As the industry gears up for the Second Payment Services Directive (PSD2 – January 13, 2018) and the General Data Protection Regulation (GDPR – May 25, 2018), many have focused on the risks associated with the upcoming rules, such as the stricter technical requirements and the potentially significant sanctions and fees. However, both PSD2 and GDPR also contain new and very promising opportunities for innovative companies that are ready to take full advantage of and benefit from the data portability rules.
Beginning in spring 2018, two new sets of EU rules will change the landscape for entrepreneurs and large companies alike – particularly in the FinTech sector.
In January, PSD2 will change many aspects of how payment data is handled by banks and payment service providers. Among other things, these rules aim to enable consumers to provide access to payment data to third-party providers for use in so-called payment initiation services (PIS) and account information services (AIS). As a result, current payment service providers will risk losing control of their payment data, as the rules will force the payment service providers to provide third-party providers with direct technical access to such data, for example through APIs, all for the intended benefit of consumers.
Later, in May 2018, the GDPR will provide updated and EU-wide rules on how personal data must be handled. The updated rules include several provisions on the rights of data subjects (e.g. consumers) in relation to how data is stored and handled – such as the right of access, right to rectification, right to erasure/be forgotten, right to restrict processing and right to data portability. In particular, the right to portability, which gives the data subject a right to transfer data to third-party providers without the consent of the data holder, is new compared to current provisions and has the potential to disrupt many business models that are directly or indirectly based on data processing. In the FinTech sector, this novel provision can provide both many opportunities for innovative companies that take advantage of the consumers’ right to their own data and risks for other companies, which face losing some control over those same data.
So, what will these new data portability provisions mean, in practice, for FinTech businesses? For many, the transition to these new rules will mean high costs due to necessary investments in IT systems and processes. IT systems will probably have to support both direct download features and APIs for the direct transfer of personal data to third parties. There will also be requirements for strong identification and authentication processes to ensure that a request to transfer personal data is made by someone who has the right to make such a request. In practice, an IT system will thus be required to include support for automated transmission of user-related data to any third-party provider, and must also provide a method for the users to properly identify themselves when making such a request.
PSD2 and GDPR are intended to achieve different objectives – namely harmonizing payment services (PSD2) and strengthening personal data laws (GDPR). However, it is clear that they contain overlapping aspects with the same general intentions: 1) lowering market thresholds for competition in digital services, 2) encouraging a single digital market in the European Union, 3) empowering consumers and 4) stimulating innovation. Companies that embrace these objectives could reap major benefits from the opportunities available under these rules. However, the downside is that many current business models that are based on the previous (and perhaps soon to be obsolete) system may face new threats and competition in previously unknown areas. Regardless of the position your company finds itself in, the strategic discussion should begin today.