EU Banks Caught Between “Dueling Regulations”
With customer experience requiring more data, and the upcoming Payment Services Directive (PSD2) requiring banks to release customer data to third-party providers so that customers have other options, banks appear to be facing a Catch-22 with regard to new data privacy laws.
The conflict lies in the need for more information in order to maintain or improve customer experience (CX) versus the General Data Protection Regulation (GDPR), the hotly anticipated data privacy regulation, which pulls in the opposite direction.
The GDPR is scheduled to go into effect in all member countries of the European Union on May 25, 2018 and will impose strict limits on the distribution and use of personal data.
The Payment Services Directive (PSD2) is intended to help customers by allowing their data, collected by the banks, to be given to third-party providers who would deliver value-added services, on the understanding that the bank has the customer's consent. In other words, the responsibility is borne by the bank specifically, and the whole board is liable for violations.
What about Fintechs and the GDPR?
Meanwhile Fintechs, precisely because they are not banks and theoretically only offer technical solutions, are not normally regulated under the burdensome banking laws. A Fintech/third-party provider is therefore able to focus on the customer-facing, income-generating front end of the business.
Polish start-up Y Bank is a classic example of improving the customer's situation by promoting and ranking products across all banks, serving as the Amazon of banking products while benefiting from the PSD2 law requiring banks to share data.
Thus, within the financial services sector there is a disproportionate burden on banks, especially small banks, which must meet the same requirements as larger banks, created by the focus on the back office.
In some banks which have become more digital, one challenge is the API used to gather data for GDPR purposes, which affects many of their applications. As one CIO stated, GDPR hits every bank in a different manner because the IT architecture of each bank, even within one banking group, is different.
Adding to the confusion, regulations are not static, with room for interpretation at the national bank level. As a result, both local and national banks are expected to dictate GDPR changes which may run afoul of another European banking regulation, the Common Reporting Framework (COREP). This will result in further challenges from banks, which are already challenging governments about their responsibility for data handling.
Impact of Culture
Then there are the cultural differences regarding privacy, such as conservatism and willingness to change. For example, German, Czech and Austrian customers have a higher demand for privacy and are more conservative than customers in countries such as the UK or Slovakia.
Stephanie Faber, a top data privacy lawyer at Squire Boggs, believes GDPR is not the problem but is one solution to prevent “privacy by disaster”, citing Equifax as an example. (The credit bureau only took action against a known data storage vulnerability after hackers in September exposed the personal information of 150 million Americans.)
Implementation of GDPR is an opportunity to understand what data one has and what must be deleted to avoid data breaches. Because it is directly applicable in all EU Member States, and given its geographical scope beyond the European Union, Faber believes it creates a level playing field and possibly a competitive advantage for companies based in the EU.
But is this challenge to the banking industry a result of old-fashioned data quality and security issues and duplicative processes?
I asked the CMO of an international telecommunications company how they will handle GDPR, and his response was that GDPR is not a big issue. Data privacy has been handled by both Compliance and Legal for years. Because of data protection laws specific to the telco industry, many processes which will be required by GDPR have already been implemented.
In other industries, framework agreements and tenders now require all suppliers to verify their adherence to and compliance with GDPR, something which larger banks are also requiring of any Fintech with which they cooperate.
GDPR will force greater discipline in data quality and will be a learning process for banks. But, as Faber states, it could also, in the end, move the industry forward.