In the financial industry, questions arise over the interplay of the second Payment Services Directive (PSD2) with the General Data Protection Regulation (GDPR). Examined separately, each appears to be perfectly sound legislation; viewed together, they may create uncertainty for Payment Service Providers (PSPs).

PSD2 vs GDPR is a comparison between a payment directive that opened up payments and the legislation that protects EU customers' data. To operate successfully, a business must guarantee compliance with both of these laws.

Both the GDPR and PSD2 provide a statutory and regulatory framework for PSPs offering payment services in the EU or the European Economic Area (EEA). Applied together, they should establish the principles of data protection and transparency.

In reality, however, PSD2 was created to open access to Payment Service Users' (PSUs') financial data, permitting third parties to join the payment market and provide supplementary payment initiation services. Ordinarily, these third parties are divided into Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).

In short, PSD2 strives to open up financial data, whereas GDPR aims to protect and secure consumers' personal data, enabling them to understand and control the flow of their information and the purposes for which it is used.

Comparing GDPR vs PSD2 deadlines, both came into effect around the same time: PSD2 on 12 January 2018, GDPR on 25 May 2018.

Conflicts are not the essence of the relationship between PSD2 and GDPR; the two regulations also have commonalities, most notably the emphasis on individual consent. For instance, if a customer wants to share their Personally Identifiable Information (PII) with a third party, PSD2 requires the party holding the data to share it. But if a customer wishes to have their PII deleted, GDPR obliges the party holding the data to honour this request. In both cases, the party that holds the PII must act on the individual's consent.


PSD2 and GDPR compliance

Failure to comply with PSD2 and GDPR can lead to fines. Failure to comply with GDPR may have serious financial consequences: fines can go up to €20M or 4% of global turnover. 4% may seem an insignificant amount until one realises that some multinational companies make billions of Euros per year. PSD2 penalties can be less severe and depend solely on the member states and how they define penalties; in some circumstances there may be no fine at all.

Nevertheless, financial institutions should not let the fear of possible fines allow GDPR to impede the innovation encouraged by PSD2. Rather, there should be a clear action plan for becoming compliant with both regulations and avoiding any PSD2 and GDPR conflicts. Possible action points, if not already done, include:

  • Be precise about automated decisions. Ensure that there is no profiling, as GDPR prohibits it. Also, be ready to justify any automated action in case of consumer inquiries.
  • Oversee a Data Protection Impact Assessment (DPIA).
  • Ensure that new services have data protection integrated into their design.
  • Ensure that it is possible to erase all consumer data on request.

PSD2 and GDPR can work in harmony and enable PSPs to safeguard consumer personal data while seizing new growth opportunities.
