The banking industry has been heavily regulated by the European Union. Anti-money laundering (AML), the Payment Services Directive (PSD2), the Markets in Financial Instruments Directive (MiFID II), the Foreign Account Tax Compliance Act (FATCA): all of these compliance requirements imply the collection and processing of personal data, and all of them now overlap with the GDPR.

GDPR compliance in a large company is already a complex process; for the financial sector, the GDPR adds an extra layer on top of the existing regulations, which makes things even more challenging.

Appointing a DPO (Data Protection Officer) does not entirely solve the problem, as he or she is not personally responsible for the organization’s GDPR non-compliance. To put it plainly, responsibility is distributed between the DPO, the CEO/Board, data stewards and the other persons involved in the process.

How to balance GDPR and banking compliance

  • AML/KYC – Perform a legitimate interest analysis wherever not all data processing rests exclusively on a legal obligation. Also keep in mind the right to information and the right to rectification: data subjects do not always have a direct relationship with the financial institution.
  • PSD2 – PSD2 and the GDPR were both introduced in 2018 as comprehensive sets of legislation focusing on consumer data. However, these regulations were developed from very different perspectives. PSD2 aims to create access to personal data. The GDPR aims to protect personal data, making it easier for consumers to know where their data is being used and to raise objections about its use. Therefore, watch out for the differences regarding consent between PSD2 (contractual consent) and the GDPR (explicit consent).
  • FATCA – All business lines involved in ongoing compliance with FATCA and the Common Reporting Standard (CRS) are impacted by the GDPR.

Bottom line: Financial organizations must implement appropriate measures in order to achieve full compliance. They must identify the responsibilities they have assumed and the resources needed to fulfill them. They also need to make sure they have a workflow in place that allows periodic review of the activities they are responsible for. And whenever there is a doubt or a concern, they should seek the DPO’s advice.

This article contains the main ideas presented by Sypher Solution at the “Banking Compliance Summit 2019”, an event organized by the Romanian Banking Institute.