

Council Post: Personal Data Protection In The Open Finance Era—An Ever-Changing Puzzle



Dmitrii Barbasura is the COO of Fintech Galaxy. He is also the CEO & Co-Founder at Salt Edge, a pioneer in open banking solutions.

The last decade has hugely transformed banking. The space stepped it up to open banking, then to open finance and then to tackling open data/open economy for a not-so-far future. The basis for the industry’s progress has been and continues to be data—user data shared voluntarily with financial institutions and third-party providers for the greater good of the users themselves.

But does this “greater good” come with a price?

The cornerstone of data sharing under open banking/open finance (OB/OF) is trust: it must be built, and it must overcome the deep-rooted prejudice against the very concept of opening up.

The burden hasn’t fallen on the financial institutions and third-party providers’ shoulders only; regulators worldwide have been intensely developing data protection and privacy laws. According to UNCTAD, 71% of countries have data privacy laws in place and 9% are in the drafting phase.


The General Data Protection Regulation (GDPR) adopted in the EU in 2018 has become the baseline for data protection legislation around the globe. Other notable laws are Japan’s Act on the Protection of Personal Information, Brazil’s General Data Protection Law and the U.S. state laws, among others.

As for the Middle East, it’s catching up quite productively. Bahrain has had its Personal Data Protection Law no. 30 in force since 2018, Saudi Arabia’s amended Personal Data Protection Law will have come into force by March 17, while the UAE’s Federal Decree-Law on the Protection of Personal Data came into force on January 2, 2022.

The Data Sharing ‘Elephant’ In The OB/OF Room

OB/OF is all about data sharing and the opportunities stemming from it. Banks had long assumed the role of data owners and gatekeepers, but then OB regulations came and canceled it all. OB regulations put all the power into the end-user’s hands while driving banks to implement top-notch security measures to mitigate risks associated with opening up access to consumer data.

Naturally, questions regarding the interaction of OB/OF with data privacy and data protection legislation keep arising, since at first glance it may seem they don’t really work together. Just take a look at the EU’s PSD2 and GDPR. Despite the European Data Protection Board (EDPB) publishing guidelines on the interplay of PSD2 and the GDPR, confusion is still encountered among payment initiation and account information service providers.

The joint payment industry expressed its concerns about the guidelines and the answer, in short, was that the payment sector is entitled “to prepare and submit a code of conduct for approval intended to contribute to the proper application of the GDPR and provide further solutions and legal certainty for the sector.”

In other words: We hear and understand you, but you must play by our rules.


Take a step back and you’ll see that this attitude is quite appropriate. PSD2 itself stipulates that the processing of personal data under OB must comply with Directive 95/46/EC (subsequently replaced by the GDPR) and Regulation (EC) No 45/2001 of the European Parliament and the Council on the protection of individuals.

‘Once Burned By Milk You Will Blow On Cold Water’

Of course, we do feel for the financial institutions that have found themselves in the difficult position of having to comply with both data privacy and protection laws and OB/OF laws. One set of rules tries to minimize data sharing, while the other requires financial institutions to share user data upon the user’s consent. It is not an easy job, but considering some notorious data breach examples, suddenly it all makes sense.

Some of the most “preferred” data breach methods include:

• Phishing.

• Portable device loss/theft.

• Payment card fraud.

• Unintended disclosure.

• Skimming.

This list is not exhaustive, and new means of illegally accessing data keep popping up. Still, most of them target plastic payment cards, as other means of using financial services enjoy higher levels of security.

Take OB/OF, for example. It is much more difficult to tamper with. Card details are excluded from the journey, and users approve payments via facial recognition or fingerprints. The intermediate instrument (e.g., a credit/debit card) is ruled out, leaving just the customer and their bank account.

We’ve come such a long way in terms of security, from scratching our signature on paper to PIN codes and CVVs, and now enjoying OTPs and strong customer authentication. But is that enough?

How can businesses ensure their users keep leveraging OB/OF possibilities while minimizing the risk of data breaches?

The keyword here is “security” (an absolutely imperative element that defines the success of the entire data-sharing process), and it must come both from the data provider (the financial institution) and the data recipient (the third-party provider). Here are some tips to ensure a secure process:

• Share data with third parties only based on explicit and well-informed consent.

• Share and use data ethically. It is on the regulators to adopt the necessary provisions stating what this means and how liability is determined if things go wrong.

• Any party accessing personal data must do so in full compliance with data privacy laws.

• Users hold the power to NOT share their data and to instruct their banks accordingly.

• Consumers should be informed and educated about the possibility of requesting their personal data deletion from any data holder (also known as the right to be forgotten).

• It is not enough for data protection and privacy laws to exist. Practical measures against information misuse and data breaches must be in place for the laws to be effective.

• Consumers must be informed about the extent of personal data held and shared on their behalf.

• Not all personal data held by banks is helpful in improving products/services.

In Conclusion

Anything can go wrong when it comes to such sensitive topics. From forged data-sharing requests to erroneous data being accessed or transferred to a third party—the spectrum is, unfortunately, wider than one could ever imagine. The burden of making it right lies on every single one of us—from the consumer to the regulators. Just as data protection mechanisms are constantly developing, so are the data-breaching ones. We always need to stay alert and be at least one step ahead of the latter.


Source: Forbes
