The Revised Payment Service Directive (PSD2) is a directive focused on the further integration of an internal market in payment services. Third parties (Account Information Services Providers or AISPs and Payment Initiation Service Providers or PISPs) will have access to transactional data in order to analyse it and/or execute payments. The PSD2 is a directive, which means that member states need to implement it into national legislation. The implementation deadline for member states is the 13th of January 2018. Even though Belgium has not yet implemented the directive in national law, the key changes are clear: financial institutions will need to give third parties access to bank accounts when double consent is obtained.
This revision of the PSD directive nicely follows the General Data Protection Regulation (GDPR), which focuses on the protection of personal data and transparency towards the natural person and enters into force on the 25th of May 2018. The GDPR is not excluded from the PSD2.
The PSD2 stipulates further requirements regarding transparency towards the natural person, especially when he/she interacts with a PISP. The natural person should be informed about the (executed) payment transactions. The general obligations regarding the information to be provided are the same for both the GDPR and the PSD2: the information needs to be concise, transparent, and presented in an intelligible and easily accessible form, using clear and plain language.
Double consent is necessary
However, transparency alone is not enough. Third parties processing the payment information will need to receive consent from the natural person. Financial institutions as we know them today will also ask the natural person for consent to give the third parties access to his/her financial account. Double consent will thus be necessary under the requirements of the PSD2. Keep in mind that the GDPR not only stipulates general requirements to protect personal data, but also provides specific requirements about the way consent is obtained and how the controller should document that consent was in fact obtained.
AISP and PISP are controllers
Only the controller needs to demonstrate that consent is given. In the PSD2 there is no reference to the concept of a controller, but we can assume this is aligned with the definition of the controller in the GDPR.
According to the GDPR, a controller is the entity that determines the purpose and means for processing personal data. Consequently, both of the third parties stipulated in the PSD2 are controllers, as they alone determine what will happen with the personal data, and how. For example, the AISP can determine the way in which it wants to analyse transactional data, which technology it uses to do so and for which purpose (yet always based on prior consent by the account holder). Whenever the AISP wants to expand or change the purposes for which it processes personal data, and/or when it wants to receive more personal data, it will need to do this in a lawful manner and in line with the requirements of the GDPR, which will very often involve obtaining consent for these new or expanded purposes.
It’s good to see how European legislation regarding personal and financial data is being harmonised, working towards the single digital market. Most importantly, both the GDPR and PSD2 put the ownership where it belongs: with the individual.
This post was authored by Anne Demoor, associate data protection consultant at Cranium with an expertise in applying data protection principles in financial institutions.