The revision of the European legal framework for payment services brought about by the Second Payment Services Directive (PSD2) seeks to respond to the challenges posed by thriving innovation in the industry. Its aim is to allow Fintech companies and incumbent players (aka banks) to keep creating novel business models, while enhancing consumer protection and the safety of electronic payments.
When providing payment services to natural persons, those players – in particular, TPPs accessing banks’ client databases – will have access to their customers’ transaction data which, in some cases, may reveal sensitive aspects of their personal life (notably, through the analysis of customers’ spending habits). In this respect, customers’ consent could play a central part, as consent is mentioned in the PSD2 as a pre-condition to provide payment services, in the GDPR as one of the legal grounds allowing for the processing of personal data, and in national banking regulations as one of the derogations to the secrecy obligation applicable to banks and other financial institutions.
However, this article will show that the concepts of “consent” under the PSD2, the GDPR and the Portuguese regulations on banking secrecy do not match, thus creating legal uncertainty for payment service providers concerning compliance with all three regimes.
PSD2, GDPR and Banking Secrecy: What Role for Consent? by Sebastião Barros Vale from Vieira de Almeida & Associados, Sociedade de Advogados, SP, RL. on TerraLex