
PSD2 & GDPR regulations on collision course?

Krzysztof Trojan

The second half of 2018 looks interesting. Two major pieces of EU legislation of importance to banks will come into force at roughly the same time. The Revised Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR) have a substantial area of common concern: customer data.

However, while the PSD2 is all about making the data of individuals available to third parties, the GDPR is all about keeping this data private.

The PSD2 will require institutions to open access to personal information related to customer accounts to third parties with which the institution has no contractual relationship. The GDPR, on the other hand, restricts sharing personal data with third parties: basically, it is up to the individual to give consent and to provide the data to the data processor, not a decision made by other processors on the individual's behalf. Considering the overlapping scope and conflicting aims of these two pieces of legislation, surprisingly little has been said in the texts themselves about their coexistence.

A closer look at GDPR and PSD2

Not surprisingly, the GDPR does not mention the PSD2, whereas the PSD2 has an entire chapter on data protection.

Chapter 4 consists of a single article, Article 94, seven lines of text in total. It refers to the data protection rules of 1995 and 2001 (Directive 95/46/EC and Regulation (EC) No 45/2001) and does not acknowledge the existence of the GDPR, nor does it refer to potential future regulations. Much more is actually written in the preamble, but it is still all about compliance with rules which will no longer be in force by the time the PSD2 is to be implemented.

The conclusion is that the text of the acts is of little help where the two conflict with each other. The assumption that the PSD2 directive explicitly excludes itself from the scope of the GDPR is tricky at best!

The Regulatory Technical Standard does not help

One could be fooled into believing that the Regulatory Technical Standard (RTS) would cover the details. After all, this is what the Directive says:

'When developing regulatory technical standards on authentication and communication, EBA should systematically assess and take into account the privacy dimension, in order to identify the risks associated with each of the technical options available and the remedies that could be put in place to minimise threats to data protection.'

I have read the draft RTS quite a few times. As the technical options are not named there, one can hardly find any remedies for the risks linked to those options.

Consent – the common element of both regulations

There is one element that is common to both regulations: customer consent. In the end, the power is meant to rest with the customer, and if the customer decides to share his or her data with any institution, no one is to challenge that.

But there are at least two problems:

  • Both regulations are rather vague about the form of the consent required. Considering that consent in electronic form is a practical necessity for the PSD2, the technical means of providing and verifying such consent are also absent.
  • The subject of the consent differs. The GDPR requires the customer's consent for processing; the PSD2 requires consent for sharing data with other institutions for which the ASPSP is not the controller (see "controller" in the GDPR). Can a bank grant access to a third party based on the customer's consent to share, without checking whether the customer's consent for that third party to process the data is in place? And how is the bank to verify this?

At this point, we arrive at another important omission: the relation to the rules on electronic identity and trust services, virtually missing from both the GDPR and the PSD2. eIDAS seems to be an unknown concept to the GDPR, and the PSD2 only mentions it in the context of authenticating TPPs.


The potential penalties an institution may face if found in breach of the GDPR are enormous: up to €20M or 4% of global annual turnover, whichever is higher. At the same time, the PSD2 itself does not name any penalties for non-compliance, leaving sanctions to the member states. I am not surprised financial institutions are so slow in preparing for the PSD2. Were I a compliance officer at any bank, if the slightest doubt arose, I would forget the PSD2 in favour of the GDPR, applying the most rigid interpretation possible.

For the PSD2, however, this may mean that it will become a dead letter, or at least delayed severely...
