Navigating a Trilemma: How the introduction of the PSD2, AMLD5 and GDPR shaped a new paradigm for Payment Service Providers


Navigating a Trilemma: How the introduction of the PSD2, AMLD5 and GDPR shaped a new paradigm for Payment Service Providers

The introduction of the Revised Payment Services Directive (PSD2) coincided with that of the General Data Protection Regulation (GDPR) and 5th EU Anti-Money Laundering Directive (AMLD5). As a result, when (new) FSI players are thinking of entering and navigating the newly opened payments market, they must navigate three laws that differ greatly in goal and spirit. These two directives and one regulation form an intricate framework which occasionally generates conflict or contains aspects that have not yet fully been crystalized, creating what we call the “PSD2 Trilemma”.

PSD2 Trilemma

It does not happen often that a new EU directive sparks as much interest or discussion as PSD2, which came into force on 13 January 2018. This directive was highly anticipated by many, mostly because of its envisioned goal; ensuring legal certainty for consumers, merchants and companies within the payment chain and modernizing the legal framework for the market for payment services. In practice, it forces the payments markets to innovate, transform and open up to new, non-traditional FSI players.

Coinciding with the introduction of the PSD2 was that of the GDPR and AMLD5. The three laws were each drafted with a different goal in mind. Whereas PSD2 opens up access to payment data, GDPR is designed with an eye on data restriction and AMLD5 with a focus on combatting financial crime. This blog is the introduction to a series of blogs that will dive into various issues that make up this PSD2 Trilemma and aims to provide insight in the risks and opportunities that lie between big data, privacy and the prevention of financial crime.

Sign up to receive FinTech updates by email

Stay Informed


As the goal and spirit of PSD2, GDPR and AMLD5 differ greatly from each other, the three laws form an intricate framework in which various challenges lie ahead for parties that want to reap the opportunities enabled by PSD2. They will need to comply with the three laws which can lead to various scenarios in which interests will be conflicting. PSD2 allows for the processing of personal data of non-contracting parties (so called ‘silent party data’) by Account Information Service Providers (AISP’s) and Payment Initiation Service Providers (PISP’s). The European Data Protection Board (amongst others) has noted that these requirements could conflict with the GDPR, which regulates explicit consent of data owners, including silent parties.

Although AMLD5 does not conflict with PSD2 requirements per se, the goal of the Directive does add a burden to those that want to enter the payments market. AML requirements have become increasingly complex and many institutions are struggling with them for at least the last decade. Regulatory pressure is intense and so are fines for non-compliance. If large financial institutions with their significant resources already find it difficult to comply, how should start-ups or non-financial companies do so? And do all sorts of products mentioned in PDS2 fall under AMLD5 requirements? Moreover, can certain transactions executed by AISP’s even be seen as customer relationships which is the norm to decide whether AML requirements apply?

The status quo in the PSD2 Regulatory innovation journey

These and other questions determine what future lies ahead for the perceived benefits of PSD2. Up until now, PSD2 has instigated various new players, mostly BigTech companies like Google, Alipay, Amazon, Zalando and Uber, to enter the payments market. Banks, as incumbent parties, are using the momentum to further innovate and initiate agile, technology driven AISP’s and PISP’s. In the Netherlands, the mainstay of newly licensed parties offer services to non-retail customers where only a limited number focuses on solutions for the retail market.

Currently, some questions remain. We see that some regulators (including The Dutch Central Bank (DNB)) have issued further guidance but some important areas need further clarity. For example, no consensus exists on the practical meaning of the definition of a payment account, which is a key definition to determine the applicability of PSD2. Furthermore, the ever-increasing volume of transactions places a heavy strain on the capability to monitor transactions. The question whether the opportunities that derive from PSD2 are actually beneficial for the general public remains a topic of debate.

With the current pace of technological innovations and with increasingly clear questions that need answering, it is certain that the existing status quo within this PSD2 Trilemma will not endure forever. The first party that manages to integrate the regulatory obligations with a service-minded business plan will turn what is now perceived as a hurdle into a catalyst for growth. In the coming weeks, we will publish several blogs concerning key issues that need coverage in order to gain a better understanding on how to navigate the PSD2 Trilemma and to seize the full benefits of PSD2.

Blog series on PSD2

Now that PSD2 has been with us for about 2.5 years and enforcement of RTS SCA is coming close, we introduce a series of blogs, all focusing on specific issues related to PSD2 as mentioned above. The following subjects will be discussed in our blogs that will be published in the coming weeks:

Would you like to receive update on the latest PSD2 blog series? Please click “Stay Informed” on the right!

Did you find this useful?