2017 was a landmark year for cyber-security: with a number of high-profile data breaches making news headlines and multinational organisations being affected, it was at the forefront of many people’s minds. Trends suggest that 2018 will see a continuation of this, and with a number of data regulations set to become law, individuals will gain more rights around their data while organisations of all sizes will face new challenges. One such piece of legislation is the Open Banking regime and the updated Payment Services Directive.
What is Open Banking and the Second Payment Services Directive?
The Open Banking regime is an innovative change in the UK financial markets. It is being introduced because the Competition and Markets Authority (CMA) has decided that the “traditional” banks have become uncompetitive and slow. Furthermore, new banks find it very hard to break into the market. To rectify this market failure, the CMA has created new legislation. These new Open Banking standards will force all banks to share a lot more digital information when their customers ask them to.
Another piece of legislation being introduced is the Second Payment Services Directive (PSD2), a fundamental piece of payments-related legislation in Europe, which entered into law in January 2016.
PSD2 is the product of a review of the original Payment Services Directive from 2009 and requires payment service providers (PSPs) to make a significant number of changes to their existing operations. The Directive requires all member states to implement these rules as national law by 13 January 2018, with the exception of certain rules around strong customer authentication and secure communication, the implementation of which will run to a different timetable. However, even with the two-year notice period, there are still major banks who are not ready for the transition – Barclays, HSBC, RBS and the Bank of Ireland reportedly will not be ready.
The Open Banking standards will only be mandatory for the nine largest UK banks and apply to a more limited product range compared to PSD2; however, the Financial Conduct Authority (FCA) and HM Treasury (HMT) are encouraging banks and third-party providers (TPPs) to adopt these standards as the basis for the safe and effective sharing of banking data.
Why is this important and how will it be possible?
Another flagship piece of legislation being introduced in 2018 is the General Data Protection Regulation (GDPR). GDPR will strengthen user rights around data; under GDPR, users will have the right to ask for their data. Even though they appear unrelated, both regulations share two aims – to ensure that customers have control over their data and to ensure that the data is kept safe and secure. The question this raises is whether PSD2 will be able to coexist with GDPR. Organisations should be looking to implement these regulations in an integrated manner.
Once you look past the shared aims of Open Banking and PSD2, you have to ask whether they can work together. One of the core concepts for both is consent, which forms the core of a GDPR-compliant PSD2 implementation. While digital marketers will naturally look forward to cross-selling services to consumers by capturing data and contextual metadata, the GDPR essentially does not allow them to do so without clear consumer consent. Above all, the consumer can withdraw consent given earlier and demand the removal of all personal data held by a bank or a third party.
Banks will have a responsibility to ensure that data is still kept secure and cannot be accessed by unauthorised persons. Additionally, they have the added responsibility to ensure that any TPP they work with or have knowledge of is behaving in adherence to GDPR – because of the cost, both financial and reputational, that they would otherwise face.
This will be a substantial change with significant impact for the banks.
What will the impact be?
The intended impact of the introduction of the legislation is to make the market more competitive. To date, financial information has been held by your bank – and most people stay loyal to the one they are with. The Competition and Markets Authority (CMA) found that just 3% of personal customers move their accounts each year. One of the changes is that banks will no longer have sole ownership of customer financial data; customers can electronically share their financial information with other businesses offering certain services in an attempt to get a better deal on financial products, such as a cheaper overdraft with another supplier.
In addition to this, the financial data will not be limited to banks and financial organisations – there is nothing stopping technology behemoths such as Amazon, acting as a third-party provider (TPP), from requesting access to your bank account and initiating payments on your behalf; this could be incentivised by supplementing existing services such as Amazon Prime, for example. It’s not just Amazon who will be able to request access – social media companies such as Facebook will be able to request information around bank accounts and payment infrastructure. This could result in developments allowing users to transfer money through apps such as Facebook or WhatsApp.
This may seem to benefit customers – not having to transfer money through a convoluted banking app but instead simply typing ‘+£10’ in WhatsApp to transfer money. But it has the potential to be highly detrimental to the banks themselves. The majority of a bank’s transactions are made by its customers – this is the data banks use to develop new value-added financial services and, more importantly, the data around transactions helps the bank develop its risk management strategy, which is at the core of modern-day banking. However, this is nothing new – this type of banking already exists in China through apps such as WeChat, a service developed by Tencent, a Chinese multinational technology and investment holding conglomerate. If successful, the change in legislation will see new developments in the banking sector that take advantage of new technologies and will be set to benefit both users and the banks in turn.
Just as they are doing for banks, the Financial Conduct Authority (FCA) and HM Treasury (HMT) are encouraging TPPs to adopt these standards as the basis for the safe and effective sharing of banking data.
How will banks ensure data protection?
Data protection is of vital importance, and the banking and financial sectors have understood this for many years; the Financial Services Authority and the Financial Conduct Authority both lay out firm guidelines on data protection. These guidelines, however, are primarily aligned with the Data Protection Act, which will be updated in line with the GDPR this year. This being the case, it will be vital for these institutions to understand the GDPR and the responsibilities they will have under the regulation. As they undertake large-scale processing of data, these responsibilities will include appointing a Data Protection Officer.
To learn more about the GDPR and understand if your organisation will need a Data Protection Officer, download the free GDPR whitepaper here, now.