How does PSD2 interplay with the GDPR?

Questions continue to arise over the interplay of the second Payment Services Directive (PSD2) with the General Data Protection Regulation (GDPR). Both PSD2 and the GDPR are complex pieces of legislation, and the relationship between distinct provisions of each law, and how they work together, is not altogether clear. This has led to uncertainty for payment service providers, including banks. For example, when is “consent” required to access payment data, and what does consent mean? To this end, the European Data Protection Board (EDPB) — the EU body composed of representatives of the data protection authorities of each Member State, responsible for the consistent application of the GDPR across Member States — has published draft guidelines for a consultation that has now closed. A number of firms and industry bodies, however, have voiced concerns over their workability for providers. For example, the European Banking Federation’s (EBF) response emphasises that the draft guidelines should be coherent with payments regulation, its terminology and regulatory technical standards, in particular on Strong Customer Authentication.