Should payment firms be limited in how they reuse data or are the laws based on GDPR sufficient?
There are a multitude of benefits for payment firms that can successfully leverage big data analytics and open banking tools. Insights into transaction patterns, understanding customer needs and combating money laundering are just some of the advantages of big data payments sharing.
However, obtaining these benefits requires payment firms to navigate a minefield of regulatory obligations, not just within their home country but also internationally when undertaking cross-border data transfers. “There are various benefits to banks in sharing payments data, from the ability to offer their clients more sophisticated products and services; to the cross and upsell of products enabled by better understanding of customer behaviours, habits and preferences,” says Amit Mallick, open finance lead at Accenture.
“For consumers, they stand to benefit from personalised offerings, loyalty programmes, discounts and intuitive and interactive solutions for payments and budgeting,” adds Mallick. “For SMEs, the sharing of payments data can facilitate insight-led products and services.”
Currently, the majority of information flowing through the payments ecosystem still constitutes personal data. This is not always obvious, as the information may be linked only to a transaction ID or a card number with no name attached, but there is always an individual behind any transaction data.
“What we have seen coming up quite a lot in discussions between merchants and particularly payment service providers, is the concept of purpose limitation,” says Simon Elliott, head of data privacy and cybersecurity practice for the UK, Ireland and Middle East at Dentons.
“What this means is the rights or permissions for payment service providers to reuse data for their own purposes.”
For example, merchants can pull together large datasets from across their bases and supplement this with data from third parties to examine patterns of fraud or to look into developing new products or services based on trends.
Debates are currently ongoing as to what ‘limits’ should be placed on payment firms reusing data, with the issue of consent at the forefront.
“There are obviously issues surrounding consent and the ability to use and access data. This is where there’s an important interplay between the revised Payment Services Directive and data privacy laws such as GDPR,” adds Elliott.
Implicit vs explicit consent
The European Commission’s revised Payment Services Directive (PSD2) was issued in March 2018. It aims to further level the playing field for payment service providers by including new players and enhancing protection for European consumers. It often intersects with the EU’s General Data Protection Regulation (GDPR), from which the UK’s own version is replicated.
Within PSD2 there are certain obligations under which payment service providers must obtain what is referred to as ‘implicit consent’ to gain data access. Implicit consent arises when a consumer takes an action that inherently entails consenting to the use of their data. For example, when a customer makes an online purchase on Amazon, it can be argued that they are giving implicit consent to their address being used for delivery of the purchase.
In contrast, ‘explicit’ consent takes it a step further where a consumer may grant consent for data access only after they are given an explanation of what data is being accessed, what it will be used for and who it is being shared with. “Within the GDPR context that tends to be more limited to special categories of data such as medical information, biometric information, sexual preferences, political views, etc,” says Elliott.
“This type of explicit consent is needed to access payments data or client information under PSD2, whereas under GDPR, financial information isn’t recognised as being sensitive, so there’s always been this gap,” he explains. “However, that is where PSD2 comes in and grants additional protections.”
The European Banking Federation has expressed concerns regarding the potential for ‘asymmetries’ between the Data Act and other frameworks, such as PSD2. “These kinds of conflicts could lead to complexities or disputes in compliance and enforcement,” says Debbie Evans, managing director at FTI Consulting’s information governance, privacy and security practice.
The European Data Protection Board has also issued guidance for the intersection between PSD2 and GDPR, specifically that “controllers acting in the field covered by the PSD2 must always ensure compliance with the requirements of the GDPR”.
“The key takeaway in all of this is that the requirements are complex, and uncertainty remains,” says Evans. “Organisations engaging in data sharing activities will need to proceed with caution and strong data protection controls to uphold defensible practices under GDPR and potential impending laws or revisions to existing legislation.”
Cross-border data sharing
Transferring payments data between the EU and the UK is relatively simple as the UK is viewed as “adequate” by the European Commission. This means that the UK is seen to provide the same level of data protection as its European neighbours, which allows personal data to flow freely between it and the bloc. However, transferring data internationally becomes a headache for payment firms when national regulators believe that there are differing levels of data protection between the origin and destination country.
“In this era of digital commerce, political and regulatory divergence poses real risks to the socio-economic benefits and opportunities of data use,” says a spokesperson at Visa.
“Attempting to fully harmonise privacy and consumer protection laws at the global level is likely to be a lengthy and perhaps impossible endeavour,” they add. “For international or cross-border harmonisation, trade agreements can be a powerful way of creating interoperability.”
Aside from trade agreements, over which payment firms have little control, there are legal solutions that can be implemented to ease international data transfers. Heavyweight countries such as the US and China are not viewed as adequate by the EU, so firms often use standard contractual clauses (SCCs) to work around the lack of an adequacy decision.
“The UK also has alternative tools known as an international data transfer agreement (IDTA) or UK Addendum,” says Phil James, partner at Eversheds Sutherland’s global data privacy and cybersecurity practice. “The IDTA is something you can use instead of a UK Addendum, which works alongside the EU SCCs, and it stands alone without reference to the standard contractual clauses.
“There was previously a type of entente or treaty between Europe, UK and the US which is intended to avoid the need for having the standard contractual clause in place. But it was voided as a result of the US’ Schrems II decision.
“Also, dependent on the territory in which you’re transferring personal data to and from, you may also need to do things like carry out an accompanying transfer impact assessment, especially in addition to SCCs.”
With the multitude of compliance issues payment firms face when transferring sensitive financial personal data between borders, James advises companies to view it first and foremost as a fact-finding exercise.
“You need to know what data is being transferred and the originating and destination countries. Will there be external parties or subcontractors involved? There’s quite a lot of fact finding involved, but once you get a handle on that, you can then develop a proportionate and risk-based compliance solution.
“It can be helpful to develop a suite of contracts or some template agreements, which make it a lot easier to contract efficiently rather than trying to develop a bespoke contract all the time,” he advises. “But it does depend on the bargaining strength of your counterparty.”
Reaping the benefits of big data
With all the regulatory burdens and complications that come with big data sharing, why are payment firms set on open finance?
“Sharing payments data can help detect and prevent fraud, financial crime and money laundering,” says Luke Pearce, chief data officer, data and analytics centre of excellence at Santander UK. “It also has the potential to make it easier for people to manage their money through innovations such as open banking.”
If payment firms can avoid the regulatory pitfalls, cross-border data sharing can bring benefits to all stakeholders along the payments value chain. “Data is integral to commerce today. When data sharing is managed with privacy and data protection controls built in, it can drive significant value, by introducing commercial efficiencies and accelerating the speed of transaction,” says Evans.
Abhimanyu Julaniya, senior director at management consulting firm Simon-Kucher, agrees with Evans on the benefits of open finance. “Some of our clients have also been able to smartly use first-party data on their digital channels to offer a more relevant and targeted offering to their customers.”
However, businesses must stay on top of the ever-changing regulatory landscape. In the EU alone, several regulatory frameworks are underway. Most notably, the proposed Data Act, drafted by the European Commission in February 2022, aims to plug the gaps in current data regulation.
“The UK government is also grappling with the extent to which it tracks EU law or whether it wants to try and do something a bit more innovative,” says James. “The extent of innovation needs to bear in mind the risk of whether the EU deems the UK inadequate for the purposes of ex-EU-UK transfers when it comes up for renewal in three years or so time.”
While it may take skilled regulatory navigation and resources to keep up with regulatory trends, the benefits open data can bring to payment firms are likely to pay off tenfold in years to come if data can be leveraged correctly.