Thu, Apr 19, 2018
What’s in a Name? It’s a Question Regulators Are Increasingly Asking
Across the acres of coverage around General Data Protection Regulation (GDPR) and the Second Payment Services Directive (PSD2), some subtleties have been largely overlooked. One of them is the interaction between the two when it comes to the new subject access rights.

This article was contributed by Andrew Churchill, Vice Chair for Funding and Business Development, European Alliance for Innovation.
Read Global Regulatory Outlook 2018
Under the General Data Protection Regulation (GDPR) and the U.K.’s Data Protection Bill, individuals have the right to access their personal data. Organizations, meanwhile, have an obligation to check the identity of any person making such a request before releasing that data or, indeed, before accepting explicit consent to process their data.
Neither GDPR nor the Data Protection Bill currently prescribes how that authentication should be done, only that businesses should log that they have done so “so far as possible,” as the bill puts it. It’s unclear what that means in practice. We are working towards an accepted definition of what strong customer authentication may look like. (I’m lead author of the British Standards in Digital Identification and Authentication.) But we are not there yet.
There is one place where standards for authentication are already defined, however: in PSD2. While it may be impractical to fully apply those standards to online retailers or utilities companies, they are the standards expected of financial services. It seems logical, then, that PSD2’s authentication requirements will be those applied to financial services dealing with GDPR.
In the U.K., far from being undermined by Brexit, that’s reinforced. Although EU regulations (as opposed to directives) apply directly to member states, the U.K. has sought to promote certainty by writing the requirements of GDPR into the Data Protection Bill. However, the bill is also seeking to align with the Network and Information Systems (NIS) Directive, which increases the technical security requirements for critical national infrastructure, such as utilities companies. The U.K.’s approach has therefore seen the tougher standards of NIS leach into its application of GDPR for these businesses.
Payments, though part of critical infrastructure, have an exemption from these requirements, but only on the basis that stronger sector-specific security standards for these companies already exist—in this case, those under PSD2.
The end result is that with the advent of GDPR, all organizations must be able to authenticate customers for the purposes of subject access requests and explicit consent; critical national infrastructure, meanwhile, will have to go further under the NIS rules and employ stronger standards. However, there are financial services companies exempt from NIS because they are subject to even stronger standards under PSD2. But if “best practice” for financial services is required for transactions above €30, surely access to other data, such as medical records or our online profiles, should be at least as well-protected.
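What applying PSD2’s bar to a subject access request might look like in code, as an added illustration that is not part of this article and not Kroll’s or the author’s own tooling: the gate below accepts a request only when verified authentication elements span at least two of the three independent categories that PSD2’s regulatory technical standards name (knowledge, possession, inherence), and it writes a hash-chained log entry for every decision so the organization can later show that it checked the requester’s identity. The class and function names, the log layout and the sample records are assumptions made for the example.

```python
"""
Added example, not code from the article: a policy gate for a GDPR subject
access request (SAR) that borrows PSD2's definition of strong customer
authentication (SCA), then records the check in an append-only, hash-chained
log so the organisation can evidence that it authenticated the requester.

Assumptions (illustrative, not taken from the article):
  - the element categories are the three named in the PSD2 RTS on SCA:
    knowledge, possession, inherence; at least two distinct categories must
    have been verified before data is released;
  - class names, function names, the log format and SAMPLE_RECORDS are
    invented for this example.
"""
import hashlib
import json
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (password, PIN)
    POSSESSION = "possession"  # something only the user has (phone, token)
    INHERENCE = "inherence"    # something the user is (fingerprint, face)


@dataclass(frozen=True)
class Evidence:
    factor: Factor
    method: str      # e.g. "password", "totp", "fingerprint"
    verified: bool   # outcome of the underlying check, performed elsewhere


def satisfies_sca(evidence: list) -> bool:
    """True only if the verified elements cover two or more distinct categories.
    Password plus security question is one category (knowledge) and fails."""
    categories = {e.factor for e in evidence if e.verified}
    return len(categories) >= 2


class SarAuditLog:
    """Append-only log; every entry commits to the previous entry's digest,
    so editing or deleting an earlier decision breaks verify_chain()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def record(self, subject_id: str, evidence: list, decision: str) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        entry = {
            "subject_id": subject_id,
            # log category, method and result; never the credential itself
            "elements": [{"category": e.factor.value, "method": e.method,
                          "verified": e.verified} for e in evidence],
            "decision": decision,
            "prev": prev,
        }
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def handle_sar(subject_id: str, evidence: list, log: SarAuditLog, records: dict) -> dict:
    """Release the subject's data only after SCA; log the outcome either way."""
    if satisfies_sca(evidence):
        log.record(subject_id, evidence, "released")
        return {"status": "released", "data": records.get(subject_id)}
    log.record(subject_id, evidence, "refused")
    return {"status": "refused", "data": None}


# Constructed sample records for the example; not real personal data.
SAMPLE_RECORDS = {"subj-42": {"name": "A. Example", "postcode": "AB1 2CD"}}


def demo() -> dict:
    """Two requests against the same log: one meets SCA, one does not."""
    log = SarAuditLog()
    strong = [Evidence(Factor.KNOWLEDGE, "password", True),
              Evidence(Factor.POSSESSION, "totp", True)]
    one_category = [Evidence(Factor.KNOWLEDGE, "password", True),
                    Evidence(Factor.KNOWLEDGE, "security_question", True)]
    first = handle_sar("subj-42", strong, log, SAMPLE_RECORDS)
    second = handle_sar("subj-42", one_category, log, SAMPLE_RECORDS)
    return {"strong": first["status"], "one_category": second["status"],
            "chain_ok": log.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

The two design choices worth noting are that the log stores the category, method and result of each element rather than the credential, and that the refused request is logged as carefully as the released one: a regulator asking “how did you authenticate this requester?” needs the failures as much as the successes.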
It all adds up to a considerable workload facing financial services businesses come May. Many are still getting to grips with the requirements of PSD2, but if security standards, such as the forthcoming British Standard, can have wider application, then there will be additional business opportunities for those organizations that best meet this challenge. Identity as a service could truly come of age in 2018.