Global banking and finance: Do GDPR and PSD2 go hand in hand?
If banks get it right, PSD2 can help them retain their large customer base by offering the newer, practical services customers now expect. GDPR could open a world of new opportunities for banks, such as strengthening customer trust, delivering greater customer satisfaction and enhancing brand image. Only well-planned, proactive preparation with the right tools will make the difference between success and failure.
However, aside from PSD2 and GDPR appearing to contradict each other, what constitutes sensitive payment data is vaguely defined. This creates an interpretation challenge for banks. Knowing which data is highly sensitive and how far a customer's consent extends will become crucial. Questions arise, such as: for how long has the customer given their consent? To which data does it extend? Which party should obtain the customer's consent? More importantly, when customer information is exposed, dissected and analysed, how does one remain compliant with GDPR's strict privacy rules?
The ability to dissect data at a granular level while being flexible enough to withhold conditional elements from being shared is a huge challenge that banks and their IT departments will have to face if they want to comply with both PSD2 and GDPR.
These questions boil down to an even larger one: how can a financial services provider thrive in such a complex regulatory environment?
Data management struggles
Sharing customer data with third parties, as directed by PSD2, is great in theory but challenging for financial organisations to carry out in practice. Banks have to deal with legacy systems operating in silos and with current IT practices, which make data management even more difficult. GDPR only adds to the challenge, as banks have to know the source of every single piece of data they hold in their systems.
Furthermore, the right to erasure (Article 17 of GDPR) requires a good handle on customer data in order to be able to delete specific information on request. The right to data portability (Article 20 of GDPR) means businesses need to be able to move, copy or transfer data easily from one database, storage system or IT environment to another.
Any financial services organisation will need the ability to access and analyse the data of any transaction at any time. As part of regulatory audits, banks will have to retrieve specific customer data very quickly, and they will have to understand what that data means in the broader context of the customer's payment history.
Data protection and privacy will be a particular challenge for companies that were less prepared ahead of GDPR. At worst, it could mean an overhaul of the entire IT system. Businesses will have to detect personal data breaches and report them to the supervisory authority within 72 hours of becoming aware of them in order to avoid being fined. Should a breach be detected on a Friday, this could mean working through the weekend for some banks.
All financial services organisations will have to demonstrate genuine digitalisation. They need to provide context-specific offers to the customer, which Open Banking makes easier, since with the customer's consent they will be able to draw on data held by other banks serving that customer.
To seize this type of opportunity, organisations will need to be capable of customer-centricity and building their own marketplace economy.
Placing the customer, not just rules, in the centre
If banks want to thrive, they cannot take a narrow view and treat regulations merely as checkpoints to be ticked off for compliance while neglecting the wider picture.
GDPR and PSD2 are not contradictory. In fact, they share the same objective. Both regulations push organisations towards customer-centricity so that businesses can adapt faster to the digital age and the rise of the platform economy. In the post-GDPR era, efficient data management is key to providing services tailored to customers' needs.
This calls for a system or platform flexible enough to dissect very specific data that is within the scope of client consent, while restricting conditional elements from being shared. A granular level of data management will truly push banks toward customer-centricity.
This is crucial, as going beyond simple compliance and handling customer data with efficiency and transparency will go a long way to rebuild customer trust. The benefits of GDPR can be reaped when financial organisations can convince not only regulators, but also customers, that their data is truly protected. A greater understanding of the customer, the product and the price point requires better management of tangible and intangible data in order to better meet expectations in the post-GDPR world.
Reviewing data management processes to make them more efficient can directly lead to enhanced customer loyalty, which will come about by creating better deals for customers through the use of all the data held by a bank. This data can help create unique revenue models and pricing solutions adapted to the customer’s needs and spending patterns. These value-added services are sure to generate increased customer satisfaction.
Concerning the data security element of GDPR, organisations need to go beyond simply applying a turnkey cyber security solution. Businesses will need to keep internal records of their data protection measures and be able to show regulators and customers alike what has been done to keep their data safe. An audit log of every access to public, private and partner APIs that expose customer data will need to be kept, recording who accessed which customer's data, when, and under what consent, so that any access to customer data can be traced.
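The two requirements above (releasing only the data that falls within the scope and duration of the customer's consent, and keeping an audit trail of every access) can be demonstrated in a few dozen lines. The following is an added illustration, not code from the original article or from any bank's or regulator's system; the consent record, the scope names, the scope-to-field mapping, the `NEVER_SHARED` field list and the sample customer data are all assumptions made for the example:

```python
"""Consent-scoped data release with an audit trail (illustrative only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Consent:
    """Hypothetical consent record: which third-party provider (TPP) may see
    which data, from when, until when, and how far back."""
    customer_id: str
    tpp_id: str
    scopes: FrozenSet[str]
    granted_at: datetime
    expires_at: datetime
    history_days: int  # how far back the TPP may see transactions


# Assumed mapping from a consent scope to the customer-record fields it unlocks.
SCOPE_FIELDS = {
    "accounts:balance": {"iban", "balance", "currency"},
    "accounts:identity": {"name", "address"},
    "transactions:history": {"transactions"},
}

# Assumed list of fields that are never released to a third party, whatever the consent says.
NEVER_SHARED = {"pan", "pin_hash", "internal_risk_score"}


def release(record: Dict, consent: Consent, now: datetime, audit: List[Dict]) -> Optional[Dict]:
    """Return the subset of `record` the consent permits at time `now`, appending
    one audit entry per call. Returns None (and logs a denial) when the consent
    is not valid at `now`."""
    entry = {
        "at": now.isoformat(),
        "tpp": consent.tpp_id,
        "customer": consent.customer_id,
        "scopes": sorted(consent.scopes),
    }
    if not (consent.granted_at <= now < consent.expires_at):
        entry.update(decision="deny", reason="consent not valid at this time", fields=[])
        audit.append(entry)
        return None

    allowed = set()
    for scope in consent.scopes:
        allowed |= SCOPE_FIELDS.get(scope, set())  # an unknown scope unlocks nothing
    allowed -= NEVER_SHARED  # sensitive payment data stays inside the bank

    out = {k: v for k, v in record.items() if k in allowed}

    # Consent also bounds how far back the TPP may look, so trim the history.
    if "transactions" in out:
        cutoff = now - timedelta(days=consent.history_days)
        out["transactions"] = [t for t in out["transactions"] if t["date"] >= cutoff]

    entry.update(decision="allow", reason="", fields=sorted(out))
    audit.append(entry)
    return out


# Constructed sample data: one customer record and one consent granted to a budgeting app.
CUSTOMER = {
    "name": "A. Example", "address": "1 High St",
    "iban": "GB00EXAM00000000000000", "balance": 1250.00, "currency": "GBP",
    "pan": "4111111111111111", "pin_hash": "sha256:0000", "internal_risk_score": 0.2,
    "transactions": [
        {"date": datetime(2018, 5, 20), "amount": -42.10, "desc": "grocer"},
        {"date": datetime(2018, 2, 1), "amount": -900.00, "desc": "rent"},
    ],
}
CONSENT = Consent(
    customer_id="c-1", tpp_id="tpp-budget-app",
    scopes=frozenset({"accounts:balance", "transactions:history"}),
    granted_at=datetime(2018, 5, 1), expires_at=datetime(2018, 8, 1), history_days=90,
)
NOW_VALID = datetime(2018, 6, 1)    # inside the consent window
NOW_EXPIRED = datetime(2018, 9, 1)  # after the consent has lapsed

if __name__ == "__main__":
    audit: List[Dict] = []
    print(release(CUSTOMER, CONSENT, NOW_VALID, audit))    # name, pan and the old rent payment withheld
    print(release(CUSTOMER, CONSENT, NOW_EXPIRED, audit))  # None: consent expired
    for line in audit:
        print(line)
```

The point of the structure is that the consent record, not the caller, decides what leaves the bank: identity fields are withheld because the consent lacks the `accounts:identity` scope, card data is withheld unconditionally, the transaction list is cut to the consented look-back period, and every decision (including denials) lands in the audit log with the customer, the TPP, the scopes and the fields actually released, which is the record a regulator or the customer would ask for.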
The multiplication of RegTech solutions might seem like good news for businesses looking to avoid fines and immediate consequences of non-compliance. However, it often presents a short-term solution to a long-term, more nuanced problem. Banks need to manage their data in a way that puts customers at the centre.
Being customer centric enables these organisations to reap the benefits this year’s new regulations entail.
Customer-centricity brings three key benefits:
- Reputational benefits: it assures customers that their data is well protected, and showing transparency when handling customer data increases trust. Avoiding brand-image disasters like Equifax and becoming an example of a company that makes an effort and cares about the duties that come with the custody of data could bring immense reputational benefits.
- Financial benefits: being customer-centric will improve customer retention and attract new customers. Knowing and tending to the needs of your customers will increase trust and customer satisfaction: while competitors are poorly managing their data and offering customers irrelevant offers, having the reputation of being an efficient, insightful business can bring immediate financial benefits.
- Preparation for an increasingly customer-centric economy: digital transformation is leading businesses toward an increasingly customer-centric economy. GDPR is an attempt to regulate this wave of change and make sure some businesses are not left behind. Preempting the intent of GDPR and being customer-centric ahead of the curve through impeccable data management could give businesses a competitive edge.
Although GDPR and PSD2 may seem to be contradictory in their requirements, both lead Financial Services organisations toward a much needed acceleration of their digital transformation process by rightly placing the customer in the centre.