New PSD2 Regulation Rings in a New Open World
September 13, 2019
Financial institutions are entering an era of new regulations that puts consumers in charge of their own data to improve privacy and drive innovation in banking.
Calls for stricter privacy laws
New privacy laws enacted across the European Union and the United States will shift the power over how personal information is used from institutions to their customers. In the EU, the General Data Protection Regulation (GDPR) gives individuals control over their data and how it’s used. In January 2020, California citizens will have the right to know what information about them is collected and can prevent a business from sharing or selling their information. Other states have tightened, or are in the process of tightening, laws around the information they collect about customers. Non-compliance with these stricter privacy laws will result in stiff penalties, potential lawsuits and reputational risk.
To comply, institutions will need to meet higher consent standards and be prepared to delete customer data from their files quickly upon customers’ request. Consent must be:
- Freely given (no pressure, no detriment for refusal)
- Informed (providing clear information about what consent is being requested and how to withdraw consent)
- Unambiguous (use of clear and simple language)
- Specific to each use case
- Obtained via a clear, affirmative action
Welcome to the new open world
The revised Payment Services Directive (PSD2) that goes into effect this month (September 2019) ushers in a new open world. PSD2 obligates banks to give third parties access to a customer’s bank information, with the customer’s permission, through open APIs. In effect, PSD2 allows bank customers, whether they are businesses or consumers, to use third-party providers to manage their finances.
PSD2 authentication requirements attempt to address the problem of growing fraud in card-not-present payments. Online authentication will require at least two of three elements – knowledge (such as a password or PIN), possession (such as a phone or hardware token) and inherence (such as a biometric identifier). The European Banking Authority just published its opinion in June and stated that if firms are not in full compliance by the time of PSD2 enactment, they must provide evidence of taking steps to become compliant with strong customer authentication (SCA).
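As an added illustration of the two-of-three rule (this code is not from the original article), the check below classifies the factors an application has already verified into the three SCA categories and accepts the attempt only when two distinct categories are covered, so that two knowledge factors such as a password plus a PIN are rejected; the factor names and sample attempts are assumptions constructed for the example.

```python
# Added example: defender-side check that an authentication attempt meets the
# PSD2 strong customer authentication (SCA) rule of at least two of the three
# independent categories: knowledge, possession, inherence.
# Factor names and sample attempts are constructed for this illustration.

KNOWLEDGE = "knowledge"
POSSESSION = "possession"
INHERENCE = "inherence"

# Factor types an application might record, mapped to their SCA category.
# This mapping is an assumption of the example, not a definition from the page.
FACTOR_CATEGORY = {
    "password": KNOWLEDGE,
    "pin": KNOWLEDGE,
    "hardware_token_otp": POSSESSION,
    "app_push_approval": POSSESSION,
    "fingerprint": INHERENCE,
    "face_match": INHERENCE,
}


def sca_categories(factors):
    """Return the set of distinct SCA categories covered by verified factors.

    An unknown factor type raises, so a misconfigured factor never counts silently.
    """
    categories = set()
    for factor in factors:
        if factor not in FACTOR_CATEGORY:
            raise ValueError(f"unrecognised authentication factor: {factor!r}")
        categories.add(FACTOR_CATEGORY[factor])
    return categories


def satisfies_sca(factors):
    """True only if the verified factors span at least two different categories."""
    return len(sca_categories(factors)) >= 2


def evaluate_attempts(attempts):
    """Map each attempt id to whether its factors satisfy SCA."""
    return {aid: satisfies_sca(factors) for aid, factors in attempts.items()}


# Constructed sample attempts (not real traffic).
SAMPLE_ATTEMPTS = {
    "a1": ["password", "hardware_token_otp"],   # knowledge + possession: meets SCA
    "a2": ["password", "pin"],                  # two knowledge factors: fails
    "a3": ["fingerprint"],                      # single factor: fails
    "a4": ["app_push_approval", "face_match"],  # possession + inherence: meets SCA
}

if __name__ == "__main__":
    for aid, ok in evaluate_attempts(SAMPLE_ATTEMPTS).items():
        print(aid, "SCA met" if ok else "SCA NOT met")
```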
Opportunities arising from PSD2
In a recent study from Accenture, more than three-quarters of consumers indicated their willingness to share personal information for benefits such as personalized offers, more efficient and intuitive services and more competitive pricing. The study also predicted that, over time, consumers are likely to expect greater innovation in return for sharing their data.
Open banking can enable institutions to develop new and better-targeted products and services with third parties. One example is reducing friction in the loan application process. A UK bank recently announced a collaborative venture to provide automobile dealerships with real-time loan payments through a commercial direct debit API. Under this scenario, an auto dealer attending a vehicle auction applies for a loan on the spot. The program uses real-time payment rails to deliver an instant loan to the dealer, who is assured of receiving cleared funds in their account almost instantly.
The market is ready. Now it’s time for banks to examine their business models and evaluate how they can leverage open APIs to better position themselves in the market, remain relevant to their customer bases and create more value.