2018 has been a big year for compliance, with the second iteration of the Payment Services Directive (PSD2) going into effect in January and General Data Protection Regulation (GDPR) launching in May. Still trying to wrap your head around these two regulations and what your business needs to do to properly process the personal data of your prospects and customers? If you’re afraid to raise your hand to ask questions about these two regulations at this point, don’t worry! We are happy to provide a refresher.
General Data Protection Regulation
What is it and who’s impacted?
GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens. It came into effect in May 2018 and covers how data is collected, stored, processed and destroyed.
Don’t think your organization is off the hook if it’s based outside of the EU—GDPR applies if an organization conducts business with EU citizens, not just if an organization is based in the EU. In other words, you need to understand the impact of GDPR if you deal with the data of EU businesses, residents or citizens, even if you don’t have a European presence. Fear of losing market share to EU-based competitors is another reason U.S. businesses are motivated to become GDPR compliant.
GDPR applies both to the organization (or “data controller,” basically the organization that owns the data and the relationship with EU citizens) and to the third-party solution providers (also known as “data processors”) that capture or manage any EU citizen data on behalf of the controller.
It’s the responsibility of a controller to vet processors for GDPR compliance, and both parties are now liable in cases of data breaches and data misuse.
GDPR compliance and identity verification
Companies in many industries, from banking to the sharing economy, need to establish that a person’s digital identity (who they claim to be) matches their real-world identity (who they truly are). But this imposes strict requirements on the vendor that is managing sensitive personal information including images of government-issued IDs and biometric data, as this information can unfortunately be compromised and exploited by fraudsters.
It is because of this intersection between identity verification and GDPR compliance that it is so important to understand what to look for in an online identity verification solution. Here are five key factors to look out for in a GDPR-compliant solution:
- Human review—GDPR gives individuals the right not to be subject to decisions solely based on automated processing that produce “legal effects” in which there are material and financial impacts on the person who is denied (such as denial of credit, employment or favorable terms on a mortgage), or other significant effects. As increasingly more online verifications are carried out by algorithms, concerns have been raised about the lack of transparency behind the technology, which leaves individuals with little understanding of how decisions are made about them.
- Compliant machine learning—Many identity verification vendors aggregate data across multiple customers to develop their machine learning algorithms. With GDPR, vendors should develop specific AI models trained on the data of a given customer and cannot leverage data from other business customers to create more comprehensive models.
- Data retention—GDPR requires that personal data should be “limited to what is necessary for the purposes for which they are processed,” and requires personal data storage being “limited to a strict minimum.”
- Breach notification—GDPR requires data processors to quickly notify the controller once aware of a data breach. Most identity verification vendors don’t have established or tested processes in place for data breach notifications.
- Data encryption—GDPR requires data processors to have “appropriate” measures to ensure the security of personal data, including encryption, ensuring confidentiality, restoring data access and regular auditing/testing. Jumio is PCI-DSS compliant, and this Good Housekeeping Seal of Approval means we have a big head start with GDPR because PCI requires us to lock down data, encrypt everything, and be subject to third-party audits. These actions prove we take data protection and privacy very seriously.
Revised Payment Service Directive (PSD2)
What is it and who’s impacted?
PSD2 is the second iteration of the Payment Services Directive (PSD) implemented by the EU and went live in January 2018. PSD2 affects both individuals and businesses and enables bank customers to use third-party providers to manage their finances. PSD2 applies to modern payment services including banks, credit unions, fintech companies and payment companies based in the EU.
Under PSD2, “account servicing payment service providers” must open up three sets of APIs giving registered third parties access to customer accounts. The customer must give permission to the bank using two-factor authentication, a process PSD2 refers to as Strong Customer Authentication (SCA), before the third party is allowed access. Most access to customer accounts, including card payments, is covered under this process—sometimes even when the customers directly query their own account details.
PSD2 and identity verification
PSD2 sets out very specific standards for secure electronic identity verification in order to protect the funds and personal identities of customers. The European Banking Federation encourages trust in digital identity verification tools that can guarantee that the person claiming an identity is, in fact, the assignee of that identity.
One of PSD2’s key requirements is that banks must apply SCA to all remote access to customer accounts. This means that when authentication is required, two of three factors will be applied: something the customer is, something the customer has and something the customer knows. Identity verification is clearly critical as part of this, as banks will need customers to re-identify themselves if they forget or lose a key factor.
Account access dependent on two-factor authentication makes it more likely that customers will lose or forget their credentials, leading to more reset requests. PSD2 requires this credential reset process to also use two-factor authentication, but the end customer must use two authentication factors different from those used in the account access process for the open APIs. The credential reset process means the customer has to re-identify themselves to their bank using a Strong Customer Identity Verification (SCeID) process to verify or re-verify their identity.
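As an added illustration (not part of the original post or any Jumio product), the two SCA rules just described can be expressed as a small policy check: an authentication attempt must cover at least two of the three factor categories, and a credential reset must itself be SCA while using credentials that are not the ones relied on for account access. The credential-to-category mapping is a constructed assumption for the example; a real bank would maintain its own.

```python
from enum import Enum


class Factor(Enum):
    """The three factor categories PSD2's SCA draws from."""
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Constructed mapping of credential types to factor categories (assumption).
CREDENTIAL_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "otp_app": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face_match": Factor.INHERENCE,
}


def is_strong_customer_authentication(credentials):
    """SCA rule: at least two distinct factor categories must be present.

    Unknown credential types are rejected rather than guessed at, so a
    misconfigured flow fails closed."""
    categories = set()
    for cred in credentials:
        category = CREDENTIAL_CATEGORY.get(cred)
        if category is None:
            return False
        categories.add(category)
    return len(categories) >= 2


def reset_uses_different_factors(access_credentials, reset_credentials):
    """Reset rule: the reset flow must itself satisfy SCA and must not reuse
    any credential from the account-access flow, so a lost or compromised
    access factor cannot be used to reset itself."""
    if not is_strong_customer_authentication(reset_credentials):
        return False
    return set(access_credentials).isdisjoint(reset_credentials)


if __name__ == "__main__":
    access = ["password", "otp_app"]
    print("access is SCA:", is_strong_customer_authentication(access))
    print("reset ok:", reset_uses_different_factors(access, ["hardware_token", "face_match"]))
    print("reset reuses factor:", reset_uses_different_factors(access, ["password", "face_match"]))
```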
Both SCA and SCeID are mandated by PSD2, and failure to implement these capabilities exposes banks to penalties under PSD2 as set by national regulators. However, a failure to implement these capabilities properly may also expose banks to potential loss of sensitive customer data and, under GDPR, this opens up the possibility of fines of up to 2 percent of global annual turnover.
At a time when we’re never without our smartphones and we use them for just about everything, personal data is abundant…and also susceptible to theft by fraudsters. A well-designed SCeID process, built on a strong digital identity verification solution, allows customers to painlessly perform digital onboarding and reset their authentication credentials while keeping their personal information secure. You’ll want to watch for the following four characteristics when looking for a PSD2-compliant credential reset program:
- Strength—Use two factors of identity document verification to demonstrate that the consumer is in possession of their ID and live facial biometric matching to establish the person behind the transaction matches the person holding the ID.
- Speed—Online and near real-time process to get customers transacting quickly.
- Accuracy—Deliver a high level of accuracy using proven technologies and services.
- Simplicity—Convenient for the customer, while limiting additional compliance costs for the business.
Still have questions about GDPR and PSD2? Download Compliance Made Simple for more information about key regulations, including GDPR and PSD2, you need to consider as you subject your customers and online users to ID, identity or document verification processes. If you’re headed to Money20/20 USA, don’t miss Robert Prigge, Chief Revenue Officer at Jumio, speaking about “GDPR, Identity & The Right to Be Forgotten” at 10:50 a.m. Sunday, Oct. 21. Learn more: http://sched.co/FHGP