European Union: PSD2: Legal Issues In Open Banking (And GDPR!)

Last Updated: 6 March 2019
Article by Giangiacomo Olivi

Directive (EU) 2015/2366 (the so-called Payment Services Directive 2, or PSD2) has contributed greatly to the consolidation of the European payment services market and, as a consequence, to the growth of open banking in the EU. In Italy, PSD2 has been implemented by Italian Legislative Decree 218/2017, published in the Official Journal on 13 January 2018 (the Legislative Decree).

Open banking is generally defined as a system of technologies that allow consumers to access traditional banking or financial services and products through the use of digital means and tools, such as apps, web platforms, software and the like.

PSD2’s provisions contributed to the rise of open banking by breaking down banks’ and financial services providers’ consolidated monopoly on the use of customers’ data for making payments, making investments and managing money, both online and offline.

Thanks to the rise of open banking the European FinTech ecosystem has flourished, covering everything from personal finance apps to robo-advisory, from innovative payment service providers to online banking.

This disruption led traditional banks and financial firms to rethink how they approach customers, especially younger generations, in light of the challenges posed by ‘openness’ in their respective sectors.

Data is fueling this rapid change and fostering further innovation in open banking and FinTech. However, data brings all the challenges and legal issues associated with its collection, use and sharing, as covered by the General Data Protection Regulation (GDPR).

What are the main legal issues connected to open banking?

When it comes to PSD2’s provisions, the processing of personal data must take place in full compliance with GDPR. The territorial scope of GDPR is quite broad: it applies to processing by controllers established within the European Union and to processing related to data subjects who are in the European Union by a controller not established in the European Union, subject to a number of criteria (e.g. the processing concerns the offering of products and services to data subjects in the European Union).

Data controllers are required to put in place a number of compliance measures. By way of example, the relationship between the bank and the third-party provider of financial services should be clearly defined: the parties should guarantee security standards and should have access to data only when necessary for providing the services. In addition, data controllers are required to ensure that data subjects can effectively exercise their rights; this duty may entail difficulties, especially when it comes to requests for access to the criteria applied in profiling activities.

In light of the potential risks that may derive from the processing of personal data related to financial services, it is highly recommended to perform a data protection impact assessment in order to identify which actions are necessary to lower those risks.

Concerning data security, the risk level has increased with the digitalization of financial services. This is particularly true with reference to “open systems”, as such systems expose data to external attacks that may affect system functionality. Consequently, data controllers are required to put in place security measures that ensure the continuity of the systems, the availability of their customers’ data and the currency of the information stored.

Last but not least, the new services should protect consumers’ rights and ensure that the applicable consumer laws are properly taken into account.

Focus: what about GDPR and PSD2?

PSD2 provisions state that payment service providers shall only access, process and retain personal data necessary for the provision of payment services, and with the explicit consent of the payment service user.

This means that payment service providers have to obtain consent meeting the GDPR standard (i.e. freely given, unambiguous and explicit approval) and to limit their processing activities to what is strictly necessary for the provision of their innovative services.

In practice, this would make the provision of FinTech services based on open banking subject to consent, whereas under GDPR alone FinTech providers could process consumers’ data on a contractual basis or, alternatively, on the basis of their legitimate interest or that of third parties (e.g., banks and financial firms).

Specifically, PSD2 provides for three types of consent for processing: (i) explicit consent to the payment service provider’s access to personal data; (ii) explicit consent to the payment order or transaction; and (iii) explicit consent to access to the payment account for gathering a user’s account and payment information.

In light of the above, the question is therefore how to interpret this obligation to obtain all PSD2 consent(s) from a GDPR perspective, and whether an alternative legal basis to consent is acceptable for such processing activities.

PSD2 was passed at the end of 2015, when the GDPR trilogue negotiations had not yet been completed, so there may be some misalignments between the two instruments.

In a sense, PSD2 could be lex specialis with respect to GDPR’s wider provisions concerning the protection and processing of personal data (as in the case of the ePrivacy directive/regulation, the clinical trials regulation, the AML directive, etc.).

This means that specific consent to certain types of processing (i.e., FinTech-related processing activities) would still be required even in those cases where another legal basis for the processing may apply.

This is important because it draws a line between the payment service / FinTech sector and the enforcement of the EU’s data protection laws and regulations. Furthermore, it also poses important legal issues concerning open banking.

What are Italian regulators saying?

Although PSD2 was implemented in Italy by means of a Legislative Decree, there is as yet no guidance on the interaction of this law with the applicable national privacy provisions.

In this regard, the Italian data protection authority (the Garante) has not issued any particular statement relevant to FinTech-related data processing activities or to data protection issues in open banking services in general.

On the one hand, this is because the European Data Protection Board has created a specific focus group for investigating the relationship between PSD2 and GDPR, whose activity may result in official guidance on the issue.

On the other hand, according to some commentators, this may also be due to the fact that the Garante’s board is set to change this summer on the expiry of the board’s term. Therefore, it will be up to the new board to handle most (if not all) of the “thorniest” issues left open.

In any event, prior to taking its stance on this issue, the Garante should most likely inform or coordinate with other entities, such as the Italian Ministry of Economy, the Italian Commission for Stock Exchange Control and the Bank of Italy.

Finally, given the rapid growth of FinTech and open banking, in Italy as well as in the EU and the rest of the world, we would expect to see more shared guidance by regulators in the coming years.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
