What does the GDPR mean for FinTech?

UK and EU banks and financial institutions are now subject to the new rules laid down by the General Data Protection Regulation after a two-year rollout plan. Institutions in the EU and worldwide are affected by this broad mandate on how user data is to be treated by financial institutions and third-party providers. Firms that fail to adapt to the new compliance requirements face fines of as much as twenty million euros or 4% of annual revenues.

The GDPR is the latest privacy law; it was passed in April of 2016, with enforcement scheduled to begin this month in 2018. This directive applies to any personal data that is considered sensitive, which can include identifying categories such as race, sexual orientation, or data relating to health. User consent is at the heart of this regulation: third-party providers must ask for user consent before collecting data. One of the more controversial aspects of this regulation is the article known as the “right to be forgotten.” It enables individuals to require providers to erase personal information collected by a platform like Facebook, and it allows individuals to see explicitly what data has been collected from them and how some providers view them as users online. Data can only be used for the purpose stated by a platform and must be verifiably erased once it is no longer needed by the provider. A user can request this information in downloadable form and move it to a different service provider. The directive also mandates that companies must obtain parental consent before collecting data from children under the age of sixteen for online services, while no collection at all is allowed for users under thirteen years of age.

After major breaches of consumer data, like the Cambridge Analytica scandal and the massive Equifax breach, financial institutions have already begun to evaluate their data practices. They will now also have to update their regulatory affairs departments for the recent Payment Services Directive (PSD2), released alongside the GDPR. The payments directive is intended to increase competition and improve innovation within the payments industry. It was first brought to the attention of the EU Council in 2013, and after years of revisions the final regulation requires third-party organizations to gain consent from users before receiving access to the valuable financial histories held in user accounts.

The difference between these two directives lies in the regulatory language around user data. The Payment Services Directive allows each EU country to use discretion when defining user data. Both directives, of course, make user privacy and security the ultimate goal of the new regulation. Financial institutions will have to organize their revenue structure around a central goal of privacy and incorporate these guidelines into their design mandates.

Major breaches of personal data have increased consumer paranoia about new technologies and about trusting some FinTech institutions. Merchants and FinTech institutions have to update company policies with best practices so that users do not feel vulnerable. Online retailers have to integrate advanced anti-fraud practices to make sure their platforms can distinguish real users from fraudulent accounts that use stolen personal data to slip through the system.