Where does GDPR sit in finance’s regulatory puzzle?
For any financial service organization, failure to comply with regulations is front page news, and it can seriously damage brand reputation, customer loyalty, and the bottom line.
The drive for greater transparency over customers’ finance data has led to a number of regulations and legal standards such as PSD2, Open Banking and, most recently, GDPR being introduced to the mix. In this article, I will discuss how we should view regulations as an opportunity rather than a barrier to innovation.
The regulatory minefield known as 2018…
This year has been a milestone one for regulatory changes in financial services. Open Banking launched in January 2018 with a whimper more than a bang. One possible explanation for this was a reluctance to cause a panic among consumers. Research by Ipsos MORI found that while almost two thirds (63%) of UK consumers see the services enabled by Open Banking as ‘unique’, just 13% of them would be comfortable allowing third parties to access their bank data. These figures are likely to have been impacted by high-profile breaches affecting the finance industry, which soured attitudes towards data protection policies.
Open Banking is built on the second Payment Services Directive, more commonly known as PSD2. Despite its fame being somewhat dwarfed by that of the General Data Protection Regulation (GDPR), PSD2 is a data revolution in the banking industry across Europe. By opening up banks’ APIs to third parties, consumers will be able to take advantage of smoother transactions, innovative new services and greater transparency in terms of fees and surcharges. In the UK, this is partly enabled through the Competition and Markets Authority’s (CMA) requirement for the largest current account providers to implement Open Banking.
Creating these experiences for consumers requires APIs which seamlessly draw together information from multiple datasets and sources. Step in GDPR, which has tightened up the controls consumers have over their data and introduced greater financial ramifications for companies and organizations that do not adhere to it. The penalty for non-compliance is $20,000,000 or 4% of global revenue, whichever is higher. One of the fundamental principles of GDPR compliance is providing greater transparency over where personal data is and how it is being used at all times.
PSD2 and Open Banking align with this because it is the consumer who has control over whether their data is shared with third parties, as well as the power to stop it being shared. In addition, the concept of the ‘right to be forgotten’ enshrined in GDPR means that consumers can demand that any data held by the third-party service provider be permanently deleted. Similarly, because GDPR puts the onus of data protection on both data controllers (i.e., banks) and data processors (i.e., PISPs and AISPs, the payment initiation and account information service providers), it is in the interests of both to ensure that their data governance strategies and technology are fit for purpose. As Deloitte and Accenture have pointed out, there may be contradictions within these regulations, but the overriding message is that transparency and consent are key for banks, which need good quality data to provide more innovative services.
Regulating the world’s most valuable commodity
Having untangled the web of data regulations facing the finance industry, we must remember that with the rise of big data, the cloud, and analytics based on machine learning, data is no longer something which clogs up your internal systems until it needs to be disposed of. Data is the world’s most valuable commodity – the rocket fuel that has powered the rise of Internet giants like Facebook, hyperscalers like AWS, and industry disruptors like Uber. To the finance industry, data is a matter of boom or bust, and given the vital role they play in society, consumers and businesses need banks to have data. This is why banks must take a proactive view towards data governance and treat it as an opportunity rather than a necessary evil.
EY’s 2018 annual banking regulatory outlook stresses the importance of banks staying on the front foot when it comes to regulatory compliance. It lists five key actions: achieving good governance; creating a culture of compliance; exerting command over data; investing in the ability to analyze data; and developing strategic partnerships. As these key points suggest, a proactive view of data governance does not stop at compliance. It’s about creating a virtuous cycle in which data is analyzed and the insight gleaned from that analysis is turned into services which customers appreciate. This will make customers want to share their data, because they can see the hyper-personalized and customized services they get as a result.
As a rule of thumb, the more information you give your bank, the more personalized the service it can provide. This is true across an entire range of services, such as calculating credit ratings and advising on savings and borrowing. However, this scenario works both ways, and regulations such as Open Banking, PSD2, and GDPR put the power firmly in consumers’ hands. So, the more data organizations ask for, the higher customers’ expectation of personalized services. Customers need to see what their data is being used for, so transparency is key if financial firms are to build and maintain trust with customers. Furthermore, to offer highly personalized products and services based on complex analysis of big data, organizations must already know where data is stored and how it is being used.
In summary, data protection regulations such as Open Banking, PSD2, and GDPR must be viewed as opportunities for financial services organizations to re-establish trust with consumers, which may have been eroded by high-profile data breaches in 2017. In a way, this brings us back to the basics of what financial services are all about: being a steward of people’s assets.
“When it comes to customer trust, financial leaders shouldn’t wait on regulators to keep their companies in check”
Knowing where data is and ensuring that it is managed correctly is fundamental not only to regulatory compliance and customer trust, but also to providing the highly personalized and predictive services that customers crave. Therefore, the requirements of the regulations are by no means at odds with the strategies of data-driven finance firms, but in fact perfectly aligned with them.