The Meat in the Sandwich
Caught between two regulatory juggernauts
I’ve been really enjoying the recent Six Nations rugby: there is some phenomenal skill on show, and some very astute tactics, but you can’t beat the sheer physicality of rugby – crunching tackles from hulking defenders, and fleet-footed agility to feint and evade “on the hoof” (to use Bill McLaren’s immortal phrase).
Banks are enduring heavyweight challenges of their own
Much of my job is spent helping Icon’s customers navigate the increasingly complex regulatory frameworks they must comply with, and it has occurred to me that the difference between being tackled heavily and sprinting clear towards the try line is a very apt metaphor for the situation facing many large financial organizations. Multiple significant regulatory challenges are upon them at the same time, all with the potential to severely curtail business activities.
The first significant piece of regulation (law since 13 January 2018) is the Second Payment Services Directive (PSD2), also known as Open Banking. As well as setting out a common legal framework for making and receiving payments, PSD2 enforces the right of customers to choose third party financial services to initiate payments, and to use their account information. These changes support the evolving landscape of e-commerce: growth in mobile and online payments, and data aggregators providing customers with “value-add” financial services.
The second significant piece of regulation (compliance required by 25 May 2018) is the General Data Protection Regulation (GDPR), the aim of which is to ensure the data privacy of all EU citizens and their protection from data breaches. GDPR expands both the jurisdiction (it applies to all companies processing personal data used to provide services in the EU, no matter where they are based geographically) and the financial penalties for breaching the regulation. The rights of a data subject (customer) to access and control their personal data, at no cost, are also strengthened by the GDPR.
It’s all settled on the pitch
The crux of the problem faced by financial organizations is in the conflicting demands of the two regulatory behemoths: if they angle their run to avoid being tackled by GDPR, they run the risk of being brought to ground by PSD2, because they can’t safely implement services which expose their customers’ account data to be used by third party data aggregators. Similarly, if they try to escape from PSD2 down the by-line, they’re very likely to be slammed into touch by GDPR, because they’ve exposed personal data in an insecure manner and are in danger of significant data breach. To be compliant with both sets of regulations, a financial organization’s personal data crown jewels must be exposed over online services, but only with demonstrably robust security protocols and breach detection.
There’s already discussion in the industry regarding whether customers’ data privacy concerns will restrict the take-up of the opportunities provided by Open Banking (see the recent Sunday Times report “Opening up banking is a revolution”). It’s an interesting issue, because those customers most likely to take up the new services arising from Open Banking – millennials or technophiles – are also very aware of the value of personal data, the impact of it being misappropriated, and the very real risk of that happening. These customers will demand fact-based reassurance that the sharing of their personal data between different organizations is both fully within their personal control, and supported by robust, well-designed IT security protocols to defend against cyber-crime. Banks and third parties will need to prove this level of security and build trust with their customers for Open Banking to fully succeed, and to be GDPR-compliant.
Ultimately, it’s all about being match-fit
It’s obvious that the more widely customer data is shared across different organizations, the greater the risk of a breach involving that data. It’s also obvious that customers are very aware of this, due to recent high-profile data breaches. However, if a bank or service provider achieves compliance with both the GDPR and the PSD2 regulations through careful investment in their IT architecture and infrastructure, then their customers can have a high degree of confidence in the Open Banking services they are provided with.
The key point here is to communicate what regulatory compliance, for both GDPR and PSD2, means in the real world: a transparent demonstration of full data security implementation by both the banks and third-party service providers. There is no single technological “silver bullet” that can provide this reassurance: it requires diligent IT design and implementation. That brings other benefits too: the same work can be used to demonstrate compliance to either regulator, and it is very likely to eliminate technical debt, thereby removing significant residual costs and risks from the day-to-day running of the IT estate.