gdpr & open banking: friends, not foes

An Unexpected Partnership

The financial landscape changed considerably in 2018, with the advent of GDPR and PSD2. PSD2 will open up banking to third party FinTechs and PSPs, providing new ground for innovation in payments and banking in general. This Open Banking initiative is set to create healthy competition and thus encourage better services and innovations that will improve the customer banking experience.

Control to the Customer

GDPR's aim is to increase customers' control over their own data, including financial data. It also gives customers confidence that their data will only be used for the specific purposes they have given consent for when signing up for a specific service. GDPR enforces very strict controls over data sharing. 

At heart, both regulations are about customers having more control over their data and the data being used to support the interests of the customer. This combination, however, does carry some risks. There is an increased risk of data misuse and data breach when a third party handles customer data. And when a data breach leads to GDPR penalties, who should be liable: the third party or the bank that did not carry out due diligence? Banks may, naturally, be more concerned about risks to their reputation such a breach might cause than a startup FinTech.

Sensitive Data and Data Consent

There is also the matter of how an EU country defines "sensitive data" under GDPR, which may create challenges for interpretation and implementation as well as increase the risk of noncompliance. Banks may find themselves considering simply redacting all data that might be considered sensitive so that they don't break data protection rules set up by both PSD2 and GDPR.

There is a solution to this situation and it lies in Open Banking and GDPR's natural crossover point: data consent. Open Banking allows a third party provider to use a bank's API and user data to provide customers with new services but only with the individual's permission.  At the same time, the bank itself is obligated to ensure said API meets the relevant security requirements under GDPR, keeping a clear track of which information it has shared and with whom.

A revision of contractual relationships with third parties can ensure a bank's oversight over the data it provides them: these may include warranties and protocols for auditing and consent withdrawal. Such revisions may also ensure that the third party fulfills its obligations with regards to GDPR and PSD2 once it begins handling the data provided by the bank.

Customer Apathy

There is, however, another point to consider: customer apathy. Simply put, many customers are simply not interested in banking and to them it's 'all the same'. Most might prefer any banking to be over as soon as possible and won't give much thought to their finances. This in turn may lead to them giving consent without being fully aware of what it means. Here the importance of public campaigns comes into play: simply and clearly explaining the benefits of providing consent, and what the bank is doing to ensure that data is controlled appropriately. Also, sufficient transparency with regards to how a bank processes personal data will be key to a bank’s management of their reputation.