Europe has pioneered significant innovations in the regulatory space since the concept of the data-driven economy boldly came on the scene – what can the world learn from Europe’s experience?
The introduction of the General Data Protection Regulation (GDPR, Regulation 2016/679, applicable from May 2018) and open banking regulation (the first Payment Services Directive, PSD 2007/64/EC, replaced by PSD2, Directive [EU] 2015/2366, which applied from January 2018, with its strong customer authentication (SCA) requirements applying from September 2019 and enforcement extended to December 2020) together represented both a breakthrough for all market players and a challenge for European banks, which were required to steer their investment priorities accordingly.
GDPR is considered a global point of reference in data protection, as many countries around the world are upgrading their privacy regulations toward the European standard. The regulation aims at protecting personal information by providing individuals with enforceable rights (e.g., the rights of access, rectification, erasure, objection and portability, together with enhanced transparency obligations). It brought innovations in data collection and data retention on a global scale, affecting all online and offline businesses and organisations that interact with European residents and process their personal data. Between May 2018 and November 2019, more than 270,000 complaints over data protection breaches were reported to national data protection authorities, suggesting that users are now finally making use of the measures brought in by GDPR. Notwithstanding this uptake, only a few years on from its introduction, its effects on economies are still widely debated.
Cost and opportunity
Indeed, implementing the regulation has been a major burden not only for banks but for all companies, and an even greater challenge for small firms and start-ups. According to the International Association of Privacy Professionals (IAPP), the estimated average cost of complying with GDPR for Fortune 500 companies is around $16 million (mid-sized firms have spent $550,000), while the cost of non-compliance is potentially higher, with fines of up to EUR 20 million or 4% of annual global turnover, whichever is higher. Financial services and high-tech firms are bearing most of the GDPR compliance costs, as besides adapting their operations they are required to appoint a DPO (Data Protection Officer) to oversee how user data are processed and to act as the point of contact for supervisory authorities.
Looking at opportunities, GDPR has created an entirely new industry of specialised companies that offer data protection as a service (worth approx. $12 billion) and forced companies to rethink their existing business practices. While there is no doubt that becoming GDPR compliant takes time and effort, those companies that implemented the right technology and processes have built consent-gathering mechanisms into their campaigns and adapted their strategies to new types of customer segmentation. Firms are required to abide by the rules, including gathering users' opt-in to data collection and obtaining their consent before permitting any third party to use their data. While this originally seemed to limit marketing activities, purging the lists of unengaged clients represents a real opportunity for effective marketing campaigns. The typical example is email marketing, which has been used extensively by small businesses to reach masses of potential customers. The overall quality of addressee lists has improved, with a positive effect on open and click-through rates.
On the flip side, the effectiveness of GDPR in sustaining and facilitating the growth of innovation is still questionable. It places limits on the development of advanced technologies (e.g., AI, blockchain and IoT applications), as they depend heavily on the ability to collect, store and use data. The 'data minimisation' principle limits data collection and storage to what is necessary for the purposes for which the data were given; processing beyond that purpose needs a separate lawful basis, typically the user's consent. Under this rule, it is easy to see the constraints on experimenting with data in AI-based predictive models, where accuracy is driven by the volume of data processed. To mention another example in the domain of innovation, distributed ledger technology (blockchain) is an iconic case that clashes with GDPR prescriptions. As information on a blockchain is recorded permanently by design, the inability to delete old transaction data is not consistent with the 'right to erasure' offered by GDPR; the usual workaround is to keep personal data off-chain and store only hashes or references on the ledger, although whether such a hash is itself personal data remains contested.
Looking at the second big area where the European Union has driven regulatory transformation, there is open banking. The second Payment Services Directive (PSD2) responds to the European Union's mission to unify, modernise and open up payment systems and the financial ecosystem. In a nutshell, PSD2 allows licensed third parties, with the user's explicit consent, to initiate payments from the user's bank account and to retrieve the user's account data from the bank. Technically, this means a merchant may apply to become a Payment Initiation Service Provider (PISP) and pull payments directly from customers' accounts instead of routing them through card networks.
For those customers who hold multiple accounts, businesses will be able to display their account information in one place. Access to bank accounts also allows Account Information Service Providers (AISPs) to expand their services (e.g., by providing investment advice and personal finance management based on customers' spending habits) and offer more functionality. PSD2 sets out two key requirements that banks need to abide by:
- strong customer authentication (SCA) on electronic payments and account access: at least two independent factors (knowledge, possession, inherence), with the authentication code dynamically linked to the amount and payee, subject to a defined set of exemptions such as low-value transactions and trusted beneficiaries;
- APIs (or another dedicated interface) that allow authorised third parties to request payments from accounts and to access account information.
The transition to PSD2 has not been easy, as banks faced several challenges in their transformation journey to implement these two requirements, which is also the key reason why regulators granted delays. The first challenge experienced was applying SCA to existing online card payments.
Implementing the necessary changes has been harder than expected, as internet-based card payments, which traditionally relied on the card number and security code alone, are poorly suited to SCA: adding a second factor meant rolling out 3-D Secure 2 across issuers, acquirers and merchant checkouts. Secondly, while PSD2 set the rules, it did not define standards for SCA or for the APIs. This led European payment institutions to develop their own APIs and SCA flows without a standardised design, which turned into problematic and expensive implementations for the organisations wanting to use these services; industry groups such as the Berlin Group and the UK's Open Banking Implementation Entity later published common API specifications, but adoption remained fragmented. Lastly, what possibly hampered smooth adherence to PSD2 is that players were forced to implement expensive changes with no business benefit and no incentive from regulators.
Responding to PSD2
Banks faced two options in their response to PSD2: a defensive approach, complying by offering no more than the mandated APIs and maintaining their existing products, or stepping into a platform business model as the tech giants typically do. While the defensive approach does not create any business opportunity and requires the fewest changes, the platform business model allows banks to build a partner ecosystem and streamline their non-core product offerings by replacing them with third-party products. It is this second route that has the potential to become a profitable and scalable business model capable of disrupting banking.
PSD2 and GDPR both focus on consumer data, but from very different perspectives: while PSD2 aims to create access to personal data, GDPR aims to protect it. While PSD2 encourages competition and innovation in different products and services, access to these has to comply with GDPR. The hefty fines connected to non-compliance, together with the reputational damage, have pushed traditional banks to focus on data protection rather than on innovating and harnessing the opportunities of PSD2 to create a competitive advantage over new entrants.