Time is running out for companies to comply with the European Union’s Revised Payment Services Directive (PSD2), which takes effect in January 2018, and General Data Protection Regulations (GDPR), which kick in in May 2018. The trouble is that these two sets of guidelines are not only strict on their own, but in some respects even seem to work against each other. How are financial institutions to approach this conundrum?
PSD2: OPEN WIDE!
In essence, what PSD2 will do in Europe is to require banks, traditionally the custodians of customers’ personal information, to give third-party providers (such as retailers and fintech providers) access to account information. PSD2 does not specify penalties for non-compliance, but states that EU member states have to lay down their own appropriate penalties.
GDPR: INFORMED CONSENT
The GDPR mandates increased control around consumer information privacy, and will apply to all organizations that handle the personal data of any EU resident. This means that it is not only European companies which will be affected. Multinationals will also need to comply in order to keep their European operations – and avoid a fine of up to €20 million ($23 million). It’s no wonder a recent survey by PwC found that GDPR readiness is the highest priority on the security agenda for more than half of the US companies with a European presence.
What does compliance entail? The GDPR’s primary message is that the power to decide whether or not to share personal data with a company must remain with the customer. Companies must also be thorough and completely transparent in keeping customers informed about how their personal data is used.
A JUGGLING ACT
Satisfying both these regulations can be tricky. You will need to have the ability to share information, as well as the ability to prove consumer consent for this sharing. Entersekt’s PKI-based solution, Transakt, enables you to capture cryptographically signed consent from the customer when third-party access to sensitive information is requested.
With our technology, providing consent is as easy as accepting or rejecting a push-based request on your mobile. The customer feels empowered, without being subjected to cumbersome and time-consuming authentication processes, while the heavy lifting is done in the background. This method of capturing non-repudiable proof of consent through a convenient, smartphone-based solution significantly simplifies compliance with both PSD2 and GDPR guidelines.
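To make the mechanism concrete, the following is an added illustration of what "cryptographically signed consent" means in practice; it is not Entersekt's or Transakt's code, and the record layout, field names, freshness window and Ed25519 key choice are assumptions made for this example. A key pair is generated for the customer's device, the consent decision (who is asking, for what scope, when, against which one-time nonce) is serialised deterministically and signed on the device, and the bank verifies the signature against the enrolled public key before honouring the third-party request. Because only the device holds the private key, a valid signature is evidence the bank can later produce to show the customer did consent, and any alteration of the stored record afterwards is detected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ConsentRecord is the statement the customer signs on their device.
// The field set and names are constructed for this example.
type ConsentRecord struct {
	CustomerID string `json:"customer_id"`
	ThirdParty string `json:"third_party"` // provider requesting access
	Scope      string `json:"scope"`       // e.g. "account_balance:read"
	Decision   string `json:"decision"`    // "accept" or "reject"
	IssuedAt   int64  `json:"issued_at"`   // unix seconds, set on the device
	Nonce      string `json:"nonce"`       // hex challenge binding one request to one consent
}

// SignedConsent is the evidence the bank keeps: the record plus the device signature.
type SignedConsent struct {
	Record    ConsentRecord `json:"record"`
	Signature string        `json:"signature"` // base64 Ed25519 signature over canonicalBytes(Record)
}

// canonicalBytes serialises the record deterministically so the signer and the verifier
// sign and check exactly the same bytes. encoding/json emits struct fields in declaration
// order, which makes the output stable.
func canonicalBytes(rec ConsentRecord) ([]byte, error) {
	return json.Marshal(rec)
}

// NewNonce returns a fresh random challenge to embed in the consent request.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// GenerateDeviceKey creates the customer's device key pair. In a real deployment the private
// key never leaves the device; only the public key is enrolled with the bank.
func GenerateDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignConsent runs on the device: the customer's decision is signed with the device private key.
func SignConsent(rec ConsentRecord, priv ed25519.PrivateKey) (SignedConsent, error) {
	msg, err := canonicalBytes(rec)
	if err != nil {
		return SignedConsent{}, err
	}
	sig := ed25519.Sign(priv, msg)
	return SignedConsent{Record: rec, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// VerifyConsent runs at the bank. It returns nil only if the signature is valid under the enrolled
// public key and the record is fresh, so an old consent cannot be replayed for a later request.
// The caller still has to look at Record.Decision and Record.Scope before releasing any data.
func VerifyConsent(sc SignedConsent, pub ed25519.PublicKey, now time.Time, maxAge time.Duration) error {
	sig, err := base64.StdEncoding.DecodeString(sc.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	msg, err := canonicalBytes(sc.Record)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not match record")
	}
	issued := time.Unix(sc.Record.IssuedAt, 0)
	if issued.After(now.Add(time.Minute)) || now.Sub(issued) > maxAge {
		return errors.New("consent outside freshness window")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateDeviceKey()
	if err != nil {
		panic(err)
	}
	nonce, _ := NewNonce()
	rec := ConsentRecord{CustomerID: "cust-0001", ThirdParty: "example-fintech",
		Scope: "account_balance:read", Decision: "accept", IssuedAt: time.Now().Unix(), Nonce: nonce}
	sc, _ := SignConsent(rec, priv)
	fmt.Println("as signed:", VerifyConsent(sc, pub, time.Now(), 5*time.Minute))
	// Widening the scope in the stored record after signing invalidates the evidence.
	sc.Record.Scope = "account_balance:read transactions:read"
	fmt.Println("after tampering:", VerifyConsent(sc, pub, time.Now(), 5*time.Minute))
}
```

The nonce and timestamp are what tie a signature to one specific access request; without them a single "accept" could be presented as consent for any later request, which is exactly the kind of evidence gap a GDPR audit would pick up.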
With so many different and potentially even incongruous requirements to meet, the best choice that a company can make is to join up with an experienced and knowledgeable IT partner, who can help them steer through the treacherous waters of regulation.