Navigating the Scylla & Charybdis of Open Banking & Data Protection
2018 sees the introduction of two major pieces of regulation that lay important foundations for a better and brighter data-centric digital economy.
Both the revised Payment Services Directive (PSDII), which went live in January 2018 and is key to the vision of open banking, and the General Data Protection Regulation (GDPR), which applies from May 2018, share a common aim: putting data subjects (in this case, the account holder) in control of their own data and keeping that data safe. However, move into the detail and the trouble begins, says Oana Dolea, GDPR Practice Lead, D2 Legal Technology, with a minefield awaiting anyone seeking to navigate the two regulations in tandem.
The aim of Open Banking is to give consumers a choice from a much wider range of financial services providers. In particular, PSDII enables customers to grant third parties permission to access their banking information and to initiate payments on their behalf. Third parties that initiate payments are known as Payment Initiation Service Providers (PISPs); they could be retail businesses, telecommunications providers, payment services, financial account aggregators or fintech companies.
With a PSDII licence, a third party (including a competitor bank!) can, subject to the customer's explicit consent, access the customer's account and transaction details, analyse them, and offer value-added services based on them, such as product recommendations or financial advice. Third parties providing such services are referred to as Account Information Service Providers (AISPs) in the regulation.
With transfer margins decreasing, at its core PSDII seeks to create new digital products and to build an ecosystem of partnerships that better serve customer needs. There is therefore a real opportunity to offer higher value services and products based on actual customer data.
However, the value of transaction data lies in understanding the context of a purchase decision and then exerting timely influence on similar decisions. The reason, mode and timing of a purchase, together with the circumstances surrounding it (such as the weather, the customer's mood, related social media posts and who they might have been with), make such data ideal for informing the marketing and approach strategy for that customer. But does this fall foul of the tightening data privacy and protection rules?
As with transactional data, the value of personal data lies in being able to connect specific profiles and trends to particular purchasing decisions, demographic tendencies and educated guesses about purchasing preferences. Personal data is therefore a natural complement to transactional data when shaping customer marketing and approach strategies. Unlike transactional data, however, the use of personal data is directly regulated by privacy law, including the impending GDPR, which places real constraints on using personal data so directly to identify marketing and strategy trends.
Scylla and Charybdis?
The most serious GDPR challenge to Open Banking and PSDII implementation lies in consent management.
Open Banking is aligned with and supports the implementation of data portability requirements under the GDPR. However, the bank must be able to:
- Keep track of what information has been shared and where it has gone.
- Obtain consent for the transfer of personal data – PSDII permits disclosure to third parties only with the explicit consent of the account holder.
- Ensure the API through which it shares personal data with third parties meets the security requirements of the GDPR (as well as the security standards applicable under PSDII, including the regulatory technical standards on strong customer authentication and secure communication).
- Ensure it can implement the “right to be forgotten” (the right to erasure), which requires a clear and detailed process for notifying the partners to whom customer data has been disclosed.
PSDII - and the introduction of Open Banking - increases the likelihood of incidents involving the misuse of data and breaches of data protection law by third parties, and with it the bank's exposure to GDPR penalties. Data controllers are ultimately answerable under the GDPR for the data they control. In a context where a third party's behaviour may cause penalties to be levied, where are the liability controls? Who is liable for the behaviour of third parties?
And it is not just about the potential fines: even where it is a third party that fails to meet its GDPR obligations, the reputational risk lies predominantly with the incumbent banks, because they are the ones with a reputation to lose.
Navigating the Waters
Fortunately, there is a solution, and it starts with putting data at the core. Organisations increasingly need accurate systems and “live” data mapping so that they know what data goes out and to whom. Clear, GDPR-compliant processes, integrated into regular business processes, with appropriate consent text and explanations used when obtaining consent, are also becoming a necessity.
Technology for keeping track of consents (including withdrawal and right to be forgotten requests), as well as where the information disclosed goes, is required to ensure no information is used without consent, and that data subjects’ rights are enforced appropriately.
Contractual relationships with third parties must be revised to strengthen oversight of the data provided to AISPs, for example by imposing enhanced rights of audit, warranties and reporting obligations with respect to data management and GDPR compliance. In particular, contractual obligations and protocols for handling consent withdrawal and right-to-be-forgotten requests should be imposed on AISPs. Organisational measures such as audits and close monitoring of AISPs help ensure that they properly manage the full range of their GDPR obligations.
Finally, transparent public campaigns are key to the solution: campaigns explaining the benefits of giving consent and what the organisation is doing to keep data under appropriate control, and campaigns highlighting partnerships and why they help consumers. Being sufficiently transparent about how personal data is processed is also a key tool for managing reputation.
The twin challenge of Open Banking and Data Protection offers significant advantages to those who seize the opportunity to transform their infrastructure, data governance and processes so as to welcome digital banking opportunities in a GDPR-compliant manner.
Identifying the right foundational approach to data management, and the right business processes, is key to allowing organisations to unlock business value for themselves, their partner ecosystem and consumers by enabling the compliant processing of their data.