In an increasingly information-driven world, legal frameworks governing the sharing and use of data in payment services — and awareness of their unintended consequences — are of critical importance. This article explores the dynamics between modernized privacy laws in the European Union (namely, GDPR) and open banking initiatives (namely, PSD2). These two legislative initiatives are each underpinned by worthy rationales, and each reflects a careful balance between multiple competing policy interests. However, they must be considered together in implementation. Particularly at their intersection in the sharing of an individual’s payments and account data, difficult questions may arise. How does one reconcile the interaction between the PSD2, aimed at increasing the seamless sharing of payment data, and the GDPR, aimed at regulating the processing of personal data? This question, and its implications, are important and timely as national authorities around the world are considering similar initiatives in response to emerging technologies, changing consumer expectations, and new market dynamics.
The fintech revolution has delivered a dizzying array of faster, easier ways to pay for things using digital wallets, to manage money using mobile banking apps, and to make payments in seconds that would have taken days. At the same time, advances in financial technology threaten to expose each of us to greater risk as personal and financial data digitally zip from institution to institution and from database to database.
What happens when financial products, business models, and market practices evolve to the point where existing legislation, which may not have been designed with them in mind, is no longer a good fit?
The Bali Fintech Agenda, jointly launched by the International Monetary Fund and the World Bank at their 2018 Annual Meetings, offers a blueprint to guide national authorities in harnessing fintech’s opportunities while managing the risks.
For authorities in the early stages of formulating their fintech strategies, as well as for those well into their digital journeys, a key consideration is the modernization of legal frameworks.
Two recent trends in financial sector legislation illustrate how legal frameworks can be adapted in response to emerging technologies, changing consumer expectations, and new market dynamics. The Payment Services Directive 2 (PSD2) and the General Data Protection Regulation (GDPR) are the European Union’s two most important responses to these developments.
These two pieces of legislation are also drivers of change in their own right, giving individuals greater control over their data. The PSD2 calls for banks to open access to customer account and transaction data, with a customer’s consent, to third-party service providers, such as fintech companies and other banks, with the goal of improving competition and innovation in the EU market for payment services. Its scope is limited to payment services and data held by banks, with a focus on facilitating the provision of innovative payment services and new actors, among other goals. In contrast, the GDPR is devoted to protecting personal data on a more general level, irrespective of business line or industry. The GDPR requires companies, including (but not limited to) banks, to protect and handle more carefully what personal data they have, with the aim, in particular, of giving more control to individuals over their personal information.
For many jurisdictions looking to keep pace with rapid technological change, modernized laws like the PSD2 and the GDPR are helpful comparison points. These two legislative initiatives are each separately underpinned by worthy rationales, and each reflects a careful balance between multiple competing policy interests. However, they do not exist in a vacuum and, in implementation, must be considered together. Particularly at their intersection in the sharing of an individual’s payments and account data, thorny questions may arise. How does one reconcile the interaction between the PSD2, aimed at increasing the seamless sharing of payment data, and the GDPR, aimed at regulating the processing of personal data?
Important legislative initiatives at this very intersection are being considered around the world, in recognition that a global economy increasingly driven by digital data presents new risks and opportunities. Countries such as Japan and Brazil, as well as the U.S. state of California, have recently announced new data privacy rules similar to the GDPR. However, there is no one-size-fits-all approach to privacy, and different countries have approached the issue in different ways (e.g., China’s cybersecurity law, Russia’s personal data legislation, and Israel’s privacy legislation).
At the same time, some jurisdictions are considering laws to address aspects covered in PSD2. Mexico’s recently enacted FinTech Law mandates the use of application programming interfaces (APIs) for sharing financial, aggregate, and transaction data of customers (with their prior consent) between financial institutions, including fintech companies. Australia has announced plans to implement a similar open banking initiative that would enable customers of banks to share their financial transactional data more easily with third parties online. The Canadian government recently launched a public consultation on open banking’s merits and the potential risks to privacy, data security, and financial stability.
Of course, modernized financial legislation comes in many flavors, reflecting a diversity of national priorities and circumstances that call for different responses. For example, authorities can pursue data-sharing initiatives without a specific legislative mandate for an open banking ecosystem, as the authorities in Singapore, Hong Kong, and Malaysia have done, subject to limitations under their respective data privacy regimes.
What has changed?
These legislative initiatives are in response to three mutually reinforcing recent developments: digitization, changing customer expectations, and new market dynamics. The cost of collecting, transmitting, and storing vast amounts of data has sharply declined. Hand-in-hand with the new abundance of data, related technologies like automation and data analytics extract more value, more efficiently and at lower costs. In the financial sector, technological advances—such as digital wallets, mobile banking, distributed ledgers (blockchain), APIs, cloud technology, and the “Internet of Things”—are creating new ways to pay, data-driven personalized financial services, and a digitalized end-to-end payments chain.
Just as the uptake in digital payments enables the capture of much more data (such as location, transaction counterparties, and shopping patterns), consumer attitudes are changing. Beyond expectations of greater speed and convenience in the payments experience, a greater tolerance may be emerging among consumers for the amassing and sharing of data that once might have been perceived intrusive. Such qualms may gradually, if not already, be outweighed by the immediate benefits of personalized and seamless financial services.
New companies are emerging to meet these evolving consumer expectations, using innovative financial technologies to focus on improving specific inefficiencies and frictions. This strategy of offering a superior niche alternative stands in contrast to the traditional banking model of providing a broad array of products and services, as a one-stop shop for a customer’s financial needs. However, these newcomers may initially lack network reach and market adoption that established incumbents enjoy, with the result that some may seek to partner with banks that already possess the scale of customers.
At this dynamic intersection, the European Union has recently launched two key legal initiatives to modernize privacy laws (e.g., the GDPR) and to implement open banking (e.g., the PSD2).
The General Data Protection Regulation
The GDPR, which entered into force in 2018, reflects modernization of data privacy legislation in response to technological change. A key aim of the GDPR is to empower individuals by giving them control over their personal data. It establishes a principle of data minimization, under which data handling should only involve as much personal data as is required to successfully perform a specific purpose. Moreover, data collected for such purposes cannot—in principle—be repurposed without further consent from the individual to whom the data relates.
The GDPR also gives individuals new, expanded rights over their personal data, including a new “right to be forgotten” and a “right to erasure” (that is, to have one’s personal data erased, the dissemination and processing of such data terminated, with such rights balanced against “the public interest in the availability of the data”), a “right to rectification” (that is, to ask for information to be corrected), and a “right to portability” (that is, to retrieve or have transferred one’s personal data, free of charge, in an electronic format).
There are important consequences for not complying with the GDPR: in addition to heightening the responsibilities of companies handling personal data, the GDPR is also significant in heightening their liabilities—with fines of up to €20 million or 4% of global annual revenue, whichever is higher. These consequences hold for companies regardless of their place of establishment. Indeed, the GDPR applies not only to organizations located within the EU, but also those located outside of the EU that offer goods or services to, or monitor the behavior of, a person residing in the EU.
The Payment Services Directive 2
Like the GDPR, the PSD2 is a legal modernization effort to account for new types of data-driven developments, specifically in the context of retail payment services. The PSD2, which Member States were required to implement by January 2018, repeals the Payment Services Directive of 2007. It addresses the emergence of two new types of payments-related service providers. The first type enables customers to more conveniently initiate payments from their bank accounts. The second type provides aggregation services for customers to pull together data from their accounts at multiple financial institutions, such as transaction histories and balances, giving a broad view of their finances in one consolidated place. Such dashboards can also serve as a platform for new services: analyses of spending habits, financial advice, and personalized advertisements or offers. Payments data can also be transferred to other third parties that combine it with data from other sources to provide yet another layer of innovative services to customers.
The PSD2’s rationale is unique: its legal framework has been specifically designed to foster competition and innovation in payments services. It grants payment service providers a fundamentally new legal right of access to the account and transaction information held by banks on the banks’ customers—whenever the customer consents for the purpose of receiving payment services from these providers. In this way, the PSD2 could strengthen an individual’s ownership of their personal data by enabling them to easily and securely require their bank to share data with other banks, fintech companies, and other licensed service providers. At the same time, this means that banks lose their historic monopoly on their customers’ transaction data.
The Intersection Between GDPR and PSD2
Within their respective regimes, the GDPR and the PSD2 each separately reflect a careful balance between competing policy interests and the pursuit of worthy policy goals. But they must be interpreted alongside each other. While the PSD2 grants payment service providers access to customer information held at other banks in connection with the provision of services, much of this information is personal data (such as the name, account number, and transaction information of the customer) that is subject to the GDPR. Banks are required under the PSD2 to open access to such data to third-party service providers (to the extent needed to provide the payment service and with the customer’s consent) but, at the same time, are subject to the GDPR’s rigorous requirements to protect customer data, paired with severe penalties for failure to do so.
The European Commission has provided useful clarifications with regard to this intersection. For example, it is of the view that the provisions of the PSD2 on data protection must be interpreted in light of the GDPR and are subject to its terms. Indeed, in the spirit of the GDPR’s data minimization principle, the PSD2 prohibits a service provider from using the personal data it has obtained for purposes other than performing the specified service. However, it is not clear how robust this prohibition may be in practice. For example, might a clever service provider circumvent this limitation by simply broadly defining the service it offers: for example, not only account aggregation, but also personalized offers for other products and services? If customers were to sign up for that package and consent to such purposes, the service provider would, as a practical matter, have broadened grounds for the lawful processing of their personal data.
In practice, other challenging questions may remain in applying the two modernized laws and balancing the development of a competitive market for payment services with the protection of personal data.
A bank may appropriately opt not to provide a customer’s chosen service provider access to transaction data out of fear of breaching the customer’s privacy rights under the GDPR. That may be the case, for example, if the service provider has a record of using security measures that are ineffective or authentication processes that are insufficient to prevent fraud. To avoid the risk of such action being construed as an illegal restriction of competition, the bank must establish that it has reasoned doubts justifying its refusal to grant access. Any decision would be subject to judicial review under the PSD2.
The impact of these modernized laws on the European Union’s financial sector, including any unintended consequences, is still taking shape. Their impact on competition, for example, will depend on technological developments (e.g., artificial intelligence, machine learning, and big data) and changing market dynamics. In particular, the third-party service providers that have access to customer data under the PSD2 can include large technology companies entering into the payment services market. Importantly, the PSD2 is a one-way street: these non-bank technology companies and internet platforms would not have a similar requirement to share customer information back with banks. Moreover, although the GDPR grants a new data portability right to individuals, with a “side effect” of fostering competition, such a right may be limited as a practical matter because it is not accompanied by a corresponding obligation for any company to provide technology solutions to allow individuals to securely port their personal data. Applications of the PSD2 and the GDPR in these asymmetric contexts may have unanticipated consequences for competition that are yet to be seen.
Conclusion: A way forward
Many of these details remain a work in progress and will be refined as the market impacts of open banking play out and the refinement of modernized legal principles continues. The weight given to competition, data protection, and privacy, as well as how policy choices are implemented in practice, will vary across countries. It is clear, however, that in an increasingly information-driven economy, legal frameworks governing the sharing and use of data are of critical importance.
These issues do not merely represent theoretical concerns. Rather, they impact us directly, our money, and our identity.
In order to achieve success in catalyzing competition and innovation in the financial sector while, at the same time, pursuing important data protection priorities, there is a critical element needed: promoting awareness among individuals of their rights to privacy and data protection in the digital world.
PSD2 empowers individuals to share their account information, removing the bank’s role as gatekeeper. Individuals cannot effectively exert this control or exercise their rights under the GDPR if they do not attach due value and sensitivity to their personal data. More fundamentally, it is essential that they know their rights under the law.
Ross Leckow is Deputy General Counsel of the International Monetary Fund (IMF). Mr. Leckow leads the Fund’s work to help member countries strengthen their legal frameworks to regulate the financial sector and respond to the opportunities and challenges posed by technological change. Mr. Leckow has co-authored the “Bali Fintech Agenda” (IMF/World Bank 2018), “Fintech and Financial Services” (IMF 2017) and “Virtual Currencies and Beyond” (IMF 2016). He has also authored “Virtual Currencies – the Regulatory Challenges” (European Central Bank, 2016). Mr. Leckow lectures around the world on international monetary and financial law.
Jess Cheng is Counsel in the IMF’s Legal Department, specializing in financial sector legislation in the areas of fintech, crypto assets, payments, and central banking operations. She has contributed to the Fund’s Financial Sector Assessment Programs (FSAPs) and its policy discussions on fintech. Prior to joining the Fund, Ms. Cheng was Deputy General Counsel at Ripple, a San Francisco-based startup. Before that, she was Counsel and Officer in the legal group of the Federal Reserve Bank of New York, and she practiced law as an associate at the New York law firm Wachtell, Lipton, Rosen & Katz. An active member of the American Bar Association, she currently serves as Chair of the Payments Subcommittee of the ABA Business Law Section's Uniform Commercial Code Committee.
About the International Monetary Fund
The International Monetary Fund (IMF) is an organization of 189 countries, working to foster global monetary cooperation, secure financial stability, facilitate international trade, promote high employment and sustainable economic growth, and reduce poverty around the world. Created in 1945, the IMF is governed by and accountable to the 189 countries that make up its near-global membership. The IMF's primary purpose is to ensure the stability of the international monetary system—the system of exchange rates and international payments that enables countries (and their citizens) to transact with each other. The Fund's mandate was updated in 2012 to include all macroeconomic and financial sector issues that bear on global stability.
 The views expressed in this paper are those of the authors and do not necessarily reflect the views of Payments Canada or represent the views of the IMF, IMF Executive Board, or IMF management.