GDPR was adopted on 14 April 2016 and came into force on 25 May 2018. Since then, the data protection landscape in Europe has changed dramatically. This article analyses the effect of open banking on data protection rights, and the risks and liabilities that financial institutions face.

It is now four years since the General Data Protection Regulation (GDPR) became enforceable. Its influence in the past few years has been clear – from high-profile fines against some of the largest companies in the world, to heightened consumer awareness of the importance of protecting data and the responsibilities of data processing companies.

Open Banking Begins

At around the same time, the Second Payment Services Directive (PSD2) was implemented in Europe. Unlike regulation, the directive had to be transposed into national law by each country in the EU, which led to further delays beyond the deadline of January 2018 and vast differences in interpretation between countries.

One of the most significant impacts of PSD2 was to create a regulatory environment for open banking. PSD2 requires financial institutions to share their customers’ accounts with authorised third parties and fintechs, with the aim of creating more competition and innovation in the financial sector. Open banking has since become a major phenomenon with billions of transactions in Europe a month and an expected 63.8 million users in Europe by 2024 (Statista). It has facilitated many use cases such as short-term financing and access to loans, wealth management and onboarding.

GDPR and PSD2: At Odds?

However, by enabling third parties to access account information and offer new financial services, open banking has intensified the risk of data misuse and potential GDPR breaches.

GDPR and PSD2 share the same goal of giving consumers control over their data. However, while GDPR aims to minimise all data sharing and protect the consumers’ privacy at all costs, PSD2 requires banks to and give instant account access to authorised third parties as long as prior customer consent has been given. As a result, financial institutions are stuck in a difficult position between these two legal frameworks and must take great care to ensure they are compliant with both.

In December 2020, the European Data Protection Board (EDPB) published guidelines on the interplay between PSD2 and GDPR. It is clear in PSD2 that data holders must be compliant with GDPR and all national data protection laws (Article 94). This means that financial institutions must follow GDPR when processing open banking transactions, including gaining “explicit consent” from the consumer (Article 9) and taking responsibility if the data falls into the wrong hands (Article 82).

Dangers of Non-Compliance

The introduction of PSD2 and GDPR has created a complex regulatory environment. Not only must financial institutions take national banking laws into account, but they must also comply with pan-European regulation. Within open banking, third-party providers (TPPs) are regulated across Europe by their National Competent Authority (NCA). Nearly half of all TPPs in the EEA are authorised to passport their services into another country, which means financial institutions must be vigilant of which country an open banking request originates from and be connected to over 115 NCA registers in total to have the requisite oversight of these permissions.

Banks may find themselves under regulatory scrutiny for one of two main reasons: payment processing or data disclosure. Data disclosure is more likely to fall under GDPR and involves data breaches or sharing information with unauthorised third parties. Most of these risks are not associated with the intent of fraud. Rather, they are often down to careless errors in disclosing information or giving access to the wrong people. At the end of March, 98% of TPPs offered account information services (AIS), which deal with consumer data and are therefore in the scope of GDPR. And the stakes for GDPR are high: unlike PSD2 – which mentions no specific penalties – a GDPR breach can result in a fine of up to €20 million or 4% of a firm’s global turnover.

Open Finance

This year, we have seen increased enforcement of GDPR, and more fines are being issued for non-compliance. This trend will continue as open banking moves into open finance. Open finance will make the ecosystem far more complex – as insurance and pension companies become data providers and a wider range of organisations act as data recipients – some of which may be unregulated. Even now, open banking has evolved from the initial prescription of only regulated third parties: TPP-as-a-Service, where TPPs rent out their permissions to agents, has meant that unregulated entities can access consumer data, introducing further risks for financial institutions.

As open finance is introduced, the number of AIS transactions will increase exponentially. Rather than dealing with payments specifically, open finance involves accessing data from savings, investments, and other sources to gain a holistic view of a consumer’s financial position. How this aggregated data is used will be the responsibility of the banks and enforceable under GDPR.

How to Mitigate Risk

Outside the world of open banking, financial institutions have full ownership over their customers’ data and – in the absence of password theft or a cyber-attack – can protect their customers’ privacy and comply with GDPR in a straightforward way. But open banking and open finance are different. When data is shared, banks must ensure that they are giving information to the correct entities in a way that it will be used responsibly. Financial institutions are liable for any data given to unauthorised third parties.

The only way to ensure that open banking data is not inappropriately handled is to perform the correct checks and due diligence. This not only requires financial institutions to check a TPP’s authorisation status, but to also check the services it is allowed to provide and the markets it can operate in. All this must be done at the time of the transaction request, each time a request is made.

These checks are complex, costly and require considerable know-how, alongside continued maintenance, and support.

To remove these complexities, Konsentus can help financial institutions make informed, real-time decisions on data sharing and API transaction requests by providing them with consolidated data, sourced directly from the NCA and EBA registers. This ensures that data is never handed out to unauthorised third parties, thus avoiding any PSD2 or GDPR non-compliance fines.

Contact our team of experts to learn more about your liabilities under GDPR and PSD2, and how Konsentus can help.

Want to know more? Fill in the form below to gain access to the full article: