New banking regulations involving customer data sharing and data protection are a “headache for everyone”, according to a fintech advisor at the Royal Bank of Scotland.

Alan Lockhart, head of open banking and fintech solutions at RBS said banks are slow to respond and would have to play catch up with the fintech industry due to the new rules in the incoming banking legislation.

Speaking at the London Fintech Conference on Monday, Lockhart said the possibility of fintech startup companies working with banks is a huge opportunity.

“One of the huge opportunities that is right on the doorstep is bringing the strengths of fintech startup companies and getting them working with banks – institutions which have been very closed in their thinking. That’s not going to happen overnight because it requires a mindset change,” Lockhart said.

He further added that this change in mindset was “inevitable” however and would come over time.

Lockhart’s warning comes six months before the European Union’s Revised Payment Service Directive (PSD2) comes into force. This directive would enable what those in the fintech world call “open banking”, by giving third party non-banking firms – from corporations like Amazon to small fintech startups – the ability to perform payment services for banking customers and access their data.

“The issue today is you’ve only got one institution you’re dealing with, it’s the bank. And if the bank misuses your information or somehow it was shared inappropriately then you know where to go to get it sorted,” Lockhart said.

“But in the future world where you have tens, maybe hundreds of third parties that have legitimate access to customer data, that’s a completely different kind of situation. From a tech point of view, all of those third party companies will have different approaches to security.”

Third party access to customer data is a clear concern for banks and legal experts in the run up to January next year, when PSD2 is set to be established as law.

Yvonne Dunn, partner at law firm Pinsent Masons, pointed out that the new EU directive could contradict another regulation, the General Data Protection Regulation (GDPR), a confidentiality law which also becomes enforceable in 2018.

“I think the interesting thing about consent and data is that this is where you start to bring in other new legislative developments and start to put them up against things like PSD2 and open banking and start to identify new issues,” Dunn said. “A key one is GDPR, which is due to come in next year as well.”

The GDPR aims to return control to citizens inside and outside the EU over their personal data. It brings current EU data protection regulation in line with the regulatory framework for all international businesses.

Dunn added that there was the “potential for some frictions to develop” between open banking and data sharing, and confidentiality and data protection.

RBS’ Lockhart added that this was a problem for the big banks, which he believes have responded slowly to the concept of open banking due to the structure in which teams follow these processes.

“However this change to open banking is fundamentally the biggest change to the banking system since the invention of the checkbook,” he said.

Application programming interfaces (APIs) – codes which allows different financial programs to communicate with each other – would be vital to revolutionizing the banking system, Lockhart said.

He described an “open API ecosystem” which would create a connected network of financial institutions and third-party companies.

“We’re moving into the global, open API ecosystem, and there is no choice,” Lockhart said. “So all of the large organizations will come – kicking and screaming in some cases.”

He added: “What we (RBS) are doing as best as we can within our own institution is seeking to accelerate the change to be an enzyme to force a reaction so that we really get there. And we will take advantage of the opportunities that are going to come.”

Lockhart called for “collaboration rather than direct competition” with third party fintech companies.

But he admitted that not all customers would be so enthused by the prospect of third parties managing their data, adding: “We’ll win some and we’ll lose some”.