GDPR and PSD2: what are the issues for FinTechs?

The FinTech model is reaching a new level of maturity. The first stage saw them disrupt the traditional banking business models using technology to impact the customer experience and relationship. The second wave offers FinTechs the opportunity to expand their service offering and develop their independence, provided that they understand their relationship with the regulatory environment.

Optimising the customer journey through major technological innovation is at the root of FinTech development. Such innovation has enabled FinTechs to engage with the banking sector to offer payment solutions, currency management, and so on. Today they have developed a broader spectrum of banking services focusing on the core activities of traditional banking, including savings, payments, overdrafts/loans and financial advice. This is a significant development for the industry, because it frees FinTechs from the need for backing by a large banking network or even a Google, Apple, Facebook, and Amazon (GAFA) company. Therefore it guarantees their independence at the very moment when the regulatory landscape introduced by the revised Payment Service Directive (PSD2) is very much to their advantage.

The first challenge, and by no means the least, for these FinTechs – particularly the neobanks – is to obtain a banking licence, which will tip them into a regulated world. They are then subject to the same rules as the rest of the banking industry, which has seen an unprecedented wave of regulation mainly focused on transparency and the protection of customers and savers.

Know Your Customer (KYC), the quality of data, ethical prerogatives: this unprecedented intertwining of regulation and technology exposes FinTechs to complex situations. The development of IT architecture for example, which is unavoidable with the adoption of the cloud/Software as a Service (SaaS) and the Internet of Things, multiplies the threat of cyber attacks. The use of chatbots brings with it new requirements for the auditability of algorithms. Finally, General Data Protection Regulation (GDPR) coming into force on 25 May 2018 will also have a major impact on the sector.

GDPR: a significant impact

Data is at the heart of the FinTech business model. GDPR has an impact on the collection of this information: FinTechs must demonstrate the integrity and validity of their customers’ consent to the sharing, marketing and commercial use of their personal information. FinTechs will also have to tell customers the purposes for which they process and use the data, and appoint a dedicated Data Protection Officer. Finally, failure to comply with GDPR principles, including properly recording the customer journey and the registration process, will incur heavy penalties. Penalties will be discretionary and, depending on the nature of the breach, range between 2% and 4% of worldwide revenue, with upper limits of Euros 10m and Euros 20m.

Faced with these issues, FinTechs must demonstrate to customers their respect for the confidentiality of personal data within the architecture of their service solutions. Finally, the right to be forgotten introduced under GDPR, is bound to call into question certain rapidly expanding practices such as blockchain.

What will the impact of PSD2 be?

In the second version of its payment services directive [1], for which the phasing-in period runs to September 2019, the EU redefines the rules of the game for banking payment services. This directive heralds the arrival of Open Banking, forcing banks to allow third party providers [2] access to bank accounts and to initiate payments on the customer’s behalf if consent is given.

For FinTechs this is a crucial issue as the directive provides the basis of a new marketplace for them through the use of the existing banking and payment infrastructures. The directive also considers the significant operational changes for all payment service providers, not least for the security of online payments and the protection of customers’ financial data.

With a more agile and digital infrastructure, FinTechs will find it easier to adapt their model in respect of:

  • IT architecture and systems and customer interfaces,
  • products and services including any improvements and opportunities,
  • commercial documentation, general conditions and education,
  • the method of processing claims and alternative dispute resolution procedures,
  • reporting obligations and statements,
  • fraud, security and risk management,
  • requirements in terms of resources, budgets and staff training.

Anxious to prevent new risks potentially introduced into the banking system by the very technologies that give FinTechs a competitive edge, supervisory bodies are beginning to work more closely with market players. In France, for example, the banking supervisory body, ACPR, has taken particular interest in the question of licences and has begun a preliminary phase. It is giving 200 start-ups at Station F, the world’s largest start-up campus, the chance to talk directly with the watchdog through its FinTech one-stop-shop.

Given their agility and digital platform, there is little doubt that FinTechs are potentially well placed to incorporate the regulatory constraints inherent in the successive expansions of their service offering. But in order to fully succeed, they will need to grasp the strategic nature of compliance in the banking environment.


[1] Payment Services Directive (PSD2)

[2] Third Party Payment Services Providers, TPP