This year, two new pieces of legislation will come into force that will transform data management within UK banks. The first, the Payment Services Directive (PSD2), sets out to create a new era of openness, requiring banks to allow Third Party Providers (TPPs) direct access to customer payment account information, provided customers give consent. The second, the General Data Protection Regulation (GDPR), demands that all businesses, including banks, take steps to further protect personal data, while giving data owners new rights around the access to and portability of their data.
A threat to banks?
At present, these regulations are largely viewed negatively by Tier One and Tier Two banks; they’re seen as a compliance challenge that must, begrudgingly, be overcome. There are four main reasons why many banks have adopted this ‘glass half empty’ mindset in relation to these regulations:
1. Fear of fines: PSD2 is innovation-driven legislation, in that it aims, by opening up customer account data, to encourage a new ecosystem of financial services that compete with and complement those of incumbent banks. GDPR, on the other hand, is compliance-driven legislation: it is the fear of fines of up to four percent of annual turnover that will motivate banks to follow this law to the letter. The temptation here is for banks to hide behind GDPR, using the regulation as an excuse not to participate in the more open banking environment PSD2 seeks to establish.
2. Uncertainty around ‘consent’: GDPR directs banks to act as the guardians of their customers’ data, but also to enable data portability when customers require it. PSD2, meanwhile, only lets TPPs access bank account data if the bank’s customer has given consent. What is not clear is whose job it is to obtain that consent. The likelihood is that the considerable fines banks face for GDPR non-compliance will see them take a hard line on consent, and put in place rigorous processes to ensure that no data leaves their core banking systems without complete assurance that the data subject wants it to.
3. Uncertainty around ‘Sensitive Payment Data’: PSD2 explicitly forbids banks from sharing Sensitive Payment Data with TPPs; however, beyond stating that Sensitive Payment Data is information that could be used to commit fraud, it gives no clear definition of what it is. Until this clarification is provided, I believe it likely that banks will define Sensitive Payment Data as broadly as possible.
4. Asymmetric risk: Under GDPR and PSD2, banks have the most to lose. Even where a customer has clearly given a TPP consent to access their data and the bank, as it is obliged to, allows that access, the bank stands to lose out if the TPP then goes on to misuse the data. Admittedly, the TPP would likely be liable in this instance under GDPR, but there is no doubting that the bank would suffer huge reputational damage by association.
My concern is that where banks are in doubt about how open they should be with customer data, they will take the safe course of action and choose protection over access. This is the worst approach possible, as it would likely harm their ability to build the new digital services and partner ecosystems required to compete against digital-centric fintech companies.
Look for the opportunities not the threats
I believe that banks need to start focusing on the opportunities these regulations present rather than worrying only about the threats. Approached correctly, these regulations will be a catalyst for banks to rebuild their data models to make them better suited to the emerging digital world. I believe there are three key things that banks need to do to seize these opportunities.
1. Be proactive: Banks should change their mindset around regulatory compliance. Rather than using GDPR as an excuse not to engage with PSD2 and open banking initiatives, banks should use the regulations as a springboard to digital transformation: to bring new propositions to the market that are substantially more appealing than their existing ones, and better able to compete with market alternatives.
2. Lead in data governance: The best way to comply with GDPR is to build an organisational culture of client-centricity. GDPR therefore gives banks the chance to transform how their data is held and to really understand how data flows through their processes and systems, providing them with what they need to build operational efficiencies. Since banks own the customer relationships today, and many third parties may be small entities with limited capital or reputational risk, monitoring the audit trail of consent and using it to assess and manage the corresponding operational and legal risk will be important.
3. Optimise the ecosystem: The opposing demands of PSD2 and GDPR are ushering in a new era in which innovation activity will need to work more closely with compliance. This approach will enable new products and offerings to be launched rapidly without compromising regulatory obligations. Banks will need to understand what fintech (and other) partnerships they intend to set up, and how they can create compelling propositions without betting the bank from a risk perspective. For example, banks might choose to create an ecosystem of trusted fintech TPPs to work with to co-create data-centric services. Such ecosystems would enable banks to protect themselves, and their customers’ data, while still embracing the openness that PSD2 is setting out to create.
The time to act is now. Incumbent banks that turn the challenges of GDPR and PSD2 into opportunities for digital transformation will be the winners in the new world. Conversely, those that instead retreat into a protective, closed data model risk losing everything.