Putting GDPR and PSD2 in silos may be problematic: AccessPay execs

This article was originally published on our sister site, GTNews.

While GDPR and Europe’s revised Payment Services Directive (PSD2) are not contradictory, the fact that the regulators and many banks work on them in silos is problematic, AccessPay executives argue.

“These two pieces of legislation are generally being dealt with in separation in the banks,” argued James Higgins, AccessPay’s product director, in an exclusive interview.

“Whilst the regulator shouldn’t give prescriptive guidance on implementations, sometimes they can play a role in bridging the gap between the two standards. This hasn’t really happened in the case of PSD2 and GDPR,” said Higgins.

Under the UK’s General Data Protection Regulation (GDPR), every 90 days a business must ask customers to reauthorise the use of their data, for example. When combined with PSD2, this may not be a great customer experience.

Anish Kapoor, AccessPay CEO, argued that a lot of the resolutions will come through trial and error, once PSD2 functionalities are being utilised. The two regulators are likely to work together over the next couple of years of early implementation.

There are already plenty of conversations between the industry and the PSD2 regulator.

PSD2’s technical standards have already changed a lot, said Higgins.

“They are still changing and will constantly evolve I think as people realise that the way particular parts are written may not make any sense,” he added.

Despite this, Kapoor insists there is no ideological contradiction between GDPR and PSD2 in terms of protecting and sharing data.

“There is a lot of talk about people tying in access to banking services to accessing the banking data. They are not necessarily linked,” Kapoor told GTNews.

“If you want to be a Payment Initiation Service Provider (PISP) you don’t need to have access to all the data in somebody’s bank accounts.

“You might request it because you’d quite like to have the data but under GDPR there is a requirement to be clear about what data you’re asking for. You have to explain which data sets you are going to use and how you plan to use them,” he said.

Under GDPR, if a business was trying to “grab data and use it for purposes other than something the customer values, then they’re going to be less likely to give you that data which I think is a good thing. I don’t see the problems with that,” he told GTNews following their recent roundtable, ‘PSD2 and Open Banking. Big threat or big opportunity?’

PSD2 is largely built on the same framework as GDPR’s general overarching sets of rules, according to Kapoor.

“For example, if we want to access account information for one of our corporate customers, they have to give authority for that to happen and we have to be clear on what authority they’re giving and what we’re going to do with that,” he said.

Staying abreast of regulation is a full-time job

Treasurers are struggling to implement all the innovation taking place in the payments industry, according to Kapoor.

“They are really busy with their day jobs. What they don’t want to do is get bogged down in the complexity of connecting with various banks using PSD2 or SWIFT GPI, for example.

“There is so much innovation that’s going on in the payments industry that treasurers are now looking for partners who can help them to take care of these things,” Kapoor said.

This is partly because the role of the corporate treasurer is now much broader than it was 15 years ago.

The corporate treasurer is being consistently asked to play a far more strategic role in the running of the company.

“Staying abreast of GDPR and PSD2 may not be a treasurer’s core competency and it is a full-time job to be on top of so much regulatory change,” said Kapoor.

Pulling the puzzle pieces together 

Part of the complexity of adopting PSD2 is that different parts of the payments ‘ecosystem’ are all looking at PSD2 in a different way, said Higgins.

“There is clearly a focus on consumer payments under PSD2 from banks and bigger consultants,” Higgins argued.

“Real-time information is clearly a big challenge for the corporate perspective which supports our views,” he added.

Both Higgins and Kapoor agreed that there was still a lot of education to be done on PSD2.

The AccessPay roundtable highlighted PSD2’s complexities. “We are industry experts and there is an awful lot of unknowns, even for us,” said Kapoor.

“There is a lot of education to do in the wider market on what things mean generally and what it means for consumers, small businesses and corporates,” he said.

Will customers want to give up their data under PSD2?

While many people may not want to give up their data to third-party providers initially, Higgins argued that early adopters will win resistant consumers over.

He compared it to the take-up of apps such as Uber and Airbnb. Initially many people did not want to give up their data or participate, “but then you get these early adopters who prove that the tool has real benefits too,” he said.

AccessPay is currently developing products and tools for the accounting space that take advantage of PSD2.

“If we can prove that we’re complying with GDPR, which we will, if we can prove that it’s delivering bottom line value to those consumers, then word gets out,” Higgins told GTNews.

Will PSD2 be ready for its January 1st launch date?

Some in the industry have said that PSD2 lacks the necessary infrastructure and enforced regulatory standards to be actively enforced when it comes into play in January 2018.

There is an accreditation process to become an Account Information Service Provider (AISP) or a Payment Initiation Service Provider (PISP) in the UK, which AccessPay has recently submitted an application for.

However, Higgins said: “The process of a third-party provider (TPP) being able to deliver services to consumers or corporates is much more challenging. If you approach a bank as an AISP looking to connect to its APIs, you will find they have got different APIs, different standards of APIs and different technical specifications.

“Some of them don’t even have APIs. They may have a different solution, such as host to host.

“The development overhead for people like us could potentially be quite significant to get these PSD2 projects off the ground.”

“This is going to be a slow burn because the providers are going to find it really difficult, not to register, but to actually deliver the services that our customers want,” he said.

This challenge will be exacerbated if a customer has ten bank accounts and another customer has ten completely different bank accounts, for example.