Data Privacy – No longer a nice to have, it is a must have!
Blogs on 14th May 2019
Over the past 18 months, we have seen a flurry of new regulations coming into enforcement. Arguably the most popular amongst those are Open Banking and the EU General Data Protection Regulation (GDPR) – an interesting mix when you look at the requirements. For example, both Open Banking and GDPR were aimed at giving power back to the consumer, BUT one cannot overlook the paradoxes, and therein lies the complexity.
Broadly speaking, Open Banking is the use of open Application Programming Interfaces (APIs) that enable developers to build applications and services around financial institutions. The idea is to bring more competition and innovation to financial services by offering better products and services. The introduction of Open Banking gives power back to the consumer, allowing them to decide who should have access to their data and what services can be provided using this data. The reforms require all EU-regulated banks to enable the sharing of your financial data, such as spending habits, with authorised providers – so long as you have given permission for them to share your data. In doing so, the policy around how banks handle financial information has changed.
Of course, with more and more open APIs, security and privacy become major concerns. This is because Open Banking brings down traditional security barriers. In order to make available their customer’s personal or business current account information externally, banks need open communication ports to provide access to third-party providers (TPPs) that exist beyond the banks’ perimeters. This means the banks’ security perimeters are stretched outside their existing perimeters, increasing the risk of cyber attacks.
Transferring client data to and from these TPPs exposes the data to more risks. It involves taking the data from the banks' legacy systems, where it is safe(r), and moving it to where it can be compromised, whether in transit, at rest (storage) or in use. The TPPs, running their own security controls, are now responsible for protecting any shared data they process. Any inadequate protection of data could result in fraudulent financial activity, reputational damage and jeopardise the Open Banking initiative. More importantly, it could completely undermine the trust that customers have placed in the banks.
On the other hand, GDPR empowers consumers to restrict access to data. It aims at empowering the consumer to take ownership over their data, adding more control on how financial institutions collect, process and distribute their personally identifiable information (PII). GDPR has certainly been a major challenge for many financial institutions (and beyond), as the reforms empower consumers to the Right to be Forgotten, Right to Erasure and Rectification, Subject Access Requests, Explicit Consent and so on. The challenge is not so much the rights themselves but more the data the banks hold. Many financial institutions have imperfect data and aren’t always aware of where the data is within their organisation, who has had access to it, nor how to find it. It is these challenges around data that make compliance with GDPR so complex and why technology is top of mind.
Many working within Financial Services may often find themselves bewildered by Open Banking and GDPR: one is asking for data to be shared/seen, whilst the other is saying it needs to be withheld/kept private. To become compliant with both, banks have invested huge sums of money into their architectures to improve the ability to both share and protect data, also known as data privacy. So why the big investment? Is it simply to become compliant and avoid fines, or is there something else in the works?
Avoiding regulatory fines and reputational damage (affecting share price) are certainly two of the main motivators. However, the banks have something more to fear. Enter Apple, Amazon, Facebook and Google, also known as TechFin – large organisations with the technology, resources and budgets to revolutionise banking. Far-fetched? Ask yourself, what did Amazon do to the traditional brick-and-mortar retailers? What did Apple just launch (not to say it is revolutionary, but it's a start)? It comes down to adapt or die in the global movement towards digital. We as consumers expect a seamless digital journey, whereby we have unfettered access to banking globally. If I asked you to check your bank account balance today, you would reach for your phone – this is exactly the convenience and journey we all want. However, an app is not enough. Open Banking is proof that we want more product offerings, more services and better customer experiences.
Unfortunately, banks are constrained by the 30+ year-old legacy systems they still use today, making the journey towards digital complex and very slow. In turn, they are struggling to provide new, innovative offerings because of legacy and other factors which take their focus away from innovating, including regulation and political instability. This is where FinTech and TechFin differ. Many define FinTech by the likes of Monzo, Revolut, OakNorth and so on, but in fact these are outliers. Yes, these particular FinTechs are a threat to banks, but more generally FinTech is about enabling the banks to digitalise, offer better products and compete against the likes of TechFin. However, as in Open Banking, digitalising requires data to be moved from where it is safe to where it is more exposed and vulnerable to risks. The question is: how do banks make the data secure, yet mobile? Protected, yet accessible? Available to all, yet visible to view? It all comes down to data privacy.
We expect digital but we, as individuals, also expect our data to be protected and the regulator demands it! This is the challenge and why data privacy is no longer a nice to have but a must have…