Intersections of PSD2 and GDPR (Latvian title: PSD2 un GDPR savstarpējā ietekme)
- 2. © Deloitte Latvia
The EC has set out an agenda of payments regulatory change that will force the European payments market to become open, more competitive and innovative, while protecting its citizens.

Payment Services Directive 2

Objectives:
1. Respond to changes in the payments landscape
2. Deliver a competitive, innovative and open European payments market
3. Provide a level playing field for new entrants competing with banks

New entrants
• Recognise Third Party Providers (TPPs)
• Define PISP (payment initiation) and AISP (account information) services
• Require TPPs to be licensed and regulated as payment institutions
• Banks are obliged to allow TPPs access to their platforms via a standard API
• No contract between bank and TPP is required for standard AISP/PISP services

Foster innovation, promote competition
• New payment services will compete with cards
• Transaction fees and banking charges are expected to come under pressure over time

Protect consumers
• Improved authentication (strong customer authentication) and data protection measures
• Decreased user liability in case of unauthorised payment (the payer's maximum liability for unauthorised transactions is reduced from EUR 150 to EUR 50)

A better consumer experience when using payment services within the EU
- 3.
Who would be a bank?
FinTech and BigTech are eroding banking revenues. Areas affected: new market players, evolution of the business model, enhanced services offering, organisational impact, strategic options.
- 4.
General Data Protection Regulation: the key concepts
GDPR: new rules on personal data protection

New rights
The GDPR brings consumers a full range of new rights in the area of data privacy. The main rights are: the right to data portability, the right to erasure (right to be forgotten), the right to object, the right to rectification, the right to restriction of processing, etc.

Increased fines
The GDPR introduces a new maximum monetary penalty of EUR 20 000 000 or 4% of annual global turnover, whichever is higher, that can be imposed in cases of serious non-compliance with the new rules on data privacy protection.

International reach
Organisations based outside the EU that process data to offer goods or services to data subjects in the EU, or to monitor the behaviour of data subjects in the EU, are also subject to GDPR requirements.

New obligations
Increased demands on data controllers and new obligations for personal data processors. The GDPR requires organisations to take a more proactive approach to privacy compliance, including new consent requirements, documentation, organisational roles and processes, and technology design, and sets forth principles such as data minimisation.
- 5.
Scope of the General Data Protection Regulation (GDPR)
Quick GDPR overview

Broader territorial scope: applies to players not established in the EU whose activities consist of targeting data subjects in the EU.
Enforcement: Data Protection Authorities are entitled to impose fines of up to 2% or 4% of annual worldwide turnover (or EUR 10 million / EUR 20 million, whichever is higher), depending on the provision infringed.
Accountability: explicit obligation on the controller as well as the processor to be able to demonstrate their compliance with the GDPR.
Expanded definitions: personal data now explicitly includes location data, IP addresses, and online and technology identifiers.
Data subject rights: reinforced rights of access, rectification, restriction, erasure and objection to processing; the right not to be subject to decisions based solely on automated processing, including profiling.
Consent: spelled out more clearly, with a focus on the individual's ability to distinguish the request for consent from other matters.
Data breach notification: report a personal data breach to the Data Protection Authority within 72 hours of becoming aware of it, where feasible.
One-stop shop: the Data Protection Authority (DPA) of the main establishment can act as lead DPA, supervising processing activities throughout the EU.
International data transfers: Binding Corporate Rules (BCRs) as a tool for data transfers outside the EU and EEA are now embedded in law.
- 6.
General Data Protection Regulation
GDPR mainly impacts four layers of the business model, with information security and risk management cutting across all of them.

Governance, organisation & people: determine the "GDPR vision" and adopt an organisational model to lead, manage and coordinate a programme aligned with it.
Policies and processes: policies and processes that allow companies to deliver value to customers in a consistent and scalable manner.
Data: organisations tasked with data governance and data management will be challenged to provide clearer, more proactive oversight of data storage, journeys and lineage.
Technology: new GDPR requirements will mean changes to the ways in which technologies are designed and managed, including a focus on profiling, security and privacy by design.
- 7.
The proposition of GDPR and PSD2 in the financial ecosystem
Diagram. Traditional payments chain: payer, payer's bank account, clearing, settlement, payee's bank account, payee.
New layer alongside it: producer, distributor, operator (new consumer and merchant propositions; rise of parallel payment infrastructures).
PSD2 as disruptive enabler; GDPR as compliance trigger.
- 8.
Leverage mandatory investment and embrace "open banking" as an opportunity
PSD2 key requirements

Security
• Adapt current compliance and risk mechanisms to the new PSD2 guidelines
• Mitigate the fraud risk of opening up access to Third Party Providers
• Ensure strong customer authentication (two independent factors out of knowledge, possession and inherence) for payment transactions and for access to payment data (two-factor authentication has already applied to internet payments since mid-2015 under the EBA guidelines)

Services
• Assess which services to offer to third parties that require the development of APIs
• Consider how to make the APIs flexible while complying with the standards

IT development
• Budget and plan for significant IT investment to grant TPPs access to account information through APIs and to allow access differentiation
- 9.
GDPR key requirements
Demonstrate "privacy by default" and assure compliance for business processes and IT across these capability areas:
• Data protection strategy
• Organisation & accountability
• Policies & procedures
• Communication, training & awareness
• Privacy operations
• IT risk management
• Technology & architecture
• Data governance
• Data subject rights capabilities
- 10.
Main concepts: similarities and differences
Intersections of both regulations: usage of personal data

GDPR
• Personal data
• Sensitive data (special categories): 'personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.'

PSD2
• Personal data
• Sensitive payment data: PSD2 defines this as 'data, including personalised security credentials which can be used to carry out fraud' (Article 4(32); for the activities of AISPs and PISPs, the name of the account owner and the account number do not constitute sensitive payment data).

Open question: there is no common structure between the GDPR definition of sensitive data and the PSD2 definition of sensitive payment data. Personalised security credentials are not a GDPR special category, and GDPR special-category data need not be payment data, so the two sets must be classified and protected separately.

Data protection (as prescribed by the GDPR) should therefore be fully considered in the design and implementation of all PSD2 related services.
- 11.
Main concepts: similarities and differences
Intersections of both regulations: consent

PSD2 states that a PSP may only access, process and retain the personal data necessary for the provision of its payment services with the explicit consent of the payment service user (Article 94(2)). This is on the whole in line with the GDPR. (Caveat: the EDPB later clarified, in Guidelines 06/2020 on the interplay of PSD2 and GDPR, that this PSD2 "explicit consent" is a contractual requirement and not the same thing as GDPR Article 6(1)(a) consent.)

Legitimate bases for banks to process personal data (those most relevant here):
1. Compliance with a legal obligation
2. Performance of a contract
3. Vital interests
4. Explicit consent

GDPR consent
• Any freely given, specific, informed and unambiguous indication of the data subject's wishes
• Separate consent for separate processing operations
• Can be withdrawn at any time
• Performance of a contract must not be made conditional on consent

Open questions:
1. Is separate consent needed, and under which specific GDPR/PSD2 rules?
2. What is the purpose of processing?
- 12.
Main concepts: similarities and differences
Intersections of both regulations: transfer to third parties

Relations among the parties: data subjects, controller, joint controller, processor. The relationships between the bank and the TPPs are governed by contractual liability.
• TPPs that want to use (process) the personal financial data of European customers will be required to take the GDPR rules into account.
• Banks that provide financial data are also obliged to do so in accordance with the GDPR, as sharing personal data is itself a form of processing.

Under the GDPR, banks are the data controllers of their customers' information and are responsible for the purposes and the manner in which personal data is processed and shared.
PSD2 adds further data protection requirements by stating that TPPs are only permitted to access information for the specific purpose(s) "explicitly requested by the customer" relating to the provision of account information or payment initiation services, and not for any other reason.

Open questions:
1. Consent management
2. Legitimate ground for processing
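The two points above (slide 11: one consent per processing operation, withdrawable at any time; slide 12: a TPP may only touch data for the purpose the customer explicitly requested) become concrete at the point where a bank's API decides whether to serve a TPP request. The following is an added example written for this page, not code from the deck, from Deloitte or from any bank's PSD2 implementation, and it does not follow any particular industry API standard. The consent model, the field names, the PSU and TPP identifiers and the IBAN are all constructed for illustration.

```python
"""Consent-scoped access check for a PSD2 account API (illustrative only).
Added example, not code from the original deck, Deloitte or any bank.
All identifiers, IBANs and balances below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Service(Enum):
    """The two PSD2 third-party services named on the slides."""
    AISP = "account-information"
    PISP = "payment-initiation"


class ConsentError(Exception):
    """The request is not covered by a live consent."""


@dataclass
class Consent:
    consent_id: str
    psu_id: str                 # payment service user who gave the consent
    tpp_id: str                 # third-party provider it was given to
    service: Service            # one consent per processing operation (GDPR)
    accounts: frozenset         # IBANs in scope
    fields: frozenset           # data elements in scope (data minimisation)
    valid_until: datetime
    withdrawn_at: Optional[datetime] = None

    def withdraw(self, when: datetime) -> None:
        """Withdrawable at any time; keep the record and stamp the moment."""
        if self.withdrawn_at is None:
            self.withdrawn_at = when

    def is_live(self, now: datetime) -> bool:
        if now >= self.valid_until:
            return False
        return self.withdrawn_at is None or now < self.withdrawn_at


def authorise(consent: Consent, tpp_id: str, service: Service, iban: str,
              requested_fields, now: datetime) -> frozenset:
    """Return the fields the TPP may receive, or raise ConsentError.
    Deny by default: the consent must belong to this TPP, still be live, name
    this exact service and this account, and cover every requested field. An
    over-broad request is rejected rather than silently trimmed, so that a TPP
    reaching beyond its stated purpose is visible in the audit trail."""
    if consent.tpp_id != tpp_id:
        raise ConsentError("consent was issued to a different TPP")
    if not consent.is_live(now):
        raise ConsentError("consent expired or withdrawn")
    if consent.service is not service:
        raise ConsentError(f"consent covers {consent.service.value}, not {service.value}")
    if iban not in consent.accounts:
        raise ConsentError("account not in scope of consent")
    excess = set(requested_fields) - consent.fields
    if excess:
        raise ConsentError(f"fields outside consent: {sorted(excess)}")
    return frozenset(requested_fields)


def decide(consent, tpp_id, service, iban, requested_fields, now):
    """Non-raising wrapper: (True, allowed_fields) or (False, reason)."""
    try:
        return True, authorise(consent, tpp_id, service, iban, requested_fields, now)
    except ConsentError as err:
        return False, str(err)


def minimise(record: dict, allowed: frozenset) -> dict:
    """Data minimisation: release only the consented elements of a record."""
    return {key: value for key, value in record.items() if key in allowed}


# Constructed sample data: fictitious PSU, TPP, IBAN and account record.
T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
T_WITHDRAWN = T0 + timedelta(days=1)
T_LATER = T0 + timedelta(days=2)
T_EXPIRED = T0 + timedelta(days=100)
IBAN = "LV00TEST0000000000001"
TPP = "tpp-budgetapp"
RECORD = {"iban": IBAN, "balance": "1250.00",
          "transactions": [{"amount": "-12.50", "counterparty": "Cafe"}],
          "owner_name": "Test Person", "date_of_birth": "1980-01-01"}


def make_sample_consent() -> Consent:
    """AISP-only consent on one account, limited to balance and transactions."""
    return Consent("c-0001", "psu-42", TPP, Service.AISP, frozenset({IBAN}),
                   frozenset({"balance", "transactions"}), T0 + timedelta(days=90))
```

With the sample consent, a balance request from the budgeting app is answered with the balance only; a payment-initiation request on the same consent is refused because PISP is a separate processing operation needing its own consent; asking for date_of_birth is refused rather than trimmed; and any request dated after withdrawal fails. Separating `authorise` (raises) from `decide` (returns a reason) keeps the refusal reason available for the audit log without letting a caller accidentally treat an exception path as "allowed".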
- 13.
Main concepts: similarities and differences
Intersections of both regulations: technology readiness

Foundations of the digital banking business model: security, strong authentication, management of consent.

Today: physical and online channels (client to web / app; client to bank branch / terminal).
• Legislation pushes the development of open banking
• Banks are obliged to open their platforms via APIs to give TPPs access to previously privileged data

Prospectively: open banking, with the bank as a platform (open APIs, an app store, third-party developers).
• Movement towards opening up bank data to third party providers (TPPs)
• New propositions that help consumers and businesses transact, save, borrow, lend and invest
- 14. Copyright © 2018 Deloitte Central Europe. All rights reserved.
Strategic responses
Banks are asking how to develop a PSD2 strategy; the question should be how banks wish to position themselves in an interconnected economy.

Comply: account and access provider (XS2A, access to account, for PISPs and AISPs).
Enable: enable TPPs via premium APIs and/or use of the banking licence.
Reconfigure: retire and reconfigure platforms and products.
Innovate: advanced payment and data services; internally driven proposition innovation.
- 15.
Differences among CEE countries can be well illustrated by the budgets assigned to PSD2 regulatory and strategy initiatives
Chart (two panels: compliance budget, strategy budget). Countries: Latvia, Romania, Czech Republic, Poland, Hungary, Other, Western Europe. Budget bands: no dedicated budget currently assigned; under EUR 150k; EUR 150k to 500k; EUR 500k to 5m; EUR 5m to 10m; over EUR 10m. The percentage values are not recoverable from the extracted text.
Source: Deloitte analysis based on the European PSD2 Voice of the Banks survey by Deloitte; further details are available in a separate Deloitte report.
- 16.
Most CEE banks regard PSD2 as an opportunity or as having a neutral outcome
Chart. Question: "Do you perceive PSD2 to be a strategic threat or opportunity for your organisation?" Answer categories: opportunity, neither, threat, don't know. Countries: Latvia, Czech Republic, Hungary, Poland, Romania, Other, Western Europe. The percentage values and sample sizes are not recoverable from the extracted text.
Source: Deloitte analysis based on the European PSD2 Voice of the Banks survey by Deloitte; further details are available in a separate Deloitte report.
- 17.
Analysis of responses by country reveals that most CEE banks are considering the cooperative approach
Chart. Question: "How would you characterise your strategic response to PSD2?" Answer categories: aggressive, cooperative, wait and see, defensive, still evaluating, other. Countries: Western Europe, Latvia, Czech Republic, Poland, Hungary, Romania, Other. The percentage values and sample sizes are not recoverable from the extracted text.
Source: Deloitte analysis based on the European PSD2 Voice of the Banks survey by Deloitte; further details are available in a separate Deloitte report.
- 18.
Deloitte expert profiles

Rudīte Sprinģe
Manager, CGEIT, CISM, PRINCE2
Deloitte Latvia
Email: rspringe@deloittece.com
Mobile: +371 29226670

Janis Kaulins, CFA, FCCA, CAMS, CISSP
Assistant Director
Deloitte Latvia
Email: jkaulins@deloitteCE.com
Mobile: +371 2515 0995

Janis Kaulins is an Assistant Director with more than 9 years of professional experience in the financial services industry. Janis serves as the AML, Sanctions and Financial Crime Leader at Deloitte Central Europe, and leads the Financial Services Industry (FSI) Advisory and Forensic services in the Baltic States.

Rudite has more than 13 years of professional and project management experience in ICT governance, solution architecture, requirements definition, security design, as well as business process re-engineering and ICT development quality assurance engagements. Rudite has been engaged as Advisory project leader and ICT professional in a number of IT deployments for public sector and private clients.
- 19. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”),
its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and
independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please
see www.deloitte.com/about to learn more about our global network of member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple
industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings
world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex
business challenges. Deloitte’s more than 244,000 professionals are committed to becoming the standard of excellence.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or
their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice
or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who
relies on this communication.
© 2018. For information, contact Deloitte Touche Tohmatsu Limited