By Bruce Bennett, Carlo Kostka, Craig Pollack, Dan Cooper, Gemma Nash, Kristof Van Quathem, Mark Young, and Sophie Bertin
The EU Payment Services Directive (PSD2), which took effect on January 13, 2018, puts an obligation on banks to give Third Party Providers (TPPs) access to a customer’s payment account data, provided the customer expressly consents to such disclosure. The new legislation is intended to improve competition and innovation in the EU market for payment services. The General Data Protection Regulation (GDPR), which is due to take effect from May 25, 2018, enhances individuals’ rights when it comes to protecting their personal data. The interaction between PSD2, aimed at increasing the seamless sharing of data, and the GDPR, aimed at regulating such sharing, raises complicated compliance concerns.
For example, where banks refrain from providing TPPs access to customer payment data for fear of breaching the privacy rights of their customers under the GDPR, competition authorities may consider this a breach of competition law. This concern is already becoming a reality for banks – on October 3, 2017, the European Commission carried out dawn raids on banking associations in Poland and the Netherlands following complaints from fintech rivals that the associations were not providing them with what they considered legitimate access to customer payment data.
Access to customer account data
Under PSD2, banks have to allow TPPs access to customers’ payment account data. This involves the processing of customers’ personal data and is subject to compliance with the GDPR. We note below some of the key challenges that may arise in this space.
Legal basis and consent
Under PSD2, banks may allow TPPs access to customers’ payment account data only where the TPPs have the “explicit consent” of the customer (Articles 67 and 94, PSD2). Under the GDPR, data controllers (i.e., banks and / or TPPs) must have a “legal basis” in order to process a data subject’s (i.e., a customer’s) personal data. Consent is only one of the available legal bases and probably not the most appropriate in this case. The GDPR allows for the processing of personal data (without consent), for example, where the processing is necessary to perform a contract, or for the purposes of the legitimate interests of the data controller or for compliance with a legal obligation. Practically speaking, if a customer wants to carry out a payment transaction with a TPP, the TPP needs access to their payment account data in order to perform the contract, i.e., initiating the payment. There should be no need for customer consent for the associated data processing operations. PSD2, however, increases the standard of protection in comparison to the GDPR by nevertheless imposing an additional consent requirement.
While this may seem an academic point, the ramifications can be important. For example, when relying on customer consent, as per the GDPR, the customer can easily withdraw this consent at any time, meaning the bank and / or TPP no longer has a legal basis under data protection law to process the customer’s payment data. Equally, customers can request the deletion of their personal data at any time, meaning banks and TPPs may need to delete their payment data. These rights, however, are not absolute rights. They are subject to limitations aimed at balancing competing obligations and interests, such as record retention requirements. The interplay between these individual rights and the obligations of banks and TPPs raises significant uncertainty, which is further exacerbated by national laws containing additional, differing rules on individuals’ rights.
There are various other complications, such as: who is responsible for obtaining consent; what level of due diligence is expected from banks before sharing customer data with a TPP, and how to perform it (knowing that the banks cannot impose contractual obligations on TPPs – see Art. 66(5), PSD2); what is the scope of the consent and what level of granularity of choice can users expect?
Aligning definitions and scope
The GDPR contains definitions of “personal data” and “special categories” of personal data. However, PSD2 brings in additional definitions which do not appear in the GDPR, such as “sensitive payment data”. Sensitive payment data is very broadly defined as data, including personalised security credentials which can be used to carry out fraud. Does sensitive payment data qualify as a category of special personal data under the GDPR, and is it thus subject to stricter rules, or not?
The GDPR increases information requirements for banks and TPPs, such as having to provide customers with the legal basis for the processing and transfers of personal data. The question then arises, who is responsible for providing this information to customers? If banks are indeed responsible, how do they ensure the customers using TPPs have access to the necessary information to satisfy their obligations under the GDPR?
Banks will need to ensure that they have correct procedures in place to comply with both pieces of legislation, which will be a difficult task given that aligning the two is in no way straightforward.
Prevention of Fraud
Under PSD2, “Member States shall permit the processing of personal data by payment systems and payment service providers when necessary to safeguard the prevention, investigation and detection of payment fraud” (Article 94(1), PSD2). This is to be carried out “in accordance with” the GDPR. Under the GDPR, banks need to supply minimum information to customers on the collection and further processing of their data. This raises the question as to whether banks need to inform customers when they are processing their data for the prevention of fraud in order to comply with the requirements under the GDPR. In addition, it is unclear how this will impact the collection of data where it is necessary to prevent fraud, and how banks should deal with a request to delete data during investigations into suspected fraud.
Both PSD2 and the GDPR impose incident reporting requirements, albeit different ones. The GDPR requires banks and TPPs to document all personal data breaches. In addition, they must notify these breaches to the relevant data protection authority within 72 hours, unless the breach is unlikely to result in any risk for individuals. Equally, the bank must notify the customers whose data was breached without undue delay where the breach is likely to result in a “high risk to the rights and freedoms of individuals”.
PSD2 requires payment service providers (i.e., banks and TPPs) to notify the competent authority, without undue delay, of any “major operational or security incidents”. Similar to the GDPR, under PSD2 the payment service provider also has to notify the payment service user (i.e., the customer) if the incident may have an impact on their “financial interests”.
This means that both banks and TPPs will have to satisfy incident reporting requirements under both sets of legislation. For example, in the UK the relevant reporting authority under the GDPR would be the Information Commissioner’s Office (ICO), but the relevant reporting authority under PSD2 is the Financial Conduct Authority (FCA).
Defining the relationship between banks and TPPs
The GDPR distinguishes between data controllers and data processors, and each is subject to certain obligations. Banks and TPPs will have to assess their relationship on a case-by-case basis and decide whether they are data processors and / or data controllers. Where the TPPs are data controllers, which is more likely to be the case, the bank and the TPPs will need to decide whether they act as independent data controllers, joint controllers or co-controllers. However, Art. 66(5) of PSD2 provides that no contract can be required, meaning banks cannot refuse TPPs access to customer accounts if the TPP refuses to enter into a written agreement. The lack of a mandatory contractual relationship limits the ability of the banks to agree on an appropriate allocation of responsibility for compliance with the GDPR and to guarantee the security of the disclosed data.
Member State divergence
Many of these issues will be further flavoured by the country-specific implementation of the relevant regulations; both PSD2 and the GDPR will have many national divergences. Recently the Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), criticised the country’s own proposed implementation of PSD2 for not sufficiently taking account of the relationship with the GDPR. In particular, the AP criticises the fact that the current draft of PSD2 puts the responsibility of ensuring compliance with data protection law in the context of PSD2 with the central bank, and instead argues that it should be its responsibility as the data protection authority. This further raises issues with potentially conflicting relationships between local financial authorities and data protection authorities. Who will ultimately be responsible for compliance? As in the competition law context described above, banks may find themselves being pulled in different directions.
Why does this matter?
The issue is that PSD2 and the GDPR described above have different goals, and there will be national approaches to both, which will affect companies operating across borders in particular.
It is fair to say that the drafting has not been coordinated amongst the relevant regulators and at times there would seem to be contradictory provisions regarding the same matters. In other instances, there is a lack of guidance on how to implement both the GDPR and PSD2. Nonetheless, each of the abovementioned provisions will come into force shortly, and the violation of such provisions will carry the risk of penalties and other liabilities, such as civil litigation. For example, breach of the GDPR can lead to fines of up to €20 million, or up to 4% of an undertaking’s total worldwide annual turnover, whichever is higher. Under PSD2, Member States are free to determine penalties that may be imposed by national authorities following an infringement of the law.
To address these issues and mitigate potential risks, companies will need to rigorously assess the interaction of the provisions and develop a robust and defensible position for why they are adopting certain interpretations or taking certain positions. Companies also need to assess the operational implications of such decisions. Any strategy for working through this dense thicket of law and regulation will require expertise in numerous areas of law, an ability to analyse competing outcomes and to create a series of priorities, which then need to be implemented and complied with through the organisation.