Harmonization needed among conflicting key regulatory and industry initiatives to enable new payments ecosystem functionality
The lack of coordination and integrated data management among regulatory authorities is creating contradictory objectives and competing agendas that hinder standardization and cause ambiguity within the new payments landscape.
The objectives of several key regulatory and industry initiatives (KRIIs) overlap. The resulting complementary or conflicting effects are impeding the progress of new payments ecosystems across diverse markets comprising wide-ranging methods, instruments, and players.
The effect of KRIIs on one another, whether cascading, complementary, or conflicting, increases regulatory complexity. It does so just as a new payments universe is evolving, driven by corporations’ increasing demands for value-added services, rising consumer expectations, the shift to open banking, and a spike in payments-enabling technologies.
Overlapping KRIIs stymie the attempts of payments stakeholders to transition to the new ecosystem. In Europe, regulatory initiatives such as the revised Payment Services Directive (PSD2) conflict with both the fifth Anti-Money Laundering Directive (5AMLD) and the General Data Protection Regulation (GDPR), which poses challenges for payment service providers (PSPs).
Regulatory overlaps and the bottlenecks they create require resolution. Meanwhile, on the global front, KRIIs such as those regulating cryptocurrencies are treated differently from region to region, which further muddies the payments waters. If the current ambiguity is unscrupulously exploited, multinational corporations may shelve collaborative opportunities and investment in blockchain-based payments initiatives.
Conflicting KRIIs: PSD2 versus GDPR
Although GDPR and PSD2 converge around five pillars – enhanced customer and data protection, improved data compliance (use must comply with the law), data quality (including accuracy, consistency, and lineage), better user experience, and keener competition – implementation inconsistencies exist.
The main difference between the GDPR and PSD2 is that while the former is a regulation, the latter is a directive open to interpretation by the individual EU Member States. While the GDPR applies directly across the EU, PSD2 is subject to translation into member states’ local laws such as France’s Code Monétaire et Financier and Germany’s BaFin ZAG.
Only 21.4% of global finance leaders said their firm was fully compliant with PSD2, according to an executive survey in the World Payments Report 2018, indicating a conundrum as the industry seeks to comply with the Regulatory Technical Standards (RTS) coming into effect in September 2019.
With no rigid standardization guidelines or non-compliance penalties, total and efficient compliance may take more time, as 18% of survey respondents said they are still in the compliance implementation stage.
On the other hand, 44.1% of survey respondents said they were fully compliant with GDPR requirements. However, that number is low considering that the compliance deadline was May 25, 2018 (and participant polling took place in July) and the penalty for non-compliance or breach is quite punitive.
Given the ambiguity around certain KRIIs – and the impediments to progress caused by conflicting regulations – standardization to resolve anomalies and inconsistencies is required. Action in areas including data access, data storage and disposal, identity and trust, and interpretation of the term data controller may help bolster and expand industry compliance with both PSD2 and GDPR.
For example, both initiatives diverge on data access. While PSD2 emphasizes data sharing with PSPs, GDPR aims to protect personally identifiable information (PII) from third-party payment service providers (TPPs).
When it comes to data control, GDPR requires customer consent for processing data, while PSD2 requires consent for sharing with other institutions when the account information service provider (AISP) is not the controller. Access to data, fragmented compliance activity, and missing identity and trust details were rated highly as areas of concern by the executives surveyed.
To further complicate matters, GDPR inconsistencies exist over timeframes set out in the SEPA Direct Debit (SDD) rulebook and in a few FATF recommendations. The SDD rulebook specifies that customer transaction mandates must be deactivated after 36 months of inactivity. The mandate ID is usually retained even after deactivation, which may violate GDPR norms. FATF recommends that payer and payee information be retained for a maximum of five years, while GDPR stipulates that data be discarded immediately after use unless the customer consents otherwise. PSD2 allows for rectification of unauthorized transactions for 13 months, which may again violate GDPR requirements on data disposal.
Whatever the interpretation, regulations require a more structured implementation process. Since May 2018, when GDPR entered into force, enterprises and firms have recorded a variety of problems: about eight months after the implementation of the EU’s landmark privacy law, more than 95,000 complaints had been registered with European authorities.
However, most of these incidents were not addressed officially.
In a first-of-its-kind rebuke, French regulatory body CNIL slapped Google with a nearly $57-million (GDPR-based) fine in early 2019 for lack of transparency, unsatisfactory information, and a lack of valid consent for the personalization of advertising. In another similar instance, IT giant Microsoft is facing scrutiny by the Dutch government for breach of privacy rules through large-scale gathering of private data via its Office apps. The Irish Data Protection Commissioner (DPC) is investigating Twitter, following a breach notification received from the social media platform, for its compliance with Article 33 of the GDPR.
Where the problem is more than a single incident or one non-compliant process, a repeated failure to collaborate on correction and prevention must be called out. Similar policy breaches may also be anticipated under PSD2, although PSPs might reduce fines or formal reprimands if they can demonstrate that a compliance process is in place. Hence, it is more about program management and industry dialogue than about getting interpretation and implementation right from the start.
Catalysts such as modernization initiatives, IP systems, and the adoption of ISO 20022 may eventually spur standards and interoperability measures that harmonize the fragmented payments ecosystem of regulations and frameworks.
For more insights on how the payments industry is evolving, and what this means for you, please download a complimentary copy of the World Payments Report 2018 developed by Capgemini and BNP Paribas.
Notes
Capgemini SME input, World Payments Report 2018.
BaFin, “Payment services: BaFin provides information on the new regulations”, February 2018, https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Fachartikel/2018/fa_bj_1801_Zahlungsdienste_en.html
The Financial Action Task Force (FATF) is an intergovernmental organization that sets standards and promotes effective implementation of legal, regulatory, and operational measures for combating money laundering, terrorist financing, and other related threats to the integrity of the international financial system.
Capgemini internal analysis 2018; BNP Paribas SME input 2018.
RTE, “More than 95,000 data breach complaints since EU rules kicked in”, January 2019, https://www.rte.ie/news/business/2019/0125/1025507-gdpr-complaints/
CNIL, or Commission nationale de l’informatique et des libertés, is an independent French administrative regulatory body dedicated to ensuring that data privacy law is applied to the collection, storage, and use of personal data.
The Register, “Microsoft menaced with GDPR mega-fines in Europe for ‘large scale and covert’ gathering of people’s info via Office”, November 2018, https://www.theregister.co.uk/2018/11/16/microsoft_gdpr/
Reuters, “Irish data watchdog investigates Twitter over privacy rules breach”, 25 January 2019, https://www.reuters.com/article/us-twitter-cyber-ireland/irish-data-watchdog-investigates-twitter-over-privacy-rules-breach-idUSKCN1PJ28G
AdExchanger, “France Slaps Google With 50 Million Euro Fine – Largest Yet Under GDPR”, Allison Schiff, 21 January 2019, https://adexchanger.com/privacy/france-slaps-google-with-50-million-euro-fine-largest-yet-under-gdpr