PSD2 & GDPR Preparedness Planning
October 23, 2017
The Second Payment Services Directive (PSD2) is a fundamental piece of payments-related legislation in Europe, which entered into force in January 2016. PSD2 requires payment service providers to make significant changes to existing operations. Close on its heels is the General Data Protection Regulation. These regulations aim to increase competition, enable open data sharing and put customers in control of their data and how it is used.
Now is the time to begin assessing aspects of business operations to identify the potential impact of PSD2 and GDPR.
SECOND PAYMENT SERVICES DIRECTIVE
WHAT ARE THE AIMS OF PSD2
1) Protection – Better protect consumers when they pay online.
2) Promotion – Promote the use of innovative and emerging technologies for online and mobile payments.
3) Processing – Make payments safer and more secure.
WHAT ARE THE IMPACTS OF PSD2
1) Increased Competition – A streamlined process to obtain licenses for new entrants will increase competition.
2) Increased Security – The requirement to have Strong Customer Authentication will reduce the risk of fraud.
3) Access to Data/Data Sharing – Operational and systems impacts to enable Payment Service Providers’ access to data via new secure and direct data links. The third-party data sharing environment envisaged under PSD2 will have significant overlaps with GDPR (General Data Protection Regulation).
GENERAL DATA PROTECTION REGULATION
GDPR follows PSD2 and gives consumers more control over how personal data is used. Organisations cannot simply gather data without good reason, and must prove they are doing all they can to protect it. The impacts are wide-reaching and are very much aligned.
WHAT ARE THE AIMS OF GDPR
Protection – Better protection from privacy and data breaches.
Transparency – Easier for consumers to understand how their data is being used.
Consent – Must be as easy to withdraw consent as it is to give consent and consent must be explicit.
PREPARING FOR IMPLEMENTATION
Impact assessments should be completed on all aspects of business operations to assess the potential impact of PSD2 and GDPR:
- Fraud Strategies
- Security and Risk Management
- IT systems
- Products and Services
- Staff Training
- Process and Procedures
- Customer Journey
- Marketing Materials
- Complaints and Dispute Resolution
- MI and Reporting