Directive (EU) 2015/2366 (the so-called Payment Services Directive 2, or PSD2) has contributed greatly to the consolidation of the European payment services market and, as a consequence, to the growth of open banking in the EU. In Italy, PSD2 has been implemented by Italian Legislative Decree 218/2017, published in the Official Journal on 13 January 2018 (the Legislative Decree).

Open banking is generally defined as a system of technologies that allow consumers to access traditional banking or financial services and products through the use of digital means and tools, such as apps, web platforms, software and the like.

PSD2’s provisions contributed to the rise of open banking by breaking down the long-standing monopoly of banks and financial service providers on the use of customers’ data for making payments, making investments and managing money, both online and offline.

Thanks to the rise of open banking, the European FinTech ecosystem has flourished, covering everything from personal finance apps to robo-advisory, and from innovative payment service providers to online banking.

This disruption has led traditional banks and financial firms to rethink the way they approach customers, especially younger generations, in light of the challenges posed by ‘openness’ in their respective sectors.

Data is fueling this rapid change and fostering further innovation in open banking and FinTech. However, data brings all the challenges and legal issues associated with its collection, use and sharing, as covered by the General Data Protection Regulation (GDPR).

What are the main legal issues connected to open banking?

When it comes to PSD2’s provisions, the processing of personal data must take place in full compliance with the GDPR. The territorial scope of the GDPR is quite broad: it applies to processing by controllers established within the European Union, and to processing related to data subjects who are in the European Union by a controller not established in the European Union, subject to a number of criteria (e.g. where the processing concerns the offering of products and services to data subjects in the European Union).

Data controllers are required to put in place a number of compliance measures. By way of example, the relationship between the bank and the third party providing financial services should be clearly defined: the parties should guarantee security standards and should have access to data only when necessary for providing the services. In addition, data controllers are required to ensure that data subjects can effectively exercise their rights; this duty may entail difficulties, especially when it comes to requests for access to the criteria applied in profiling activities.

In light of the potential risks that may derive from the processing of personal data related to financial services, it is highly recommended to perform a data protection impact assessment in order to identify which actions are necessary to lower those risks.

Concerning data security, the level of risk has increased with the digitalization of financial services. This is particularly true with reference to “open systems”, as such systems expose data to external attacks that may affect system functionality. Consequently, data controllers are required to put in place security measures that ensure the continuity of the systems, the availability of their customers’ data and the currency of the information stored.

Last but not least, the new services should protect consumers’ rights and ensure that the applicable consumer laws are properly taken into account.

Focus: what about GDPR and PSD2?

PSD2 provisions state that payment service providers shall only access, process and retain personal data necessary for the provision of payment services, and with the explicit consent of the payment service user.

This means that payment service providers have to obtain consent meeting the GDPR standard (i.e. freely given, unambiguous and explicit) for processing activities that are strictly necessary for the provision of their innovative services.

In practice, this would make the provision of FinTech services based on open banking subject to consent, even though FinTech providers process consumers’ data on a contractual basis or, alternatively, on the basis of their own legitimate interest or that of third parties (e.g., banks and financial firms).

In particular, PSD2 provides for three types of consent: (i) explicit consent to the payment service provider’s access to personal data; (ii) explicit consent to the payment order or transaction; and (iii) explicit consent to access to the payment account for gathering a user’s account and payment information.

In light of the above, the question is therefore how to interpret this obligation to obtain all PSD2 consent(s) from a GDPR perspective, and whether a legal basis other than consent is acceptable for such processing activities.

PSD2 was adopted at the end of 2015, when the GDPR trilogue negotiations had not yet been concluded, so there may be some misalignments between the two instruments.

In a sense, PSD2 could be lex specialis with respect to the GDPR’s wider provisions concerning the protection and processing of personal data (as is the case with the ePrivacy directive/regulation, the clinical trials regulation, the AML directive, etc.).

This means that specific consent to certain types of processing (i.e., FinTech-related processing activities) would still be required even in those cases where another legal basis for the processing may apply.

This is important because it draws a line between the payment services / FinTech sector and the enforcement of the EU’s data protection laws and regulations. Furthermore, it also raises important legal issues concerning open banking.

What are Italian regulators saying?

Although PSD2 was implemented in Italy by means of a Legislative Decree, there is as yet no guidance on the interaction of this law with the applicable national privacy provisions.

In this regard, the Italian data protection authority (the Garante) has not issued any particular statement on FinTech-related data processing activities or on data protection issues in open banking services in general.

On the one hand, this is because the European Data Protection Board has created a specific focus group for investigating the relationship between PSD2 and GDPR, whose activity may result in official guidance on the issue.

On the other hand, according to some commentators, this may also be due to the fact that the Garante’s board is set to change this summer on the expiry of its term. Therefore, it will be up to the new board to handle most (if not all) of the “thorniest” issues left open.

In any event, prior to taking a stance on this issue, the Garante would most likely have to inform or coordinate with other entities, such as the Italian Ministry of Economy, the Italian Commission for Stock Exchange Control and the Bank of Italy.

Finally, given the rapid growth of FinTech and open banking, in Italy as well as in the EU and the rest of the world, we would expect to see more shared guidance by regulators in the coming years.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.