Data security and regulatory compliance PSD2 directive, GDPR

In France, the control of banks and insurance is ensured by The French Prudential Supervision and Resolution Authority (ACPR). 

The ACPR is an administrative authority whose independence in the fulfillment of its missions and financial autonomy is provided by the French monetary and financial code.

The ACPR oversees the banking and insurance sectors.

 It ensures the financial system and client protection’s stability.

PSD2 is a revision of the Payment Services Directive aim to modernise the payment service in Europe for the consumers and compagnies. It fosters online services and mobile payments, more secured payments and a better consumers’ protection.

At the same time, the directive aims to improve competitive conditions for payment services providers – including new players or Fintechs as Budget Insight. Many PSD2 elements have already been applied in the EU since January 13, 2018.

PSD2 solves the problem of online payment fraud:

1. PSD2 introduces strict security requirements for online payments and the protection of consumer financial data to ensure that their privacy is respected by all market providers (since September 2019).
2. PSD2 opens the EU payment market to competition: PSD2 settles the rules for the future. With online financial services constantly evolving, the new rules will apply to traditional banks, innovative payment services and new providers such as Fintechs. From now on, the third-party providers (TPP) will be ruled by the EU rules. Budget Insight initiates payment on the name of its clients and give the insurance to the retailers that the money is coming, or give them an outlook of the accounts and the available amount for their client’s bank accounts 
3. PSD2 improves complaint procedures

A payment institution’ means a legal person that has been granted authorization in accordance with Article 11 of PSD 2 to provide and execute payment services throughout the Union and which is not a credit institution. 

Payment services essentially comprise:

• Services enabling cash to be deposited into or withdrawn from a payment account and the transactions required to manage such an account;
• Execution of payment transactions associated with a payment account (card payments, credit transfers and direct debits);
• Transmission of funds; 
• Payment initiation and account information services (Services provided by Budget insight);
• Issuance of means of payment and/or acquisition of payment orders.
•  

A payment institution is licensed by a national competent authority (in France: l’ACPR).

Les services permettant de verser ou retirer des espèces sur un compte de paiement ainsi que les opérations de gestion d’un tel compte ;

• L’exécution d’opérations de paiement associée à un compte de paiement (paiements par carte, virements et prélèvements) ;
• La transmission de fonds ;
• L’émission d’instruments de paiement et/ou l’acquisition d’ordre de paiement.
• Les services d’initiation de paiement et d’information sur les comptes (services proposés par Budget Insight)

Un établissement de paiement est agréé par l’ACPR.

The main innovation of the PSD2 is the acknowledgement of two new payment services which allows a third party to interpose between a user and its banks or credit institutions: 

1. Payment initiation service
2. Account information service

Preliminary, only the payment accounts are included in the PSD2 perimeter. For example, bank accounts with a payment card or cheque are considered as payment accounts, which are under PSD2 perimeter. A “Livret A” is a saving account so it is not in the PSD2 perimeter. 

The providers who provide these services, like the other payment institutions, need to obtain an authorization from the ACPR (the French Prudential Supervision and Resolution Authority) and to be insured by an public liability insurance equal covering the territories where they provide their services. For more transparency, the authorized service providers are registered on the financial agents register (Regafi).

In BtoB cases, for example for the automatic accountancy service of the transiting operations on payment accounts, the customer loyalty program, the verification of the client’s solvency; three categories are available with different regulatory consequences: 

1. White labels : the partner has to be authorized by the ACPR as a credit institution, or account information provider (PSIC) and/or payment initiation and has to comply with the requirements of this status as an insurance subscription of professional indemnity. It is important to remember that, as said in the 3rd November of 2014 concerning the internal control, the externalized service provider has to be authorized as a PSIC by the ACPR too.
2. The Agent or the co-branding : The partner has to be  appointed as a payment service Agent of the PISC. The payment services are delivered under the responsibility of the PSIC who has a control power as stated in the L.523-3 article of the monetary and financial code.
3. The partnership or redirect : No formality is required by the ACPR for the partner, who has no implication in the delivery of the payment services. The aggregation and the data security are the responsibility of the aggregation and payment initiation service provider.

1. le service d’initiation de paiement et
2. le service d’information sur les comptes.

A titre liminaire, seul les comptes de paiements sont dans le périmètre de la DSP2. Par exemple, les comptes bancaires avec une carte de paiement ou chèque sont des comptes de paiement, cela est sous le périmètre de la DSP 2. Un livret A est un compte d’épargne qui n’est pas dans le périmètre de la DSP2.

Ces prestataires qui fournissent ces services, comme les autres établissement de paiement, font l’objet d’un agrément auprès de l’ACPR (autorité de Contrôle Prudentiel et de Résolution) et être couverts par une assurance responsabilité civile professionnelle équivalente couvrant les territoires où ils fournissent leur service. Pour plus de transparence, les prestataires agrémentés sont indiqués au registre des agents financiers (Regafi).

Dans le cas du BtoB, par exemple pour des services comptabilisation automatique des opérations transitant sur les comptes de paiement, la mise en place d’un programme de fidélisation ou l’évaluation de la solvabilité d’un client, trois catégories impliquant des conséquences réglementaires différentes en terme de statut existent:

1. Les marques blanches : le partenaire doit alors être autorisé par l’ACPR en tant qu’établissement de crédit, ou prestataire d’informations sur les comptes (PSIC) et/ou d’initiation de paiement et doit donc répondre aux exigences de ce statut comme la souscription de l’assurance en responsabilité professionnelle. Il est par ailleurs important de souligner que, conformément à l’arrêté du 3 novembre 2014 relatif au contrôle interne, le prestataire de service essentiel externalisé doit lui-même être autorisé par l’ACPR en tant que PSIC.
2. L’agent ou le co-branding: Le partenaire doit alors être mandaté en tant qu’agent de service de paiement du PSIC. Les services de paiement sont fournis sous la responsabilité du PSIC qui dispose, par ailleurs, d’un pouvoir de contrôle conformément à l’article L.523-3 du code monétaire et financier.
3. Le partenariat ou redirection : Aucune formalité auprès de l’ACPR n’est requise en ce qui concerne le partenaire, qui ne joue ici aucun rôle au regard de la fourniture de services de paiement. L’agrégation et la sécurité des données sont de la seule responsabilité du fournisseur de service d’agrégation des comptes, ou d’initiation de paiement.

Personal Data are not processed outside of France. Indeed, these are located in our servers managed by our subcontractor SEWAN located in France for the hosting of data.

Our supplier Sewan stored your data in France. In addition, those data are encrypted by GEMALTO (groupe Thalès) which is located in France. Our suppliers are GDPR-certified.

In order to be GDPR compliant, Budget insight has taken organizational and technical measures to ensure the confidentiality and security of the end user personal data.

Upon request of the end user to access their personal data in accordance to art. 15 of the GDPR (delete, copy, …) to dpo@budget-insight.com , the data would be proceed accordingly to the consent of the data subject. Please read our personal data protection for further information.

En effet, dès lors qu’un utilisateur final manifeste la volonté d’exercer ses droits conformément aux articles 15 et suivants du règlement auprès de vous ou directement à l’adresse de notre délégué à la protection des données : dpo@budget-insight.com, aussi, dans le cadre de notre politique de confidentialité que nous vous invitons à consulter à cette adresse : https://www.budget-insight.com/data-policy, nous rappelons aux utilisateurs finaux leurs droits.

The data protection officer email: dpo@budget-insight.com

An internal process regarding personal data breach is implemented and a data breach record is kept. 

In case of personal data breach, Budget insight would not later than 72 hours after having become aware of it: 

• Assess the breach
• If necessary, relevant service may be temporarily stop 
• Carry out a technical audit and set up an emergency meeting
• implement effective remedies and submit a post incident report
• if appropriate, notify the CNIL

Budget Insight has taken the following security measures to ensure that your data are protected: 

• access control systems
• encryption of data
• equipment authentication
• organizational measures (clearance)
• tracking (access logging)
• monitoring (audit)
• notification of security breaches to relevant entities and increase of security measures
• Backup servers
• Safety of materials (servers)
• Maintenance
• Archival storage

Budget Insight is covered by a cyber security insurance. The insurance certificate can be made available on request to dpo@budget-insight.com