Can PSD2 Get Past Its GDPR Problem As Deadlines Hit?

Ladies and gentlemen, it has finally arrived.

From this day forward (March 14), businesses covered by the European Union’s (EU’s) Second Payment Services Directive (PSD2) are supposed to have a testing regime that conforms to the FinTech regulation. However, that’s only the foreshadowing. The bigger deadline comes on Sept. 14, bringing requirements related to strong consumer authentication and other tasks designed to establish a secure, Open Banking environment.

One can certainly feel the charge in the air (though that energy is probably closer to frustration, anxiety and dread than anticipation and excitement), as what is expected to be a major regulatory push for digital payments and commerce transforms from idea to reality. There is strong evidence that many players in the digital space — to say nothing of consumers themselves — remain confused by PSD2.

Besides that, the EU’s General Data Protection Regulation (GDPR), the online data privacy law enacted last year, seems to contradict the letter and spirit of PSD2 in many ways, providing even more challenges for financial institutions (FIs), payment services providers (PSPs) and merchants hoping to keep ahead of regulations. In a new PYMNTS interview with Karen Webster, CEO Rob Eleveld of Whitepages Pro, an online ID verification services provider, walked readers through the emerging PSD2 landscape.

Without downplaying the hard work required to conform to it, Eleveld described how retailers, PSPs and other organizations can get ahead in this new and uncertain FinTech environment. “This is a complex ecosystem for payments,” he said, but one key to making this work for everyone involved is to take a lesson from exercise: Don’t work on the whole body all at once; start smaller with specific muscle groups to build overall strength over time. (More about that in a bit.)

PSD2 Mindset

It is perhaps a missed opportunity (at least for cynical students of history) that this first major deadline for PSD2 — a piece of FinTech regulation that is all but certain to have a place in specialized economic, legal and technical treatments of the 21st-century global economy — happens a day before the Ides of March (March 15).

That’s not only the date on which Julius Caesar was stabbed to death — which, in hindsight, put an exclamation point on the end of the Roman Republic and, therefore, was a major turning point in world history. That date also served as an annual deadline for Romans to settle debts. If not, they generally faced lawsuits from creditors (not slavery or crucifixion, just in case one might be wondering). It is little wonder that the Ides of March became associated with a general sense of doom and instances of dim, unwanted prophecy.

With luck and work, PSD2 will never gain such notoriety or infamy, even if the challenges and expectations seem pretty harsh at this point. This first PSD2 deadline, as Eleveld explained, marks the coming of a change in the FinTech mindset: the sharing of treasured data with outside parties in the interest of encouraging more payments innovation.

“Banks in general, especially issuing banks, are not used [to] sharing a lot of information,” he told Webster. “The core of PSD2 is Open Banking, not the hoarding of accounts from a few big banks to hold up innovation in the payments world.”

As shown in the new PSD2 Tracker, a PYMNTS and Whitepages Pro collaboration, some major players in the payments world are moving forward with those expectations. Mastercard, for instance, has a new offering that will review third parties looking for account access, and confirm that they are both legitimate and compliant with PSD2 and other European regulations.

However, trust issues will likely impede PSD2 progress, even after the March 14 deadline, especially when it comes to consumers’ relationships with banks, now required to share previously siloed data with third parties. For instance, the PSD2 Tracker also found that just 53 percent of U.K. customers said they would give their mobile numbers to their banks, showing a lack of trust, and putting a damper on Open Banking services.

Trust and reluctant banks are not the only problems for PSD2 compliance.

GDPR Complication

FIs, PSPs, merchants and a host of other organizations around the world are trying to make sense of the global impacts of GDPR — which, as is the case with PSD2, has little case law or regulatory precedent to guide decisions, Eleveld explained. Not only that, but the two mandates — one dedicated to consumer privacy protection, and the other seeking to spark the spread of valued information in service of innovation — represent “conflicting requirements,” he said. This has “info security, privacy and legal teams inside companies pulling in different directions.”

Furthermore, many — if not most — companies “were scrambling right up against the deadline” of GDPR, and “now they have another” major regulatory requirement to meet. That can make a person feel out of breath just thinking about it, as though one is charged with riding uphill and downhill at the same time. Yet, it need not be that way, at least conceptually, Eleveld told Webster.

“At some levels, they should work together,” he said of GDPR and PSD2. “The spirit of them should work together.”

The larger points of both regulatory regimes are to build a better digital economy, after all — even if many companies understandably remain skeptical of regulators’ intentions in both instances. Still, he said regulators are eventually “going to have to chime in about where it’s OK to share information [via] PSD2” in light of those GDPR privacy restrictions. “We need clarity on that.”

Building PSD2 Muscle

That’s enough theory, though. What about the practice when it comes to PSD2 compliance — a job that will only become more difficult in the coming months? What about innovation, and how will that happen under PSD2?

Well, for the first part, let’s return to the subject of exercise and building muscle.

Eleveld, who happened to work with nuclear submarine technology in the U.S. Navy, should know a bit about testing complex systems. He told Webster that he favors “picking out an area to test it well, not trying to make everything work come March 14.” More specifically, that means “let’s try to pick out one transaction type, and work on something simple and small, and then take those learnings and apply to bigger sets of transactions.”

He went further into that line of thinking. “When we get the muscle a little bit stronger (right now, it’s all flab), eventually, hopefully, by September or the end of the year, [we’ll get] this working at 50 percent or 70 percent” of where it should be, he said. “That’s a good target, but everyone needs to start exercising now.”

Merchant Pressure?

Yet, PSD2 is about an ecosystem, not individual companies. Getting from testing and deadlines to true payments innovation is going to require certain participants in that ecosystem to pull some specific weight — at least, according to how Eleveld envisions the development of FinTech under PSD2. Issuing banks, in his telling, will be reluctant to go full speed toward the PSD2 ideals of information sharing in the service of innovation, and that will put more of the burden on merchants — which, after all, have intimate transaction relationships with consumers.

“Eventually, merchants will find different ways to put pressure downstream on issuing banks,” he predicted. “And some issuing banks will come to the forefront, seeing this as a competitive advantage. I think those banks should be rewarded, but that’s up to the regulators.”

The news of the March 14 PSD2 deadline is likely to be ample and telling, and give hints of not only how the Sept. 14 deadline will impact FinTech and other players, but how the innovation envisioned by the regulation’s crafters will really happen. For now, though, there’s much work to be done in building those muscles in advance of the toil to follow in the coming months.