EXCLUSIVE — While PSD2 was the subject of extensive focus for European banks, businesses, tech firms, and fintechs, these institutions may not be ready for another data initiative, the General Data Protection Regulation, set to come into effect this May.
In fact, studies show that less than half of businesses in the United Kingdom — only 38% — are even aware of GDPR, much less ready to comply with the deadline.
According to this study, released last week by the U.K. government, just over a quarter of those 38% have made changes to their cybersecurity practices to accommodate GDPR’s guidelines. Separate from PSD2, GDPR deals with regulations around obtaining consumer consent and use of data.
While the finance and insurance industries have the highest level of awareness, said the study, banks still might be struggling to comply with the regulation, which deals with such contentious issues as the “right to be forgotten” by consumers. The initiative provides unique security challenges, as Chris Kronenthal, president and chief technology officer of FreedomPay (a company he described as “just to the left” of PSD2) told Bank Innovation.
“The bigger problem that we solve which is sort of the native brother or sister of encryption is GDPR, which is essentially the right to be forgotten, or the right for consumers to control their data, which is hitting the European market now,” Kronenthal said. “When you consider all of these companies implementing encryption or tokenization and then you walk up as a consumer and say, you have to delete my data, does the merchant have control over that anymore, can they actually comply? So that’s a huge problem coming up that we’re solving in real time with a lot of our partners.”
As Brian Costello, chief information security officer for Envestnet Yodlee, explained, a financial institution might initially find it “difficult to comply” with GDPR, but the initiative could also represent a chance for banks and businesses to build a new kind of relationship with their customers.
“We see this as a fantastic opportunity for [firms] to broaden and strengthen the relationship they have with their customers,” Costello said. “A financially healthy customer is a better customer at the bank.”
Together with PSD2, data and identity regulations like GDPR make it clear that banks, businesses, and technology firms “all have responsibilities to the consumer,” Steve Boms, president of Allon Advocacy, LLC, told Bank Innovation.
While PSD2 and GDPR seem to be moving data and security towards more open platforms in Europe and the United Kingdom, neither Boms nor Costello seemed very optimistic about such regulations latching onto the U.S. any time soon.
“There are so many differences between the U.S. and the U.K., in terms of structure,” Costello said, adding that it might take a bit longer for “something as standardized as open banking” to make its way to the U.S. ecosystem.
In the meantime, however, U.S. institutions should keep their eyes across the pond. GDPR is set to become effective on May 25th, 2018.