GDPR versus Open Banking: Two sides of the same coin

Originally published on bobsguide.


Two hotly anticipated legislations of 2018, PSD2 and GDPR, are products of a new digital dawn.

The former was met with wholehearted embrace from a host of third party fintech startups and the wider banking community who envisioned a more customer-centric and competitive Open Banking sector; ripe ground for healthy innovation.

The regulators behind PSD2 and the Open Banking initiative are trying their best to change this and give the customers greater control over their financial data.

So too does GDPR, enforced on May 25 2018, have the noble aim of consolidating a person’s control over their data, with the Information Commissioner’s office in the UK pushing a proactive information campaign around the subject.

That’s the theory at least.

Data privacy has recently come to occupy the mainstream and public imagination. But it has been a headache for many years in the financial services with executives scratching their heads over how to get their organisations ready for May 25. A recent Veritas report looks to shift that focus.

“The reason we did this report was because we found that many organisations were focusing on GDPR for the organisation, rather than how consumers would view it,” Jason Tooley, VP, explains to bobsguide.

“We wanted to get a sense of what consumers were thinking but also would they exercise their GDPR rights? Financial services was top of the list when it came to exercising GDPR rights (56% of 1000 UK adults),” says Tooley.

The Veritas 2018 GDPR Consumer Research, further found that 40% planned on exercising their GDPR in the first six months (71% right to be forgotten and 65% subject access requests), with 56% claiming that they didn’t feel comfortable having their personal data on a system they had no control over. Interestingly, 27% said they wanted to use GDPR requests to test a company to see if they valued their consumer rights.

Data consent is the clear crossover between GDPR and Open Banking, though reconciling the two is certainly less clear.

“There’s a requirement and a directive that look conflicting. One of the two key issues is consent to share sensitive data with third parties,” Tooley explains.

“The second issue is that there isn’t a consistent definition of what constitutes sensitive payment data or, likewise, the technical standards of European authorities,” something that is likely to take some time to hash out.

But Tooley turns his attention to the immediate six months following GDPR: “The consumer request for consent is initially likely to come from a third-party provider (TTP), who in turn will need to request further consent from the bank.

“This potentially leads to a two phase contractual process in securing consent, which will slow down the process and conflict with what the regulators want to encourage, a much more open and agile, personalised financial services.” says Tooley.

But banks are too preoccupied with hitting the GDPR and PSD2 milestone when they should be focused on setting themselves up to stay compliant and be adaptable to change, says Nick White of Fiserv.

“There’s a clear signal that the regulators will be setting a pace of change. Banks need that adaptability to meet head on a regulatory roadmap demanding more change.”

Similarly, Francesco Simoneschi, CEO of TrueLayer, a banking API company, says “It could be that some may use GDPR as a smokescreen to reduce the speed and scope of Open Banking.”

But Simoneschi remains an optimist: “Put simply, GDPR and Open Banking compliment each other perfectly. For large banks, complying with both GDPR and Open Banking should be a straightforward process,” pointing out that banks should already have formidable data security and governance processes in place.

“Add to this the updated data privacy policies and consent procedures most will have already instituted ahead of GDPR, and there should not be any hurdles to making the most of Open Banking.”

The biggest headwind might actually be the willingness of banks to work with fintech companies to push forward innovation and the development of new financial products and services,” says Simoneschi.

But how they do that is still very much up for debate.

“My advice, banks need to react now to bring these two initiatives together and treat them consistently with approaches, strategies and policies that TTPs and banks can both adhere to” says Tooley.

“Part of the problem is that the stakeholders for GDPR and the stakeholders for PSD2 are rarely the same people. They’ve got to look at GDPR and PSD2 in a coordinated fashion rather than in siloes.

“In the last three months especially, we’ve seen customers really begin to think about how they can use technology to automate GDPR. It used to be around policy and suppliers contractual agreements, they’re now asking how do I use technology to operationalise this?”

But White from Fiserv, goes a step further to say that technology alone will not harmonise the two legislations.

“You can’t just change the technology, you need to change your culture,” says White.

“It’s about people, process and technology working in a way that makes you move quickly. The foundation of our FinKit for Open Banking was the coming together of modern tech to facilitate change but to foster new models of working.

“Banks need to start seeing APIs as the product.”

Related reading