Banks torn with GDPR start as EU pulls them in opposite directions
(Bloomberg) -- European banks are agonizing over how to handle the mountains of client data at their disposal -- and not just because Facebook Inc.’s privacy scandal showed them the potential pitfalls of getting it wrong.
Sweeping new European Union rules kicked in on Friday, setting out strict new boundaries on the information companies can gather about their clients and how they use it. Violators can be fined as much as 4 percent of their global revenues.
But for banks, that’s just the beginning. Lenders must also prepare for separate rules -- in a law known as PSD2 -- requiring them to hand over the same data to little-known technology startups and other firms next year. The apparent clash has prompted head-scratching over how these requirements are going to work together.
“You are left in the position where I risk PSD2 non-compliance” or “I risk jeopardizing the protection of my customers’ data by sharing it with someone whose reliability I can’t attest to,” said Brad Carr, a senior director at global trade group the Institute of International Finance. “It’s not a great dilemma to be in.”
Lenders have been complaining loudly about the controversial update to the EU’s payment-services rules -- or PSD2 -- under which they have to give out customer data to third parties if a client asks them to do so. While the aim is to spark competition in a sector traditionally ruled by banks, the financial industry says they’re at a disadvantage because technology firms aren’t subject to the same requirements.
“Banks are very concerned about competition opening up, and now you are suddenly facing the data privacy discussion with the customer, who would have the right to say you’ve been violating GDPR,” Ruth Wandhoefer, the global head of regulatory and market strategy at Citigroup Inc. said at a privacy conference last month.
“The problem for banks and payment service providers is that if we are non-compliant with GDPR, which could be triggered by compliance with PSD2, we have to potentially pay up to 4 percent of global turnover as a fine,” said Wandhoefer.
Part of the challenge is that while GDPR does hold fintech firms that misuse or fail to protect customer data provided by the banks financially liable, it’s the lender -- who is powerless to police the data once it’s handed over -- who would likely bear the brunt of bad press in the public’s eyes, Lokke Moerel, a data-protection lawyer at Morrison & Foerster LLP, said in an interview.
Society will still expect them to “make sure things don’t get out of hand,” she said.
Fintech firms will be obliged to have “appropriate technical and organizational measures” in place to avoid data breaches, and if a breach does happen, companies will have to notify them to their privacy watchdog within 72 hours latest, or face being fined.
As a result of the uncertainty, banks may have an incentive to declare a lot of their client data as sensitive, meaning it doesn’t have to be shared with anybody, even under new payment rules. The result of such a strategy would however mean that competition in the financial technology sector may not become as lively as policy makers had hoped.
The new payment rules took effect across the EU at the beginning of this year. The crucial standards that govern the access to a bank’s data vault only come into force in the middle of 2019, giving firms time to adjust and establish secure communication channels.
In a survey by McDermott Will & Emery LLP, 40 percent of the companies polled said they won’t be ready to comply with the regulation in time, with many saying that they don’t understand what exactly is required of them.
The possible complications have drawn the attention of Sophie in ’t Veld, a Dutch member of the European Parliament, leading her to seek clarifications from regulators and the commission about the interaction of data-protection law and the revised payments rules.
Valdis Dombrovskis, the EU commissioner in charge of financial-services policy, said in a letter to her dated April 30 that he’s confident the two sets of legislation “provide us with a solid regulatory framework for ensuring the protection of personal data.”
Still, he said the practicalities “of protecting personal data in the use of third-party services will have to be clarified in the coming months.”
Thomas Leysen, chairman of KBC Group NV, was asked at a Brussels conference this week whether banks should worry about being held accountable for any breaches of data while in the hands of third parties.
“We have to make sure that that doesn’t happen,” he responded. “It’s a daunting task.”
--With assistance from Fabio Benedetti-Valentini