At first glance the revised Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR) may look like they collide – but are the two regulations really on opposite sides and incompatible with each other?

Or do they actually intertwine and create a more customer-centric financial sector with a solid security and data-protection mentality? Let’s take a look.

In short, PSD2 is about making a person’s data more accessible to the user and to third party providers, while GDPR is about controlling and regulating the sharing of that same data. Judging by the piles of GDPR and updated privacy policy emails that were sent to consumers last month, one can assume that people were made agonizingly aware of the large number of companies that actually possess, and use, their data. This recent GDPR wake-up call will eventually make people ask the question “Where is my data actually stored and who will have access to it?” before they act.

Under PSD2, third party providers (TPPs) can access the customer’s account information directly, provided that they have the customer’s clear consent. In theory, that fits exactly with the control over data sharing that GDPR requires. But in real life the key question of which party has the right to actually procure the customer’s consent is, to some extent, unanswered.

Another major implication of PSD2 is the requirement to improve security in the payments space, and in other industries that handle sensitive data, by using strong customer authentication (SCA). Usernames and passwords are no longer considered secure enough – and this is where new security approaches are needed, like multifactor authentication with biometric recognition or fingerprint activation – or ultimately, as in the Covr solution, all of the above including the elimination of passwords altogether.

Although they appear unrelated, the two regulations do share two common purposes – placing customers at the centre of control over their personal data, and keeping that data secure. The customer is king – if and when people choose to share their information with a third party, it is at their own pleasure. Not the other way around.