PSD2 and GDPR: are they enough for open finance?

2018 was a milestone year for data regulation in the UK and Europe, with the implementation of both the revised Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR). Designed to protect individuals’ rights with regards to the collection and use of their personal data, these regulations helped drive the growth of open banking and laid the foundation for open finance. But two years on, has it been enough?

The right to data

In January 2018, PSD2 introduced new rights for certain third-party providers (TPPs), allowing them to directly access payment service users’ online payment accounts with their explicit consent. It also required Account Servicing Payment Service Providers (ASPSPs), such as banks, to permit access to this data through a dedicated interface.

Several months later, GDPR came into effect as well. This enhanced individuals’ rights around their personal data, including the right to data portability.

Together, these regulations opened up the market to new players while simultaneously mandating key consumer protection and data privacy requirements—putting individuals more firmly in control of their personal data. By providing a mechanism for TPPs to access this data directly from the source, PSD2 in particular made it possible for financial players such as Plaid to emerge in the UK and Europe and for a range of new, innovative financial services to develop.

Only the start

However, PSD2 and GDPR were not written to support the broad potential range of products and services within the scope of open finance. Indeed, PSD2 applies only to payment accounts, which means there is still no mandate with regards to other types of financial data—such as savings and investment accounts, pensions, or even mortgages.

GDPR provides consumers with the right to data portability, meaning they can share their data with another party. However, data portability does not mean that consumers can easily move their data using a TPP via direct access, even with the consumer's consent. This limits the benefits of data portability for consumers and constrains the emergence of new services.

While PSD2 and GDPR are a solid starting point, they don’t allow consumers to control their financial lives. They have already proven insufficient with respect to the full needs of open finance, which in its most basic definition refers to open access to all financial data—whatever the kind—from financial institutions.

PSD2 and GDPR must evolve to ensure consumers, TPPs and ASPSPs can make the most of open finance and ensure it is a success. Only then will they have what they need to power the full range of apps and services consumers need to live a healthy financial life. In turn, regulators will need to establish clarity on the protections, redresses, and liabilities that additional access will surely bring. The future of open finance is calling for it.

Contact Plaid to learn how we can support your open banking initiatives. And check out the other posts in our Open Banking series:

• Open banking: Should I build or partner?

• Open-banking-as-a-service: what does that actually mean and how does it work?

• Reviewing open banking on a global stage