keep calm and carry on regulating

The Turmoil of Tight Regulation

The year 2018 promises to be a challenging one for banks: GDPR tightens data protection rules across the European Union, while PSD2, taking effect in the same year, opens the financial industry to the innovations of the digital world.

The Changes of GDPR

From 25 May 2018, the General Data Protection Regulation (GDPR) applies and brings sweeping changes to data protection in the European Union. Every organization that collects personal data or behavioral information from people in the EU will be subject to its requirements, as will any organization that transfers such data outside the EU. Understanding and implementing customer data protection will be an expensive undertaking, but one that should also lead to better security and greater customer trust.

The aim of GDPR is to promote responsible data use and to align the law with customer expectations: that personal data will not be collected, or shared with outside parties, without the individual's knowledge and valid consent. Health and genetic data, biometric data and information such as race, ethnicity, political views or sexual orientation fall under stricter protection requirements as special categories of data. Customers, as data subjects, will also have the right to demand that their data be erased from a business's repositories once they have withdrawn consent or the service agreement has ended, unless the business still has another legal basis for keeping it.

The Focus on First-party Data

A recent study found that more than half of consumers would "switch half or more of their spending to a provider that excels at personalizing experiences without compromising trust." GDPR will effectively reduce the use of third-party data, also known as "data gossip": user or behavioral information aggregated across multiple websites that businesses buy rather than collect themselves.

This, of course, means a focus on first-party data: information on how your customers use your products or services, how often they visit your website or use your mobile app, and the interactions recorded in your own CRM. Such data must be collected and used in line with GDPR's data-processing principles, which include transparency, accuracy, fairness, data minimization, purpose limitation and security.

Compliance with GDPR will be the responsibility of several roles within a business. Data controllers determine how and for which purposes personal data is processed and must ensure that any outside contractors they engage also comply.

Data processors (internal or outsourced) maintain and process personal data on the controller's behalf and can themselves be held liable for breaches or non-compliance, while data protection officers, where appointed, oversee the data protection strategy and monitor GDPR compliance.

With regard to outsourcing data collection and processing, all businesses must be aware that, should a data breach occur, both the business and its processing partner may be held liable. All existing contracts with processors and customers will therefore need to spell out responsibilities and define consistent processes for how data is managed and protected and how breaches are reported. GDPR sets a 72-hour deadline for the controller to notify the supervisory authority of a breach after becoming aware of it; affected individuals must be notified without undue delay where the breach is likely to put their rights and freedoms at high risk, and a processor must inform its controller without undue delay.

Non-compliance with GDPR carries two distinct penalties. The first is the loss of customer trust and, with it, the possible loss of customers. The second is the administrative fines GDPR allows for: up to €20 million or 4 percent of global annual turnover, whichever is higher.

The Revolution of PSD2

PSD2, the revised Payment Services Directive, will affect online payments and the information shown while making them, and it will require that a person give explicit permission before a business can retrieve their account data from their bank. It also introduces strong customer authentication, that is, stronger identity checks when paying online. PSD2 prohibits non-transparent pricing for international payments, and its aims are to foster innovation, reinforce consumer protection and improve the security of internet payments and account access within the EU and EEA.

PSD2 is set to enable bank customers, both consumers and businesses, to use third-party providers to manage their finances. In practice this could mean paying bills through a social media or Google account, making P2P transfers and analyzing spending, all while the money stays safely in the customer's existing bank account. In return, banks will be obliged to give these third-party providers access to their customers' accounts, with the customer's consent, through open APIs (Application Programming Interfaces).

This will enable third-parties to build financial services on top of banks’ data and infrastructure. In effect, banks will now be competing not only with other banks but also with every other financial service provider.

We have talked with Marko Marijanović, a compliance expert, about the sweeping changes to data security in the European Union brought about by GDPR, which applies from May 2018.

Service Providers

Two such providers, enabled by PSD2, are Account Information Service Providers (AISPs), which will have access to bank customers' account information and can use it to analyze a user's spending behavior or aggregate accounts from several banks into a single overview, and Payment Initiation Service Providers (PISPs), which will be able to initiate a payment on the user's behalf. P2P (person-to-person) transfers and bill payments are PISP services we are likely to see more often once PSD2 is implemented.

PSD2 is why banks are experimenting with APIs, focusing on customer centricity and setting up innovation labs, all strategic choices for dealing with an evolving payment landscape in which consumers will decide whether to stick with traditional banks or entrust their payment needs to alternative payment service providers. Since tech-savvy consumers demand services that are fast, less formal, easy to access, cheap and more personalized, non-banks currently have an edge over banks in attracting them.

PSD2 will also make access to the financial market easier for non-banks by removing some entry barriers, while the growth in new financial service providers will let customers assemble their own collection of smaller providers instead of choosing one bank for all their financial needs. This is likely to lead to a more open and unified European financial market, which is the aim of the European Commission and one of the main reasons PSD and PSD2 were introduced and why a PSD3 may follow in the future.