The One Solution that Reconciles GDPR and PSD2
Banking is a highly regulated industry and for good reason: it involves money and lots of it. Regulations in the banking industry are necessary to protect the government, financial institutions (from themselves), and most importantly, consumers like you and me.
Remember when they were too big to fail in 2008?
PSD2 and Open Banking
Regulations protect, and they also streamline processes by bringing standardization. In the European Union (EU), the Revised Payment Services Directive (PSD2) is an EU directive, transposed into national law by each member state, that regulates payment services and payment service providers throughout the EU and the European Economic Area (EEA). PSD2 is mostly known, however, for compelling European banks to open customer accounts to licensed third-party providers through APIs, which pushed the industry to develop common practices in API design, vendor integration and data management with the objective of standardizing open banking.
What is open banking? Open banking (or “open bank data”) is a banking practice that gives third-party financial service providers access to consumer banking, transaction and other financial data held by banks and non-bank financial institutions through application programming interfaces (APIs). In other words, open banking is meant to be a secure way to give service providers access to customers’ financial information, and it is an innovation that allows third parties (mortgage companies, for example) to build apps and services around financial institutions such as banks. Financial institutions can create new revenue streams, and customers gain access to a multitude of offers with one set of credentials.
There is another reality inside the European Union, and it is called the General Data Protection Regulation (GDPR). The GDPR is a regulation in EU law on data protection and privacy in the EU and the EEA that, among other things, addresses the transfer of personal data outside the EU and EEA. Any company that stores or processes personal data of people in the EU must comply with the GDPR, even if it has no business presence within the EU; companies established in an EU country are of course covered as well, which includes every EU- and EEA-based financial institution that has embraced open banking. Among the GDPR’s obligations for data controllers is the principle of “data protection by design and by default” (Article 25), which requires implementing “appropriate technical and organisational measures” to protect data. In other words, data protection has to be considered whenever you do anything with other people’s personal data.
Push and Pull Dynamic Between PSD2 and GDPR
Here is the critical issue: how can you securely manage customers’ financial information, as leveraged in open banking, while remaining in full compliance with the GDPR? The reality is that there is an inherent push and pull dynamic between the GDPR and PSD2. The former pulls back to preserve the safety, privacy and control of customers’ private data, whereas the latter pushes towards the convenience, efficiency and enhanced productivity of open banking.
Given that inherent conflict, let’s take a closer look at open banking and especially at the way customer data is managed. The reality is that the industry is still plagued by identity compromises, which open the door to customer and employee impersonation with consequences ranging from financial fraud (obtaining a loan with a synthetic identity, for example) to major data breaches. Open banking implies that a customer authenticates with the username and password of the bank where he or she holds a checking account, for example, and that this same authentication is then leveraged to reach external financial services, so a compromise of that one set of credentials reaches everything connected to it. Moreover, the individual’s financial information can be shared among financial institutions based on his or her activity and requests across several institutions.
Sharing data means opening information systems, which further exposes organizations to digital security threats that can lead to incidents disrupting the availability, integrity or confidentiality of the data and information systems on which the entire open banking model relies. And even when individuals and organizations agree on and consent to specific terms for data sharing and re-use, including the purposes for which the data may be re-used, a significant risk always remains that a third party will, intentionally or not, use the data differently.
This conflicts directly with several GDPR principles: lawful basis and transparency, privacy rights and data security. Once data has left them, financial institutions involved in open banking cannot by themselves ensure that the GDPR is being followed downstream. The many data breaches of the last two years are evidence of that, with financial institutions preferring to pay fines rather than find sustainable solutions to protect the storage and sharing of customers’ financial information.
Creating Privacy and Convenience
Is there a platform that can eliminate this push and pull dynamic between GDPR and PSD2? Yes, and it consists of three elements:
(1) An indisputable identity proofing process for customers (and employees) that triangulates a claim (ID photo, address, last name, etc.) against a multitude of company- or government-issued documents (driver’s license, passport, etc.) and against sources of truth (government databases, the passport’s issuing country, the passport chip, credit cards, bank account, etc.), including advanced biometrics such as a liveness test. Proofing of this kind closes the door to synthetic identities.
(2) Usernames and passwords, along with the one or two extra factors usually added for authentication, are replaced by a liveness test. A liveness test is at least as pertinent as physical presence. Because there is no longer a shared secret to phish, reuse or leak, it removes the credential-theft path to account takeover and the data breaches that follow; the authenticated session that results still has to be protected, since a token stolen after the liveness test bypasses it entirely.
(3) User data is stored encrypted on a blockchain, a replicated, append-only ledger maintained by a peer-to-peer network, so that no single operator holds a plaintext database worth breaching. The user remains in control of his or her personal and financial information at all times and, when data is about to be shared with a third party, consents to sending only the information pertinent to that request. Handled this way, the GDPR’s requirements on transparency, privacy rights and data security are respected and followed. Two caveats follow from the design and decide whether it holds up in practice: the data is only as confidential as the keys that encrypt it, so key management and the consent step that releases keys to a third party are where the security actually lives; and because a ledger entry can never be deleted, a GDPR erasure request has to be met by destroying the corresponding keys (crypto-shredding) rather than by removing the record.
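To make the third element concrete, here is an added example of how consent-bound sharing and erasure can work on an encrypted, append-only store. It is not code from the platform the article describes and is not part of the original page; it is written in Go with only the standard library. Every field of a customer record is encrypted under its own AES-GCM data-encryption key (DEK), the ledger is modelled as an append-only slice of entries (replication and consensus are out of scope), consent is expressed by handing a third party the DEKs for exactly the agreed fields, and erasure is achieved by shredding a field's DEK, since the ciphertext itself can never be removed from the ledger. The field names, values and function names are this example's own constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Entry is one ledger record: an AES-GCM ciphertext per field, nonce prepended.
type Entry map[string][]byte

// KeyRing holds a data subject's per-field DEKs: whoever holds a field's DEK can read it, nobody else can.
type KeyRing map[string][]byte

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // DEKs are always 32 bytes in this example
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

func seal(key, pt []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil) // output is nonce || ciphertext || tag
}

func unseal(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt seals each field under a fresh DEK kept in the subject's ring and returns the ledger entry.
func Encrypt(plain map[string]string, ring KeyRing) Entry {
	e := Entry{}
	for name, value := range plain {
		ring[name] = randBytes(32)
		e[name] = seal(ring[name], []byte(value))
	}
	return e
}

// Grant is the consent step: the subject hands a third party the DEKs for exactly the agreed fields.
func (r KeyRing) Grant(fields ...string) (KeyRing, error) {
	g := KeyRing{}
	for _, f := range fields {
		dek, ok := r[f]
		if !ok {
			return nil, fmt.Errorf("no key for %q (never stored, or shredded)", f)
		}
		g[f] = dek
	}
	return g, nil
}

// Shred destroys a field's DEK: the ciphertext stays on the append-only ledger, but nobody can read it any more.
func (r KeyRing) Shred(field string) { delete(r, field) }

// Disclose decrypts only the fields the grant carries a key for; a wrong key fails GCM authentication.
func Disclose(e Entry, grant KeyRing) (map[string]string, error) {
	out := map[string]string{}
	for name, dek := range grant {
		if ct, ok := e[name]; ok {
			pt, err := unseal(dek, ct)
			if err != nil {
				return nil, fmt.Errorf("field %q: %w", name, err)
			}
			out[name] = string(pt)
		}
	}
	return out, nil
}

func main() {
	ring := KeyRing{}
	// Constructed sample fields, not real account data; the ledger is an append-only slice.
	ledger := []Entry{Encrypt(map[string]string{"iban": "XX00 0000 0000", "balance": "1234.56", "address": "1 Example Street"}, ring)}
	grant, _ := ring.Grant("iban") // the third party was consented the IBAN only
	fmt.Println(Disclose(ledger[0], grant))
	ring.Shred("balance") // erasure request: the balance is now unrecoverable
	_, err := ring.Grant("balance")
	fmt.Println("after shred:", err, "| ciphertext still on ledger:", len(ledger[0]["balance"]) > 0)
}
```

Running it shares only the IBAN with the grantee, then shreds the balance key and shows that the field can no longer be granted or decrypted even though its ciphertext is still sitting on the ledger. The point to take from the design is that the ledger never holds anything a breach could read, so the security of the scheme rests entirely on who holds the ring and on the Grant step; those are the components that deserve the threat model.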
Conclusion: GDPR and PSD2 Can Co-Exist in Compliance
Now we know that the convenience, efficiency and enhanced productivity that technology brings can co-exist with the regulations that legislators enact to increase security, privacy and control. Both can be fully complied with, as long as there is a platform in between that bridges the gap. This solution does not come from simply tweaking an existing technology, such as a 2FA or MFA product, to authenticate the customer of a European financial institution who uses the open banking system. No, it requires an advance that goes far beyond the levels of IT security, identification and authentication we have relied on in the past. The use of advanced biometrics, the storage of user data encrypted on the blockchain and ensuring the user remains in control of his or her data at all times represent this paradigm shift.