The PSD2-GDPR Balancing Act

Whitepages Pro On PSD2’s Roadmap To September

September approaches, of course (as it always does) – but this time, with a red-letter day on the 13th as PSD2 takes effect.

As readers of these digital pages know, the European Union directive mandates that bank customers can use third-party providers for financial services. The latest PSD2 Tracker, a joint effort of PYMNTS and Whitepages Pro, found that although PSD2 looms, confusion reigns among enterprises about what the rules mean, much less how to follow them.

GDPR, which came into effect in May of 2018, offers some roadmap for PSD2, as companies grapple with data protection, storage and sharing.

Consider some stats from that January PSD2 Tracker report: 56 percent of U.K. firms surveyed stated that non-compliance with GDPR could affect their reputations. Separately, 26 percent of companies are still using paper diaries that could expose customers’ details.

As discussed in an interview with Spencer McLain, VP, EMEA, at Whitepages Pro, this seeming bifurcation between knowledge of what’s coming with open banking and preparedness to adapt to and adopt those changes (paper trails are still stubborn in the digital age) comes with contrasting mindsets tied to those regulations.

McLain noted that GDPR gives companies the perception that they need to keep their data “as internal as possible and share it as little as possible, because it maximizes their chances of being compliant” with the regulations. Conversely, he said that “PSD2 encourages companies to share data more broadly.”

Thus, as PSD2 becomes reality in just a few months, McLain pointed to a data balancing act that may be tough to navigate for companies, especially because most companies – save for the very largest enterprises – may not have dedicated resources or staff in place to help ensure compliance.

McLain told PYMNTS that his own firm encourages companies to leverage relationships with the companies in the payments ecosystem that are closer to the regulations and instrumental in shaping them.

“When it comes to knowledge,” he said, “we encourage the small to medium-sized enterprises to look to their payment service providers and their card schemes to figure out how to best implement measures to remain compliant [with PSD2] while sharing data.”

The Balancing Act

Past discussions with PYMNTS and Whitepages Pro on PSD2 have touched on strong customer authentication (SCA). Looking at PSD2 and authentication in general, when it comes to SCA requirements, said McLain, “the technology most leveraged to satisfy that on the merchant side is going to be the 3D Secure protocol,” where new guidelines come into effect in Europe this year. He added that under this protocol, the examined data elements mushroom from 11 to more than 100. Though merchants may initially be hesitant to share so much more data with merchant acquirers and issuers, McLain said the ultimate benefit will be significant: “There will be a huge increase in authentication rates for the firms that are early adopters of technologies that encourage data sharing.”

Some of the heavy lifting of that data sharing may already have been done, noted McLain, as many security aspects of PSD2 are satisfied as long as firms are in compliance with GDPR. Those GDPR mandates touch on the contractual controls that are in place between firms that send and receive data – and which ensure that both parties have the mechanisms in place to comply with end users’ requests to modify, view or erase data that is being stored.

Thus the stage is set for the merchants that have embraced GDPR and must now comply with PSD2 to “minimize the amount of friction that needs to be placed on consumers” as transactions are underway, maintained McLain.

The biggest shift under PSD2 will be tied to transaction risk analysis. For those companies, and for the merchants and card schemes, the mindset is that “I shouldn’t have to challenge a consumer that has shopped with me for years,” said McLain. “You can look at a device and an identity, and if there is some consistency across the way this consumer has transacted with me time and time again … I should not have to challenge that consumer.”

Against that backdrop, he continued, the card companies are working with large merchants to share data and communicate with issuers on the merchants’ behalf and identify trusted transactions and consumers.

“A lot of that has to do with machine learning,” said McLain – and can help foster what might be thought of as a form of institutional knowledge, where stakeholders sharing data can look for what the executive termed “patterns and trends across a variety of companies,” and where red flags in terms of aberrant behaviors can quickly be identified.

“The rules-based approach that merchants have used in the past is not really going to fly anymore,” he said.

And yet, though GDPR offers a bit of foreshadowing for PSD2 – there’s a reason the implementation guidelines have been staggered between the two, as McLain noted to PYMNTS – the process of transitioning to this brave new payments world will be an intense one.

Asked about what advice he might offer to companies as they automate and examine processes surrounding data sharing and security, McLain said, “What companies need to do now is look at their data strategies holistically … with an evaluation of ‘how are we storing, and where are we storing data?’” Time is of the essence, he said, adding that the risk of missing the September deadline is real. “You don’t realize how long this can actually take until you scope it out.”