Co-authors: Christophe Vergne, Cards and Payment Practice Leader, Capgemini, and Jan Dirk van Beusekom, Head of Strategic Marketing, Cash Management and Trade Solutions, BNP Paribas
The lack of coordination and integrated data management among regulatory authorities is stirring contradictory objectives and competing agendas that are hindering standardization and causing ambiguity within the new payments landscape.
The objectives of several key regulatory and industry initiatives (KRIIs) overlap. The resulting complementary or conflicting effects are impeding the progress of new payments ecosystems across diverse markets comprising wide-ranging methods, instruments, and players.
This impact of KRIIs on one another, whether cascading, complementary, or conflicting, increases regulatory complexity. It comes at a time when a new payments universe is evolving, driven by corporations’ increasing demands for value-added services, rising consumer expectations, the shift to open banking, and a spike in payments-enabling technologies.
Overlapping KRIIs stymie the attempts of payments stakeholders to transition to the new ecosystem. In Europe, regulatory initiatives such as the revised Payment Services Directive (PSD2) conflict with both the fifth Anti-Money Laundering Directive (5AMLD) and the General Data Protection Regulation (GDPR), which poses challenges for payment service providers (PSPs).
Regulatory overlaps and their resultant bottlenecks require resolution. Meanwhile, on the global front, KRIIs such as those regulating cryptocurrencies are treated differently from region to region, which further muddies the payments waters. If the current ambiguity is unscrupulously exploited, multinational corporations may shelve collaborative opportunities and investment in blockchain-based payments initiatives.
Conflicting KRIIs: PSD2 versus GDPR

| PSD2 | GDPR |
|---|---|
| Banks are required to open customer account and transaction data to third-party providers (TPPs) | GDPR requires banks to protect customer data and imposes significant penalties for failure to comply (up to 4% of global annual revenue) |
| The Directive encourages an open-banking environment | With its stringent requirements, the regulation might make open banking implementation less attractive |
Although GDPR and PSD2 converge around five pillars (enhanced customer and data protection; improved data compliance, meaning that data use must comply with the law; data quality, including accuracy, consistency, and lineage; a better user experience; and keener competition), implementation inconsistencies exist.
The main difference between the GDPR and PSD2 is that while the former is a regulation, the latter is a directive open to interpretation by the individual EU Member States. While the GDPR applies directly across the EU, PSD2 is subject to translation into member states’ local laws such as France’s Code Monétaire et Financier and Germany’s BaFin ZAG.
Only 21.4% of global finance leaders said their firm was fully compliant with PSD2, according to an executive survey in the World Payments Report 2018, indicating a conundrum as the industry seeks to comply with the Regulatory Technical Standards (RTS) coming into effect in September 2019.
With no rigid standardization guidelines or non-compliance penalties, total and efficient compliance may take more time: 18% of survey respondents said they are still in the compliance implementation stage.
On the other hand, 44.1% of survey respondents said they were fully compliant with GDPR requirements. However, that number is low considering that the compliance deadline was May 25, 2018 (and participant polling took place in July) and the penalty for non-compliance or breach is quite punitive.
Given the ambiguity around certain KRIIs, and the impediments to progress caused by conflicting regulations, standardization is required to resolve anomalies and inconsistencies. Action in areas including data access, data storage and disposal, identity and trust, and interpretation of the term “data controller” may help bolster and expand industry compliance with both PSD2 and GDPR.
For example, both initiatives diverge on data access. While PSD2 emphasizes data sharing with PSPs, GDPR aims to protect personally identifiable information (PII) from third-party payment service providers (TPPs).
When it comes to data control, GDPR requires customer consent for processing data, while PSD2 requires consent for sharing data with other institutions when the account information service provider (AISP) is not the controller. Access to data, fragmented compliance activity, and missing identity and trust details were rated highly as areas of concern by the executives surveyed.
Figure: Executive responses – importance attributed to conflicting parameters under PSD2 and GDPR (% of respondents)
Sources: Capgemini Financial Services Analysis 2018, Capgemini and BNP Paribas WPR 2018 survey (101 responses, July 12, 2018)