02 February 2018

Experts of the future

PSD2, MIFID2, GDPR: What are the challenges for the banking industry and how to best address them?

2018 is a year of key regulatory changes for the payment and finance industry, with the entry into force of two European Directives, MIFID2 and PSD2, and one regulation, GDPR, all with a very broad impact. Every organization is urged to identify strategic approaches and technological platforms that turn compliance challenges into opportunities while minimizing the impact on costs and margins.


MiFID2 (Markets in Financial Instruments Directive), the new Investment Services Directive, entered into force on January 3, and PSD2 (Revised Payment Service Directive) followed 10 days later, on January 13. May 25 will be the turn of the GDPR (General Data Protection Regulation), the new legal framework intended to strengthen and unify data protection for all individuals within the European Union.


Regulatory changes are a big challenge for banks because they often imply a paradigm shift in the way they do business, forcing them to face new competitors and greater constraints. To the question "What are the most relevant competitive challenges for the banking sector?", the audience of a recent European House-Ambrosetti workshop answered: "regulation and compliance" (43%) and "digitalization and new connected business models" (40%); "new customer behaviors" (23%) were also relevant.

At the same time, regulatory innovations also open the door to great opportunities for expanding banking activities and offering new, more relevant services to the market.

For example, MiFID2 expands the scope of so-called Product Governance: in the "construction" phase of a financial product, both a positive and a negative target must be defined (i.e. the subjects for whom the product is suitable and the subjects always excluded). Increased pressure on revenues, new service models offered on an independent basis, and demand for broader skills for consultants are the main challenges, with an impact especially on the business of financial intermediaries and advisors.

PSD2, also called the game changer directive, increases competition for traditional banks, while at the same time restricting the boundaries of certain payment activities. The directive allows third-party operators outside the banking sector to enter the payments market (acting as PISPs, Payment Initiation Service Providers, or AISPs, Account Information Service Providers), and introduces Open Banking: the sharing of customers' data with authorized third parties through the opening up of programming interfaces (Open API). The directive also pursues greater security for the end customer: new entrants must be accredited and subject to supervision by Financial Authorities, and must comply with the same rules that bind banks on the security of services provided online. PSD2 strongly stimulates the digital innovation of the entire payments ecosystem. The new regulatory framework represents a unique opportunity for traditional banks to place themselves at the center of the ecosystem as real protagonists, leveraging their deep know-how, data assets and customer relationships.

As for the GDPR, banks are faced with an extremely complex regulatory framework. The regulation, which applies to any organization collecting personal data, introduces new restrictions on the storage and processing of data. Organizations will be held accountable (accountability principle) for non-compliance with the law, with the risk of sanctions that can reach 2% to 4% of the annual global turnover of the company in default. Organizations will have to detect and promptly report any breach in the processing of personal data (communicating it within 72 hours to the Privacy Guarantor) and appoint a Data Protection Officer (the smaller companies are excluded).


Faced with the double implication of the new rules - challenges but also opportunities - the attitude of the banks is also twofold, divided between distrust and resistance on the one hand, awareness of the strategic opportunity introduced by the innovations on the other.

Regarding PSD2, only 50% of Italian banks interviewed in the summer of 2017 by CA Technologies indicated that they would be able to meet the minimum requirements of the directive by January 2018. At the same time, 68% of Italian banks said that full compliance with the PSD2 will allow them to achieve long-term strategic objectives, and 96% agreed that the PSD2 is an opportunity to innovate, differentiate and create new products and services.

Regarding GDPR, the EU Justice Commissioner Vera Jourova recently raised the alarm about the risk that Italy, like many other European countries, will be unprepared at the 25 May deadline. Banks have an advantage over businesses in other sectors because they already fulfill various obligations in terms of data security and management; however, security and privacy are not synonyms, and it cannot be taken for granted that the instruments adopted so far by the banks are sufficient to guarantee compliance with the GDPR.

Thanks to decades of experience, existing products and frameworks, and a consultancy approach to developing a strategy and building solutions, TAS Group supports customers in the finance sector, both traditional players and Fintechs, as well as Public Administrations, helping them to quickly and efficiently adapt to the new European directives and regulations.

TAS Group offers its customers both ready-made solutions, such as the TAS Open Banking framework, which allows rapid and flexible implementation of the requirements imposed by the PSD2, and the "Orizzonte Regulatory Reporting" suite for regulatory reporting, and customizable solutions to be shaped based on customer needs.

 Ask us how our technologies and consultancy services can help your