Data security and regulatory compliance PSD2 directive, GDPR

In France, the control of banks and insurance is ensured by The French Prudential Supervision and Resolution Authority (ACPR). 

The ACPR is an administrative authority whose independence in the fulfillment of its missions and financial autonomy is provided by the French monetary and financial code.

The ACPR oversees the banking and insurance sectors.

 It ensures the financial system and client protection’s stability.

PSD2 is a revision of the Payment Services Directive aim to modernise the payment service in Europe for the consumers and compagnies. It fosters online services and mobile payments, more secured payments and a better consumers’ protection.

At the same time, the directive aims to improve competitive conditions for payment services providers – including new players or Fintechs as Budget Insight. Many PSD2 elements have already been applied in the EU since January 13, 2018.

PSD2 solves the problem of online payment fraud:

1. PSD2 introduces strict security requirements for online payments and the protection of consumer financial data to ensure that their privacy is respected by all market providers (since September 2019).
2. PSD2 opens the EU payment market to competition: PSD2 settles the rules for the future. With online financial services constantly evolving, the new rules will apply to traditional banks, innovative payment services and new providers such as Fintechs. From now on, the third-party providers (TPP) will be ruled by the EU rules. Budget Insight initiates payment on the name of its clients and give the insurance to the retailers that the money is coming, or give them an outlook of the accounts and the available amount for their client’s bank accounts 
3. PSD2 improves complaint procedures

A payment institution’ means a legal person that has been granted authorization in accordance with Article 11 of PSD 2 to provide and execute payment services throughout the Union and which is not a credit institution.

Payment services essentially comprise:

• Services enabling cash to be deposited into or withdrawn from a payment account and the transactions required to manage such an account;
• Execution of payment transactions associated with a payment account (card payments, credit transfers and direct debits);
• Transmission of funds;
• Issuance of means of payment and/or acquisition of payment orders.
• Payment initiation and account information services (Services provided by Budget insight).

A payment institution is licensed by a national competent authority (in France: ACPR).

The main innovation of the PSD2 is the acknowledgement of two new payment services which allows a third party to interpose between a user and its banks or credit institutions: 

1. Payment initiation service
2. Account information service

Preliminary, only the payment accounts are included in the PSD2 perimeter. For example, bank accounts with a payment card or cheque are considered as payment accounts, which are under PSD2 perimeter. A “Livret A” is a saving account so it is not in the PSD2 perimeter. 

The providers who provide these services, like the other payment institutions, need to obtain an authorization from the ACPR (the French Prudential Supervision and Resolution Authority) and to be insured by an public liability insurance equal covering the territories where they provide their services. For more transparency, the authorized service providers are registered on the financial agents register (Regafi).

In BtoB cases, for example for the automatic accountancy service of the transiting operations on payment accounts, the customer loyalty program, the verification of the client’s solvency; three categories are available with different regulatory consequences: 

1. White labels : the partner has to be authorized by the ACPR as a credit institution, or account information provider (PSIC) and/or payment initiation and has to comply with the requirements of this status as an insurance subscription of professional indemnity. It is important to remember that, as said in the 3rd November of 2014 concerning the internal control, the externalized service provider has to be authorized as a PSIC by the ACPR too.
2. The Agent or the co-branding : The partner has to be  appointed as a payment service Agent of the PISC. The payment services are delivered under the responsibility of the PSIC who has a control power as stated in the L.523-3 article of the monetary and financial code.
3. The partnership or redirect : No formality is required by the ACPR for the partner, who has no implication in the delivery of the payment services. The aggregation and the data security are the responsibility of the aggregation and payment initiation service provider.

Personal Data are not processed outside of France. Indeed, these are located in our servers managed by our subcontractor SEWAN located in France for the hosting of data.

Our supplier Sewan stored your data in France. In addition, those data are encrypted by GEMALTO (groupe Thalès) which is located in France. Our suppliers are GDPR-certified.

In order to be GDPR compliant, Budget insight has taken organizational and technical measures to ensure the confidentiality and security of the end user personal data.

Upon request of the end user to access their personal data in accordance to art. 15 of the GDPR (delete, copy, …) to dpo@budget-insight.com , the data would be proceed accordingly to the consent of the data subject. Please read our personal data protection for further information: https://www.budget-insight.com/en/confidentiality

The data protection officer email: dpo@budget-insight.com

An internal process regarding personal data breach is implemented and a data breach record is kept. 

In case of personal data breach, Budget insight would not later than 72 hours after having become aware of it: 

• Assess the breach
• If necessary, relevant service may be temporarily stop 
• Carry out a technical audit and set up an emergency meeting
• implement effective remedies and submit a post incident report
• if appropriate, notify the CNIL

Budget Insight has taken the following security measures to ensure that your data are protected: 

• access control systems
• encryption of data
• equipment authentication
• organizational measures (clearance)
• tracking (access logging)
• monitoring (audit)
• notification of security breaches to relevant entities and increase of security measures
• Backup servers
• Safety of materials (servers)
• Maintenance
• Archival storage

Budget Insight is covered by a cyber security insurance. The insurance certificate can be made available on request to dpo@budget-insight.com