Payments Leader

Implications of Europe’s GDPR & PSD2 on the United States

June 27, 2017

Bob Legters | Chief Product Officer, FIS Payments Division


How will GDPR and PSD2 affect your business?

Innovation in the financial industry is rarely a result of regulation. But two important developments in Europe – the EU’s General Data Protection Regulation (GDPR) and the revised Payment Services Directive (PSD2) – look set to change that.

Both focus on customer data: PSD2 will significantly impact how customer data becomes available to third parties, while GDPR will be about keeping personal data private. It’s time to rethink processes around compliance.

Empowering E.U. Consumers Is a U.S. Obligation Too

GDPR, which will take effect in May 2018, imposes new rules on organizations that store information on European citizens (including the UK, regardless of Brexit), and stipulates that they need unambiguous customer consent before data may be shared or processed. In essence, GDPR prohibits the transfer of personal data to a third party – or country – unless there are adequate levels of protection.

Consumers must give their consent to use their data, and they also have the right to be forgotten, thereby excepting themselves from marketing campaigns. The principles are simple: institutions should not store data they don’t need; what is stored needs to be secure; it must be possible to delete unwanted data. Any breaches of personal data must be reported to the authorities and the consumer within 72 hours. Finally, institutions are accountable for the maintenance and availability of internal records on all data processing activities. And all this applies to U.S. institutions that provide processing services that originate or terminate in Europe on behalf of European citizens.

PSD2 focusses on the payments process and how customers’ account information is shared with third parties. It requires financial institutions to provide third parties with open access to all customer data at the will of that customer. For U.S. institutions, the regulation increases the control of international transactions that have one leg – originating or ending – inside Europe. Card payments are also impacted as PSD2 increases the authentication and permissions process for card-not-present payments. This goes against the one-click buy ethos, so discussions on implementation are ongoing.

Importantly, if institutions are in doubt about their obligations, it is wise to be aware of the potential penalties. An institution found to be in breach of GDPR regulation faces a fine of up to €20M ($22.4M) or four percent of global turnover, whichever is higher. While PSD2 has no specific penalties for non-compliance, both regulations create more customer-centric and transparent information exchange, which can be a strong competitive differentiator.

Toward the Sharing Economy in the U.S.

PSD2 aims to fuel nothing short of a full digital revolution, but the repercussions will likely extend beyond Europe’s borders. By catalyzing new third-party services, the hope is to increase competition across the industry and enable the increasingly important sharing economy. With the growing reliance on online services and the emergence of the sharing economy, data has become a very valuable commodity. The current model of data ownership, permissions and usage cannot fully capitalize on that inherent value, which is why there is growing agreement that initiatives such as GDPR and PSD2 will become global phenomena. U.S. financial institutions should view the changes happening in Europe as an inevitability across the globe.

The era of open banking, typically coupled with immediate payment mechanisms that often bypass cards (open and instant), is one major influence that is being codified with PSD2 and similar initiatives worldwide. There is no evidence that the U.S. will be any different. Customers are encouraged and empowered to control their data and share it as they see fit, in return for improved and innovative services. This will not be optional. Institutions will need to work harder to keep their customer information and access rights to consumers’ data up-to-date.

The business case for monetizing these regulatory obligations may not be immediately justifiable in the short term, but it is important to bear in mind that many of the benefits are more intangible and are concerned with creating business value and remaining a relevant player in the market for the long term. It is important to see the new opportunities these challenges create; opening the door to new business models demands new ways of thinking.

Embracing the Open Banking Ethos

The U.S. is finally embracing EMV, and the inevitability of immediate payment systems under the guidance of the Federal Reserve Bank is only a few years away. Dual-cards and tokenization may have started overseas, but the U.S. has a long history of adopting world standards – in its own time. Similarly, consumer data protection is growing in importance across many technology-based industries, so U.S. financial institutions are already seeing the snowball growing.