
Straight Talk IT

Ovum view

The issue of "open banking," or more specifically the creation of APIs that provide third parties with (authorized) access to customer account data or other services such as payments, is one of the hottest topics in the financial services industry at the moment. For retail banks, the potential for open APIs to act as a catalyst to innovation in customer-facing services, and consequently to reshape the competitive landscape, is now well understood.

The second European Payment Services Directive (PSD2) has been the biggest single driver of activity, and requires banks present in any member state to enable account information and payment initiation services for use by third parties by January 2018.

However, while the deadline for PSD2 compliance is rapidly approaching, the impact of this directive may be severely limited by another piece of European legislation that will also apply to retail banks, and is in direct opposition to the principle of making customer data available to third parties: the General Data Protection Regulation (GDPR).

The GDPR, which is due to come into force across the EU28 on May 25, 2018, will set a common framework for how personal data is protected, managed, and processed by any organization holding personal customer data (such as payment or bank account records). Crucially, the GDPR stipulates that the administrative fine for the most serious infringements, which include a breach of personal data that the organization failed to adequately protect, will be up to €20m or 4% of an organization's global annual turnover, whichever is the greater. For a large pan-regional bank, this fine would be substantial, and risking noncompliance with GDPR will not be an option.

Under PSD2, European banks will also be obliged by the relevant competent authority in each market to comply with any customer request that comes via an authorized third-party provider (TPP) from within the EU to share their personal customer data. Sanctions will apply for noncompliance under the PSD2, although as PSD2 is a directive rather than a regulation, the level of any penalty will be determined by the national competent authority (and can vary across the region).

The first test case will occur if and when a TPP is the subject of a data breach, whether because the TPP was compromised or because the TPP itself was a fraudulent entity created to harvest customer data. In this scenario, it is highly likely both that the incident would be viewed as a personal data breach under the GDPR and that the bank(s) that released the data would be viewed as liable, at least in part.

In effect, a bank that is not 100% certain about the provenance of a TPP requesting customer data will need to decide between declining the request (and being noncompliant with PSD2) or accepting it and, if a data breach follows, becoming liable for a sanction of up to 4% of global turnover under GDPR. As things stand, the rational outcome would presumably be to risk noncompliance with PSD2 and reject the request. The effect will be to prevent small and mid-sized companies, whose provenance is hardest for a bank to verify, from becoming TPPs, ultimately restricting the impact that new entrants and propositions have in the market.

Straight Talk is a weekly briefing from the desk of the Chief Research Officer. To receive this newsletter by email, please contact us.
