Towards more adaptability in data governance for fintechs in Europe



Fintech’s rapid growth simultaneously excites and alarms. It threatens traditional banking’s market grip by challenging core functions like payment processing and risk management. Meanwhile, Big Tech’s entry into finance intensifies competition, with these firms offering personalised financial services built on their vast data resources. This shift disrupts long-standing banking practices, emphasising the urgent need for adaptive strategies in the traditional banking sector.

GDPR and PSD2

Regulatory frameworks such as the General Data Protection Regulation (GDPR) and the Payment Services Directive 2 (PSD2) have emerged as critical mechanisms to recalibrate the industry. The GDPR, implemented across the EU, fundamentally alters the data power dynamics. It introduces the right to data portability, a significant shift from traditional data ownership models. This change is not just a data protection measure but a strategic initiative aimed at intensifying market competition. By empowering users with the ability to easily transfer their personal data between service providers, the GDPR disrupts entrenched data monopolies and encourages a more dynamic and competitive ecosystem.

PSD2, on the other hand, specifically targets the financial services sector. It requires banks to provide authorised third-party service providers with access to consumer financial data upon customer consent. This directive significantly democratises access to financial information, previously the reserved domain of banking institutions. By breaking down these data silos, PSD2 paves the way for innovative financial services and products, fostering a more diverse and competitive market. This regulation effectively lowers barriers to entry for new fintech players, challenging the dominance of traditional banks and enhancing consumer choice and service quality.

Together, GDPR and PSD2 represent a regulatory push towards a more open, competitive, and consumer-centric financial services environment. While GDPR broadens consumer rights over personal data, PSD2 specifically dismantles long-standing barriers in the financial sector, enabling a surge in innovation and competition. These regulations signal a transformative period in financial services, where data accessibility and control become key drivers of market dynamics.

Access to account… denied?

However, there is a subtle interplay between GDPR and PSD2. PSD2’s Access to Account (XS2A) rule, preceding GDPR, established the basis for financial data portability, compelling banks to open customer data to third parties. This move reshaped the banking landscape, aligning with GDPR’s later introduction of broader data portability rights. Yet GDPR’s wide personal data scope overlaps with PSD2’s financial data focus, creating regulatory ambiguity. This requires further guidelines for users and providers, clarifying data portability rights and responsibilities.

The different focus of the two regulations – PSD2’s sector-specific financial data approach versus GDPR’s notion of personal data – highlights the challenge of implementing universal data governance principles across diverse industries. This regulatory overlap calls for a refined understanding of how these laws intersect, especially in data-sensitive sectors like finance. Both regulations coexist in the digital economy, requiring clear compliance paths for service providers and transparent rights for consumers.

Implementing data portability

Implementing data portability under PSD2 is fraught with technical and policy challenges. The directive’s push for standardised APIs ensures consistency in data sharing, yet risks inhibiting innovation by limiting the scope for new data solutions. This standardisation-innovation dilemma is central to PSD2’s effectiveness.

Additionally, GDPR’s broad and less prescriptive approach to data format requirements complicates the landscape. Its mandate for data to be “structured, commonly used, and machine-readable” lacks specificity, leading to potential inconsistencies in implementation. This vagueness requires a nuanced approach to regulatory standardisation, one that supports innovation while ensuring operational consistency and interoperability. Achieving this balance is crucial for a dynamic and competitive digital financial marketplace.

Conclusion

Setting the right competition and data portability rules for fintech requires a nuanced, sector-specific approach. The EU’s blend of broad GDPR guidelines and specific PSD2 rules acknowledges this complexity, but also reveals the difficulties in creating a harmonious regulatory environment. Future regulatory efforts should be more industry-specific, ensuring that they are sufficiently adaptable to meet unique sectoral challenges while fostering a competitive and innovative financial services landscape.