What’s in a Name? It’s a Question Regulators Are Increasingly Asking

Andrew Churchill

Across the acres of coverage around General Data Protection Regulation (GDPR) and the Second Payment Services Directive (PSD2), some subtleties have been largely overlooked. One of them is the interaction between the two when it comes to the new subject access rights.

This article was contributed by Andrew Churchill, Vice Chair for Funding and Business Development, European Alliance for Innovation. 


Under GDPR and the U.K.’s Data Protection Bill, individuals have the right to access their personal data. Organizations, meanwhile, have an obligation to check the identity of any person making such a request before releasing that data or, indeed, before accepting explicit consent to process their data.

Neither GDPR nor the Data Protection Bill currently prescribes how that authentication should be done, only that businesses should record that they have done so “so far as possible,” as the bill puts it. It is unclear what that means in practice. We are working towards an accepted definition of what strong customer authentication may look like (I am lead author of the British Standards in Digital Identification and Authentication), but we are not there yet.

There is one place where standards for authentication are already defined, however: in PSD2, whose strong customer authentication (SCA) requires two independent factors drawn from knowledge, possession and inherence. While it may be impractical to apply those standards in full to online retailers or utilities companies, they are the standards expected of financial services. It seems logical, then, that PSD2’s authentication requirements will be the ones applied to financial services when they handle subject access requests and consent under GDPR.


In the U.K., far from being undermined by Brexit, that position is reinforced. Although EU regulations (as opposed to directives) apply directly in member states, the U.K. has sought to promote certainty by writing the requirements of GDPR into the Data Protection Bill. However, the bill also seeks to align with the Network and Information Systems (NIS) Directive, which raises the technical security requirements for critical national infrastructure, such as utilities companies. The U.K.’s approach has therefore seen the tougher standards of NIS leak into its application of GDPR for these businesses.

Payments, though part of critical infrastructure, have an exemption from these requirements, but only on the basis that stronger sector-specific security standards for these companies already exist—in this case, those under PSD2.
 
The end result is that with the advent of GDPR, all organizations must be able to authenticate customers for the purposes of subject access requests and explicit consent; critical national infrastructure, meanwhile, will have to go further under the NIS rules and employ stronger standards. Financial services companies, however, are exempt from NIS because they are subject to even stronger standards under PSD2. But if “best practice” for financial services is required for transactions above €30, surely access to other data, such as medical records or our online profiles, should be at least as well protected.

It all adds up to a considerable workload facing financial services businesses come May 2018. Many are still getting to grips with the requirements of PSD2, but if security standards such as the forthcoming British Standard can have wider application, there will be additional business opportunities for those organizations that best meet this challenge. Identity as a service could truly come of age in 2018.

Published by Duff & Phelps in Global Regulatory Outlook 2018, 2018-04-19.
