when making online payments and for higher-value transactions.

The purpose of the GDPR directive is to strengthen and unify data protection for all individuals. This means that the individual will be back in control of their personal data. It will also provide a number of rights, including access to their data and the ability to withdraw it on demand. It also means that organisations will no longer be able to simply gather data without valid cause, and must prove that they are doing all they can to protect the data they do hold.

Whilst at first glance it may seem that these two directives have different end games, the crossover between them should be considered.

Well, I've said it before and I'll say it again: 'Customer is King'.

While PSD2 and GDPR appear to be unconnected, they do in fact share two common aims: putting customers back in control of their own data, and keeping that data safe. GDPR and PSD2 are built on the principle that individuals own their personal data and should therefore be able to choose how it is used, and with whom it is shared.

So, if PSD2 is forcing the idea that third-party providers can access client-owned data directly, GDPR is ensuring that the data remains the sole property of the individual. Provided appropriate controls and consent are in place, PSD2 and GDPR are in fact going to meet rather often.

I can't help but feel at the moment that PSD2 and GDPR are still being approached in a siloed manner, probably because they are being driven by different departments. The EC is clearly on the road towards an open banking environment, and the close proximity of these two directives surely highlights this.

Banks need to change, vision needs to be realigned and attitudes need to be opened up.

2018 is a year for change, and it should be tackled by laying a solid foundation to build and innovate upon.



Comments: (2)

Carlos Figueredo - Open Vector Limited - London, 21 August, 2017, 14:37

In reading your post, the one thing that stands out to me is the point on PSD2 and GDPR being viewed as silos. This is something that we have been trying to explain: that they need to be viewed in conjunction with, and not exclusive of, each other. There is also, in my point of view, vagueness at best around how they both deal with each other in any formal aspect, so there is an absolute opportunity for the relevant EU body/ies to provide a bit more guidelines. Open to discuss via this means or privately.
Jonathan Williams - Mk2 Consulting Ltd - Rugby, 06 September, 2017, 10:15

One key area of overlap is PSD2 Article 97-1 (c), which covers the need for Strong Customer Authentication in the case of a remote action by a payment service user with a risk of payment fraud or other abuse.

This says that in those cases where a PSU is remotely requesting an action from their PSP which might result in abuse, they have to strongly authenticate that it's really their customer, as I guess we'd expect.

I think this was designed for things like change of address or re-issue of bank cards, but it also applies to data subject access requests under GDPR. I'd view this as applying to all remote channels, including post and telephone.

So if you do make a request for all your data, rest assured, your bank will know it's you.

Stacey Small - Business Development - The Glue
This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.