January 25, 2019

PSD2 and GDPR One Year On – Time to Act?

On 1 January 2018, the EU introduced its second Payment Services Directive (PSD2), designed to introduce greater competition to financial services by compelling institutions to share customer data and APIs with third-party providers. Five months later, the General Data Protection Regulation, or GDPR, was launched to protect consumer’s data from being used without explicit consent.

This blog looks at what’s changed as a result of this legislation, and what steps payments companies need to consider in 2019 to stay ahead.

  1. The sands are still shifting. Although PSD2 came into force a year ago, only the UK, Germany, Italy and France have published “national guidance” frameworks relating to it. Of these four, Germany and the UK are most advanced, with 40 German banks and PSPs publishing operating guidance on 21 December last year. The UK is further ahead, with 88 PSD2 applications made by third-party providers in 2018, and 13 products from third party providers now live. Despite this, the pan-European Fintech Disruptors 2019 study revealed some 56% of companies across the continent had yet to finalise their approach to PSD2.
  2. Payments players need to be ready. With Swiss management consulting firm Roland Berger estimating up to 40% of all financial services profits could be at risk from third party products, payments players need to invest in digital solutions, rather than rely on decades-old technologies. PSD2 means a new era of competition, with third parties such as mobile phone and utilities companies offering financial services products to their existing customers and to bank customers.
  3. GDPR affects everyone. GDPR has transformed the rules of marketing and data management. Under GDPR, it’s necessary to get explicit consent to share personal data from consumers, often more than once – and this rule applies to all companies doing business in the EU, not just those based there. Despite this dramatic change, TrustArc says only 20% of firms doing business in Europe are currently GDPR compliant – and that a further 27% haven’t begun compliance strategies as yet.
  4. Copycat legislation is coming. If Europe isn’t part of your 2019 business plan, know that legislation similar to GDPR exists in Canada, with other countries such as Brazil and Singapore well advanced in their plans. The outlier in this regard is the United States, although California has passed a Consumer Privacy Regulation similar to GDPR – and two-thirds of US firms surveyed by Ovum Consulting believe it’s only a matter of time before consumer pressure drives similar legislation across the US.

To get your payments infrastructure ready for GDPR and PSD2 and for guidance on how these new rules impact you, get in touch with us on info@rs2.com

– Pina Farrugia, Senior Compliance Manager, RS2

Want to receive RS2’s company updates, blogs & whitepapers directly to your inbox? Sign up to our mailing list by clicking here