The UK Payments Systems Regulator (PSR) recently published a Discussion Paper (DP18/1) seeking stakeholders’ views and evidence on how data is used in the payments sector. The Discussion Paper defines “payments data” as a mix of financial, transactional, behavioural and other types of data, which payment service providers (PSPs) and other entities collect in the process of providing payment services to end-users. Such data includes, but is not limited to, personal data protected under data protection law.

The PSR is the UK’s regulator for designated payment systems including Bacs, CHAPS, Faster Payments, LINK, MasterCard and Visa Europe. Its statutory objectives are to ensure that payment systems take account of the interests of users, and to promote competition and innovation in payment systems.

What’s the purpose of the Discussion Paper?
The PSR wants to understand what role it might play to make sure new uses of payments data work well for the people and businesses that use payment systems. This could be through removing barriers to setting up new services, or through mitigating risks associated with them. The regulator is keen to gather industry and stakeholder views on its findings to make sure that it takes the right actions.

Designated payment systems are becoming a staple of modern life, with the majority of transactions now being conducted using them. The UK payments sector is evolving rapidly; cash is increasingly being replaced by plastic and internet and mobile banking use continues to rise.

Payments data is therefore an increasingly important part of the UK payment industry and is collected, analysed and used at various points during a payment transaction. This includes both data which is essential to payment processing, and “ancillary data” such as the location where the payment was made, and the channel and device used. However, the regulator is aware that end-users are becoming ever more data-wise and the sensitivity around payments data could result in roadblocks when it comes to sharing and utilising the data effectively.
In the Discussion Paper, the PSR identifies three key areas concerning how data is collected, used and shared that can directly affect its objectives to promote competition and facilitate innovation, namely:

Sharing: Some people may be reluctant to share their payments data with third-party companies providing other payments-related services (known as “overlay services”);

Access: Potential providers of new services may have limited access to data about transactions across a whole payment system (which the PSR calls “global” datasets), including those needed to develop new industry anti-money laundering (AML) and anti-fraud measures; and

Barriers: There are potential barriers that could stop consumers and businesses receiving benefits from additional “enhanced” data attached to transactions.

The PSR’s preliminary findings
The Discussion Paper builds on the PSR’s 2017 scoping work and concludes that there are three main ways in which payments data could be used to create commercial products or improve services:

    selling the raw data to other entities;
    analysing the data and generating insights; and
    applying insights from the data.

The PSR recognises that there are legal obligations associated with data collection and use. In particular, the EU General Data Protection Regulation (GDPR) has increased the level of control over how personal data is collected and used, and those who collect payments data will have obligations under various AML, counter-terrorism and anti-fraud laws. However, where permissible under data protection and other laws, PSPs use the data they collect to (amongst other things) provide services and personalise products, develop and improve products and services, cross-sell, prevent and detect fraud, derive commercial value and improve regulatory compliance.

The PSR also recognises the need to work with other regulators where they have the lead role in a particular area; and to remain cognisant of the various industry, policy and regulatory initiatives also underway with respect to data including the second European Payment Services Directive (PSD2) and Open Banking.

What does the PSR want from stakeholders?
The PSR is seeking stakeholder responses to:

1. understand the opportunities and risks associated with the increasing collection and use of data; and

2. identify the key areas where the PSR should consider developing policies or taking other action.

There are a number of opportunities identified in the report which PSPs and other stakeholders may wish to comment on.

In particular, the PSR recognises that sharing data could help build better consumer profiles around shopping habits, tastes and purchasing preferences and such profiles could be used to set prices or target discounts. However, the PSR accepts that concerns about end-user willingness for this activity need to be considered. (That said, consumer spending profiles are not a new concept – retailers have adopted similar approaches in creating profiles and targeted discounts for loyalty card holders.)

The Discussion Paper also acknowledges certain barriers to entry for smaller operators. Although payments data provides many opportunities, due to high fixed costs, data may be more readily used by larger institutions with the ability to create economies of scale. Furthermore, studies indicate that consumers tend to have more trust in established PSPs, which gives them a “head start”. However, the regulator also points out that technology can help bridge the gap (for example, cloud technology which brings down the cost of data storage reduces one barrier of entry for smaller players).

Another issue which is likely to lead to a variety of views from stakeholders will be the PSR’s proposal to require open access to global datasets, such as for the purpose of developing industry-wide anti-fraud and AML measures.

The Discussion Paper is an important opportunity for those in the industry to highlight any impediments they face, plus any competition issues that may arise from increased use of payments data. The Paper also gives stakeholders a chance to voice their opinion on what the role of the PSR should be with respect to payments data.

How can you get involved?
Stakeholders are invited to submit their responses to the Discussion Paper by 5pm (UK) on 3 September 2018. Companies may also wish to consider contributing to any industry trade association submissions.

Picture of Lucy Hart

Lucy Hart is an IT/C lawyer in Baker McKenzie's London office. She advises on regulatory issues as well as general contractual aspects of commercial and consumer agreements, and is particularly focused on EU General Data Protection Regulation compliance. Prior to joining Baker McKenzie, Lucy spent nearly ten years working for an FSA/FCA-regulated firm, including four years in its in-house legal department. Lucy has a particular interest in combining her previous background in payment services with her current practice.

Picture of Dan Relton

Dan Relton is a trainee in the IT/C department in Baker McKenzie's London office. He advises clients from various industries on general contractual aspects of commercial and consumer agreements and has a particular interest in the financial services industry.