Ethical data usage: the difference between ‘can’ and ‘should’ has been saved
Ethical data usage: the difference between ‘can’ and ‘should’
Navigating the PSD2 Trilemma
Since the Payment Services Directive 2 (“PSD2”) came into effect, its use and practicalities have created serious challenges. Whilst the PSD2 landscape continues to evolve, one thing is certain: PSD2 is a multifaceted topic. To shine light on this complexity and on where these different topics intertwine, Deloitte has started the blog series ‘Navigating the PSD2 Trilemma’. The fourth blog will touch upon the digital ethics issues that third party providers (“TPPs”) and Account Servicing Payment Service Providers (“ASPSPs”) might face. What is the difference between ‘can’ and ‘should’ when it comes to handling sensitive transaction data?
Written by Fatima Jarmohamed
Go directly to
- Access to more payment information
- Digital ethical data usage
- Different digital ethics approaches
- Duty of Care
- Conclusion on digital ethics
Access to more payment information
The basis of PSD2 is Access to Account (also known as: XS2A), enabling third parties to access accounts held at (ASPSPs), which are in practice mostly banks. Subsequently, a larger number of parties has access to the payment accounts of individuals and businesses, collecting the data necessary for Payment Initiation Service and Account Information Service. Especially the Account Information Service Providers (AISPs) provide their customers with (extensive) insights on their financial behavior and financial health, tailoring their usage of customer data to the exact service they want to offer.
XS2A is therefore certainly a widely discussed aspect of PSD2. And as always: with new opportunities, new responsibilities arise. Now that PSPs have access to more customer data, are the PSPs sufficiently reflecting on the ethics behind their new-found data processing responsibilities? With the current lack of ethical norm codification, parties need determine the ethical standards themselves.1
PSD2 blog series overview
PSD2 meets Digital Ethics
In general, society is facing more and more data surveillance from government and commercial entities. Evidently, this surveillance deserves a more broad discussion. On an ethical level, this mass data surveillance on citizens and consumers is highly controversial – for example the data mining methods used in the benefits scandal (toeslagenaffaire) that is engulfing Dutch politics and society.2 If we look within that context to the financial sector, it raises the question: how do ASPSPs deal with ethical data usage? For example, banks could recognize a possible divorce by looking at the transaction data of couples – to a certain extent. The ethical follow-up questions are if, and how, they can make use of this information: is this insight to be mentioned to the couple or used in way to monitor them and their (possibly lowered) credit score more closely?3 ASPSPs often have several approval committees and other resources to ensure that these questions are thoughtfully answered and that transaction data are not improperly used – albeit that these committees might slow down the implementation process. This is not standard procedure for all PSPs. So, how can they ensure they fully grasp the complexity of the matter? In regard to constructing sound ‘building blocks’ that can offer more guidance, compliance by design and privacy by design have already proven their worth in the financial sector. Therefore, digital ethics by design or implementing a specific digital ethics approach is something ASPSPs and TPPs can intertwine more in their business to ensure that the right questions are being asked and answered at the right time.
Ethical questions as to how to use the newly harvested insights and consumer data are relatively new, specifically for TPPs that offer Account Information Services. When it comes to digital ethics, there is a nuance to be made with the introduction of PSD2 in comparison with, for example, loyalty cards that also make use of consumer data. The specific PSD2 payment services, payment initiation and account information, can only be provided if the customer has given their continuous consent to receive and use their transaction data. This continuous consent in light of PSD2 differs from the consent in light of the General Data Protection Regulation (GDPR). Whereas GDPR consent is given out once, the PSD2 consent has to be renewed every 90 days. This gives the customer a more powerful position and gives the PSD2 consent a more thoughtful nuance: every 90 days, the PSD2 customer consent should be ‘earned’ by the PSP, which can be an incentive to focus on digital ethics as a market differentiator.
Different digital ethics approaches
Another important aspect of a (strategic) digital ethics approach lies within the difference of size and focus of TPPs and ASPSPs: considering that differences in their revenue model might cause them to have a different outlook on digital ethics matters, as explained hereafter.
AISPs can provide insights to cut avoidable costs – for example, how to lower the gas bill. They may also provide the customer with cheaper alternatives. Is it still acceptable for the AISP to provide these insights if they also make money when the customer chooses that cheaper option (by for example using affiliate links)? Different revenue models of AISPs might lead to different answers to this question.4 Therefore, AISPs need to draw a line regarding their digital approach beforehand: at which point is it not acceptable anymore if their service benefits not only their customers, but themselves as well?
Reflecting on the customer data usage is necessary when formulating a digital ethics approach. This approach can offer guidance when laws, regulation and internal policy are to be weighed. On a strategic level, the digital ethics approach will help answer questions that can’t irrevocably be answered due to inconsistencies that arise with the PSD2 Trilemma.
Duty of Care
Whereas this blog has been primarily focused on digital ethics approach of TPPs and ASPSPs, the latter have other obligations that need to be taken into account. Larger financial institutions need to meet with a higher duty of care standard and thus face other challenges that can be tackled with the right digital ethics approach. In case of a loan application with usage of the customer’s transaction data – do banks lower the customer’s lending capacity if their transaction data has a negative impact on their credit score or do they keep working with the ‘regular’ and thus higher lending capacity? And when they offer bookkeeping solutions, how will they act if insights of a possible insolvency arise before the account manager knows about this?
Conclusion on digital ethics
At the end of the day, one of the biggest themes regarding ethics remains the same: ‘just because you can, does not mean you should’. When it comes to digital ethics in the financial industry and the data-driven payment industry, this is more important than ever. Reflecting on a sound digital ethics approach is no luxury, but is becoming a bare necessity. Customers will increasingly expect financial institutions to have a sound digital ethics approach and a digital ethics statement. Financial institutions can therefore distinguish themselves as they now have the opportunity to get on track with their digital ethics approach.
1-In July 2019 DNB issued guidelines for the SAFEST use of Artificial Intelligence by financial institutions where attention is paid to the Soundness, Accountability, Fairness, Ethics, Skills and Transparency aspects of the applications they develop. It is possible that guidelines on ethical data usage by PSPs might follow. In a way, GDPR can also be seen as a codification of ethical data processing, but GDPR cannot answer all questions that PSPs will encounter due to PSD2.
2-Report of the independent research committee (Eindverslag Parlementaire ondervragingscommissie Kinderopvangtoeslag, Commissie Van Dam, 17-12-20), https://www.tweedekamer.nl/sites/default/files/atoms/files/20201217_eindverslag_parlementaire_ondervragingscommissie_kinderopvangtoeslag.pdf.
3-A recent study by De Nederlandsche Bank has shown that Dutch customers are not very keen on sharing their transaction data. This adds another layer to the question whether or not data should be used to provide (sensitive) insights in the customer’s personal life. https://www.dnb.nl/nieuws/nieuwsoverzicht-en-archief/DNBulletin2019/dnb385796.jsp
4-For example, a TPP might need to reach the break-even point and thus might need to make more money, whereas an ASPSP might not need to.