Why Financial Services Face Stricter Cookie Compliance Standards

Financial institutions operate under more regulatory scrutiny than almost any other sector online. A retail website might set a _ga analytics cookie and face a GDPR question. A banking portal setting that same cookie faces questions from the GDPR, the FCA, PCI DSS auditors, and potentially the PSD2 framework - all at once.

The Spanish Data Protection Authority issued fines totalling EUR 6.2 million against a major bank in 2024 for inadequate security measures, and enforcement against financial services organisations across Europe continues to intensify. The UK ICO launched a systematic review of the top 1,000 websites in 2025, with financial services among the priority sectors. For any organisation handling payment data, authentication tokens, or account information, getting GDPR-valid cookie consent right is not optional.

Essential vs Non-Essential Cookies in Financial Applications

Not every cookie on a banking website requires consent. The ePrivacy Directive, specifically Article 5(3), exempts cookies that are strictly necessary to provide a service explicitly requested by the user. For financial services, this category is broader than most sectors realise.

Session cookies like JSESSIONID that maintain authenticated states are essential. Fraud detection cookies set by payment processors qualify as strictly necessary because they protect the transaction itself. Strong customer authentication (SCA) tokens required under PSD2 fall into this category too - without them, the payment flow breaks.

The line blurs with behavioural analytics. A cookie tracking how users interact with a mortgage calculator might seem useful for product development, but it is a non-essential cookie requiring prior consent. The same applies to session recording tools, marketing pixels, and personalisation engines that recommend financial products based on browsing history.

| Cookie Type | Example | Consent Required? | Regulatory Concern |
|---|---|---|---|
| Session authentication | JSESSIONID, __Secure-session | No (strictly necessary) | PSD2 SCA, PCI DSS |
| Fraud detection | _stripe_mid, __paypal_fraud | No (strictly necessary) | PCI DSS Requirement 6 |
| Load balancing | AWSALB, __cfduid | No (strictly necessary) | PCI DSS infrastructure |
| Analytics | _ga, _gid | Yes | GDPR, UK GDPR, PECR |
| Marketing/retargeting | _fbp, _gcl_au | Yes | GDPR, ePrivacy, FCA conduct |
| Personalisation | product_rec_id | Yes | GDPR Article 22, FCA Consumer Duty |

PCI DSS 4.0.1 and Cookie Management

Since 31 March 2025, all PCI DSS 4.0.1 requirements are mandatory. Organisations still operating under version 3.2.1 are in violation. While PCI DSS does not directly regulate cookie consent, several requirements intersect with how cookies are managed on payment pages.

Requirement 6.4.3 demands that all payment page scripts are authorised, inventoried, and integrity-checked. If your cookie consent banner loads third-party scripts on a payment page - even with consent - each script must appear in your authorised inventory. A vendor risk assessment becomes essential for every tag and pixel that could fire on pages handling cardholder data.

Requirement 11.6.1 introduces change-and-tamper detection for payment pages. Your CMP itself, if it injects JavaScript on payment pages, falls under this requirement. The script must be monitored for unauthorised modifications.

The practical implication is significant. Many financial services websites load their cookie banner globally, including on payment and authentication pages. Under PCI DSS 4.0.1, every script that banner triggers on those pages needs documentation and monitoring. Consider scoping your CMP carefully - some organisations exclude payment iframes or hosted payment pages from the banner entirely, since those pages should not set non-essential cookies in the first place.

PSD2, Strong Customer Authentication, and Session Cookies

The Revised Payment Services Directive (PSD2) requires strong customer authentication for most electronic payments and account access within the EEA. SCA demands verification using at least two of three factors: knowledge (something the user knows), possession (something the user has), and inherence (something the user is). Each factor must be independent - compromising one must not compromise the others.

Session cookies play a direct role in SCA flows. After a user completes multi-factor authentication, a session token stored as a cookie maintains that authenticated state. These cookies are strictly necessary and do not require consent under Article 5(3) of the ePrivacy Directive.

Open banking adds another layer. PSD2 enables third-party providers to access account information through APIs (known as XS2A - Access to Account). When a user authorises a third-party provider to view account data, consent for that data access is governed by PSD2, not by your cookie banner. Conflating PSD2 consent with cookie consent confuses users and may undermine the validity of both.

The FCA Consumer Duty and Cookie Practices

UK-regulated financial services firms face additional obligations under the FCA's Consumer Duty, which came fully into force in July 2024. The duty requires firms to deliver good outcomes for retail customers, including clear and fair communications.

Dark patterns in cookie banners - such as making rejection harder than acceptance, using confusing toggle designs, or burying opt-out options - conflict directly with the Consumer Duty's requirements. A financial services website that makes it easy to accept all tracking cookies but requires five clicks to reject them risks both a GDPR complaint and an FCA conduct concern.

The Data Use and Access Act, enacted in June 2025, raised the maximum PECR penalty from GBP 500,000 to GBP 17.5 million or 4% of global annual turnover, aligning it with UK GDPR levels. For financial services firms already under FCA supervision, a cookie compliance failure could trigger parallel investigations from both the ICO and the FCA.

Practical Steps for Financial Services Cookie Compliance

Separate Payment Pages from Marketing Pages

Payment and authentication pages should load no non-essential cookies or third-party scripts. Keep your PCI DSS cardholder data environment clean. If your CMP loads on these pages, configure it to block all optional categories by default with no option to enable marketing cookies on payment flows.

Audit Every Script on Payment Pages

PCI DSS 4.0.1 Requirement 6.4.3 demands a documented inventory of all scripts on payment pages. Run a cookie audit that specifically maps which cookies and scripts load on pages within your cardholder data environment. Use your CMP's scanning functionality to detect cookies set before consent is granted.

Classify SCA Cookies Correctly

Authentication and SCA session cookies are strictly necessary. Do not lump them into a generic "functional" category that users might disable. Miscategorising these cookies could break login flows or payment authorisation, creating both a compliance gap and a poor user experience. Refer to guidance on cookie categories to ensure correct classification.
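The three practices above (keeping optional tags off payment pages, as also discussed under PCI DSS 4.0.1; scoping the CMP; and never placing SCA cookies behind a toggle) come together in the following JavaScript, an added example written for this article rather than Kukie.io's product or any CMP's API. It decides which tags may run from two inputs, the visitor's recorded consent and whether the page belongs to the payment or authentication flow, and it lints a CMP inventory so that an essential cookie filed under a user-toggleable category is caught before deployment. The tag ids, path prefixes and consent object shape are constructed; cookie names and categories follow the table earlier on the page.

```javascript
// Added example (not Kukie.io or any CMP's code): consent gating that keeps
// payment and authentication pages free of optional tags and refuses CMP
// configurations that put an authentication cookie behind a consent toggle.
// Tag ids, paths and consent shape are constructed; cookie names and
// categories follow the table earlier on the page.

const STRICTLY_NECESSARY = 'strictly_necessary';

// Cookies the table lists as strictly necessary: a CMP config that files any of
// them under a user-toggleable category is a misclassification.
const ESSENTIAL_BY_DESIGN = new Set([
  'JSESSIONID', '__Secure-session',      // session authentication / SCA state
  '_stripe_mid', '__paypal_fraud',       // payment-processor fraud detection
  'AWSALB', '__cfduid',                  // load balancing
]);

// Hypothetical tag inventory for a retail-banking site.
const TAG_INVENTORY = [
  { id: 'session-keepalive', cookie: 'JSESSIONID',     category: STRICTLY_NECESSARY },
  { id: 'psp-fraud',         cookie: '_stripe_mid',    category: STRICTLY_NECESSARY },
  { id: 'analytics',         cookie: '_ga',            category: 'analytics' },
  { id: 'retargeting',       cookie: '_fbp',           category: 'marketing' },
  { id: 'product-recs',      cookie: 'product_rec_id', category: 'personalisation' },
];

// Paths that belong to the cardholder data environment or the SCA flow.
const RESTRICTED_PATH_PREFIXES = ['/pay', '/checkout', '/login', '/sca'];

// Exact-segment prefix match, so "/payments-guide" is not treated as "/pay".
function isRestrictedPage(path) {
  return RESTRICTED_PATH_PREFIXES.some(p => path === p || path.startsWith(p + '/'));
}

// Return the ids of tags allowed to run on `path`. `consent` maps a category to
// true/false; a category with no recorded decision is treated as refused.
function allowedTags(path, consent, inventory = TAG_INVENTORY) {
  const restricted = isRestrictedPage(path);
  return inventory
    .filter(tag => {
      if (tag.category === STRICTLY_NECESSARY) return true; // ePrivacy Art. 5(3) exemption
      if (restricted) return false;                         // nothing optional in PCI scope
      return consent[tag.category] === true;                // default deny until opted in
    })
    .map(tag => tag.id);
}

// Lint a CMP inventory before deploying it: every essential cookie must sit in
// the strictly necessary category, or rejecting cookies will break login/SCA.
function validateInventory(inventory = TAG_INVENTORY) {
  return inventory
    .filter(tag => ESSENTIAL_BY_DESIGN.has(tag.cookie) && tag.category !== STRICTLY_NECESSARY)
    .map(tag => `${tag.cookie} (${tag.id}) is essential but filed under "${tag.category}"`);
}

// The "freely given" test: a payment page must function with no consent at all,
// i.e. session and fraud-detection tags still run when nothing has been accepted.
function paymentWorksWithoutConsent(inventory = TAG_INVENTORY) {
  const ids = allowedTags('/pay/confirm', {}, inventory);
  return ids.includes('session-keepalive') && ids.includes('psp-fraud');
}
```

Two design choices carry the compliance weight: a missing consent decision is treated as a refusal rather than as "not yet asked", and the page scope check is evaluated before consent is consulted, so a visitor who accepted marketing cookies on the home page still gets no marketing tag on `/checkout`. `validateInventory` is the guard for the misclassification described above; run it in CI against the exported CMP configuration so a category change cannot silently put `JSESSIONID` behind a toggle.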

Document Your Consent Architecture

Regulators increasingly request evidence of consent mechanisms during investigations. Maintain records showing what your consent interface looked like, when it was displayed, and what choices users made. The evidence requirements for DPA investigations apply with extra weight in financial services, where regulatory expectations are higher across the board.

Common Mistakes Financial Services Websites Make

Loading analytics and marketing tags on internet banking pages is surprisingly common. A _ga cookie on a page displaying account balances creates an unnecessary data protection risk and a potential PCI DSS finding.

Another frequent error is treating payment gateway cookies as non-essential. Fraud detection cookies from processors like Stripe or PayPal are strictly necessary for the transaction to complete securely. Blocking them behind a consent wall can cause payment failures and increase fraud exposure.

Some firms also use cookie consent banners that conflict with their PSD2 obligations. If a user must accept cookies to proceed with a payment, that is not freely given consent under GDPR. The payment must work with only strictly necessary cookies enabled.

Frequently Asked Questions

Do banking websites need a cookie consent banner?

Yes. Banking websites must comply with the ePrivacy Directive (or PECR in the UK) and GDPR just like any other website. While strictly necessary cookies for authentication and fraud prevention do not need consent, any analytics, marketing, or personalisation cookies require a consent mechanism.

Are fraud detection cookies from payment processors considered essential?

Fraud detection cookies set by payment processors like Stripe or PayPal are generally classified as strictly necessary because they protect the security of the transaction. Blocking them behind a consent wall can cause payment failures and increase fraud risk.

Does PCI DSS require cookie consent?

PCI DSS does not directly mandate cookie consent. It does require that all scripts on payment pages are authorised, inventoried, and monitored under Requirements 6.4.3 and 11.6.1. This means your CMP and any scripts it triggers on payment pages must be documented and integrity-checked.

Can I use Google Analytics on my online banking portal?

Technically yes, but only with valid prior consent and careful implementation. The _ga cookie is non-essential and requires consent under GDPR. On pages displaying sensitive financial data, the additional data protection risk may outweigh the analytics benefit.

How does the FCA Consumer Duty affect cookie banners?

The FCA Consumer Duty requires clear and fair communications with retail customers. Cookie banners that use dark patterns, such as making rejection harder than acceptance, conflict with this duty and could trigger FCA conduct concerns alongside ICO enforcement.

What happens if my cookie banner blocks SCA authentication cookies?

If your cookie banner incorrectly classifies SCA session cookies as non-essential and allows users to reject them, authentication flows will break. SCA cookies are strictly necessary under Article 5(3) of the ePrivacy Directive and should never be placed behind a consent toggle.

Take Control of Your Cookie Compliance

If you are not sure which cookies your financial services website sets - or whether your payment pages are loading scripts they should not - start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie, so your visitors get a clear choice and you stay on the right side of both privacy law and financial regulation.
