ICO: Open banking 'a key way' for banks to meet data portability duties under the GDPR

Out-Law News | 10 May 2017 | 2:46 pm | 2 min. read

The adoption of open banking could help payment service providers (PSPs) meet their obligations under new EU data protection laws, the UK's Information Commissioner's Office (ICO) has said.

In a response (4-page / 224KB PDF) to a Treasury consultation on the implementation of the revised EU Payment Services Directive (PSD2) in the UK, the ICO urged firms involved in facilitating open banking to engage with it on the project, and highlighted the potential open banking has for aiding compliance with the General Data Protection Regulation (GDPR).

"We encourage industry to maintain an open dialogue as it designs and implements an open API standard," the ICO said. "The information commissioner views open banking as a key way in which individuals’ rights to data portability under article 20 of GDPR may be given practical effect, and it should therefore help financial institutions meet their data portability obligations."

Under the GDPR, data controllers must make the personal data they hold available to consumers in "a structured, commonly used and machine-readable format" so that those consumers can share that data with rival companies "without hindrance", and must provide that data directly to other businesses at the request of consumers where it is "technically feasible".

Those data portability obligations apply only to data controllers that process personal data on the basis of customer consent or for the performance of a contract involving the data subject, and only where the processing is carried out by "automated means".

The data portability obligations will apply from 25 May 2018 when the GDPR takes effect. However, banks and other businesses in the payments market face further new regulation under PSD2 and the UK's open banking initiative. Open APIs are seen as an enabler of both open banking and the PSD2 reforms.

The Competition and Markets Authority (CMA) has mandated the establishment of new standards that will allow businesses and consumers to share their own transaction data from their current accounts with other banks and third parties and to manage multiple providers through a single app. 

Under PSD2, banks and other PSPs will be obliged to enable access to their accounts by third parties acting on the request of customers. The move is aimed at supporting the growth of payment initiation service providers (PISPs) and account information service providers (AISPs) – such as businesses that allow customers to access information from their payment accounts in one place – which have emerged in the payments market in recent years as technology has advanced.

In its consultation response, the ICO referred to the data security obligations that businesses in the payments market will have under PSD2, including the regulatory technical standards on strong customer authentication and secure communication which have been developed by the European Banking Authority (EBA).

National laws implementing PSD2 will come into effect from 13 January 2018. However, certain provisions on security, and the standards on strong customer authentication and secure communication, will not apply until the autumn of 2018. The ICO reminded firms in the payments market, though, that they will still face obligations on data security during the transitional period before the PSD2 security measures and standards on strong customer authentication and secure communication take effect.

"Both the DPA (UK Data Protection Act) and GDPR require organisations to take appropriate technical and organisational measures to protect the security and integrity of any personal data that they process," the ICO said. "Payment service providers therefore need to ensure that they have adequate systems in place to protect the security and integrity of the personal data they process as soon as they begin processing this data."

"We would agree that as the draft RTS (regulatory technical standards) is now available, systems and procedures should be designed in line with the RTS wherever possible in order to ensure minimal disruption when the RTS eventually comes into force. We are keen to ensure that the provisions of PSD2 are implemented in a way that is harmonious with, and complements, data protection requirements. To this end, we will continue to engage with HM Treasury, the Financial Conduct Authority, industry bodies and other relevant stakeholders about this matter," it said.