The new EU Payment Services Directive for banks to share customers’ data with other companies is fraught with unmitigated risks surrounding consent, security and liability, argues Chris Skinner.

We are all aware of wild happenings on the web – hate campaigns, false news, trolling and revenge porn. The fact that these activities continue shows how governments and regulators treat technology firms as different beasts to banks.

If a bank allowed such things to happen, they would be in serious trouble. If, for example, a bank leaked any financial data, they would be sanctioned and fined. However, as a banking friend pointed out to me, technology firms are not regulated in the same way as banks.

They operate with far less reference to regulations and, when governments do try to introduce rules for internet firms, it proves hugely difficult. Just look at the arguments over taxation or the right to be forgotten. The reason for this is that internet firms are global, not domestic.

Different treatment

That is why, if the European Commission ruled that Facebook, Google and others had to share their data through open APIs – as is the case for banks under the new Payment Services Directive (PSD2) – they would laugh in its face. Technology firms don’t share data, and they would resist such a move fundamentally, because that data is what gives them their monopoly in their markets.

If Google were forced to give away all its search and advertising structures, or if people could build better Facebook newsfeeds than Facebook itself through an API, the revenue model of both firms would be damaged. Advertisers would follow the users, and if users were reaching content through a trusted third-party newsfeed or an enhanced search service built on top of the API, Facebook and Google would take a massive hit on revenue.

Yet this is exactly what the banks must deal with, and why they protest. Under the latest European regulation coming into force in 2018, banks are being forced to open their data to third-party access from the likes of Google, Facebook and Twitter. These internet giants will then be able to plug customers’ bank details into their engines and create a payments ecosystem outside the banks’ control.

The biggest issue is the question of what happens when that data is compromised. Who will be to blame: the bank, the internet firm or the customer?

Fundamental principles

To me, this comes down to three fundamental principles of data, and these should be built into both the technology firms and the banks.

The first is consent. If I post something online, should it be there forever? Many argue yes, but what if I change my mind? What if others are posting things about me that are untrue? Or what if I consent that this person can access my data today, but it cannot be shared or uploaded, and I want to rescind access to that data in the future?

The second principle is security. How damaging could this data be to my health or my wealth? If I consent to share data, can I ensure it is truly secure? Sure, if I am sharing data that is erroneous about my lunch or a visit to the zoo, maybe it doesn't need to be so secure. However, if my lunch is fatty food and I weigh 150 kilograms, then is it right that my health insurer can see it? If I visit the zoo with my children, how secure are my children’s profiles from prying eyes?

The third principle is then liability. Should my data be shared inappropriately, or be seen by eyes that should not see it, who is accountable? Am I accountable for posting in the first place; is the third party who shared it liable for sharing it; or is the technology firm or the financial institution that allowed it to be accessed liable? And having addressed liability and accountability, what is the response and how is it enforced?

These are all key questions about data, data sharing, APIs and open markets that are unanswered in PSD2. Equally, the issues of consent, security and liability are unanswered when it comes to the global players such as Google, Facebook and Twitter. Allowing these players to gain access to bank data through open APIs under PSD2, without the detail around data sharing consent, security and liability, is irresponsible to say the least and potentially dangerous at worst. 

There have been suicides resulting from online hate campaigns and revenge porn. Will we now see people having suicidal thoughts if their financial information is compromised? Maybe it is time to think about this move towards open data access and sharing once more. 

Chris Skinner is an independent financial commentator and chairman of the London-based Financial Services Club.
