GDPR: Balancing Privacy And Innovation To Create Opportunities In Banking

The season three premiere of the sci-fi drama Black Mirror features a dystopian world in which everyone rates personal interactions on a scale of one to five. This creates a public social ranking that has chilling implications for the well-being and liberty of citizens. This type of social ranking is now becoming a reality in China, with the growth of a government-endorsed Social Credit System where 1.3 billion people will be able to similarly judge each other’s trustworthiness. We are already seeing this score impact everything from job prospects, to how easily you can get a restaurant reservation, to the speed at which a ride-hailing system responds to your request.

This example of life imitating art highlights the challenges facing banks as they try to balance the desire of customers to have innovative and compelling financial services experiences with the parallel desire to protect their data and privacy. That tension is abundantly clear in new regulations coming into effect in Europe, and also in speculation in the U.S. about the need for privacy and data management oversight that goes beyond the caveat emptor clauses buried deep in many product user agreements.

On May 25, the most significant data privacy law ever comes into effect: the European Union’s General Data Protection Regulation (GDPR). It’s a change that’s been called “the biggest overhaul of the world’s privacy rules in more than 20 years.” The new rules give EU citizens far more control over the use and storage of their data and specify punitive fines for companies that fail to keep that data safe: up to 20 million euros or 4% of global revenue, whichever is greater. In what on the surface could appear to be a dissonant piece of parallel regulation, European banks are also being forced into the age of open banking through PSD2, which requires that – with customers’ permission – banks must share raw account data (such as balances and transactions) with third parties and also allow those third parties to initiate payment transactions on behalf of the customer. Outside of Europe, we are seeing similar open banking regulation being considered in both Australia and Canada; in the U.S. and Asia, competitive forces and the desire to improve the customer experience are creating a surge in open API availability.

These countervailing forces are creating a huge challenge for banks. On one hand, 4% of global revenue is an incentive to lock data in a digital vault and limit access to minimize any chance of a breach. On the other hand, customers increasingly see the value in sharing their data and expect reciprocity. Accenture research shows that two out of three consumers will share their banking data in exchange for some perceived value, as long as they trust whom they are sharing the data with. Set against the threat of a 4% fine is the huge opportunity to use data to improve the banking experience for customers and create new revenue streams. Recently, the World Economic Forum predicted that the global data market could be worth more than half a trillion dollars by 2024.

Any freshman psychology student will tell you that the human brain is perfectly capable of holding mutually exclusive views on different topics without feeling the need to reconcile them. So, we shouldn’t be surprised that consumers want both compelling digital experiences and high levels of privacy and data protection. To innovate and grow, banks will need to find ways to help customers navigate the choices they have on data sharing and educate them on why sharing information can be beneficial. Take, for example, ride-hailing services like Uber and Lyft. To enable those services, we need to share our location information and where we want to go, but those services also rely on customers and drivers ranking each other so that good behavior on both sides is rewarded and encouraged. Despite the stated desire for privacy, the reality is that many of the things we love about the digital world wouldn’t work without a high degree of data sharing. Waze wouldn’t be a great navigation app if hundreds of thousands of people weren’t willing to share their location, and Netflix wouldn’t be able to read my mind about what I like to watch on a Friday night if it knew nothing about my tastes and preferences – by the way, the answer is almost always another British crime drama.

As banks comply with both GDPR and PSD2, and banks in other geographies grapple with their own privacy vs. innovation tradeoffs, they need to develop customer consent mechanisms that help individuals easily share different levels of data, but also simultaneously help them understand the types of enhanced products and services that the sharing enables. For example, in return for sharing simple cash flow data with robo wealth platforms, consumers can receive advice about how to save more money. Sharing can also reduce risk; for example, sharing your phone’s location data can help fraud systems detect when an attempt is made to make a payment from an unusual geography. When customers choose not to share such data, they will lose out on leveraging such capabilities and their banking experience will be poorer as a result.

So, as banks increasingly collaborate with third-party providers to develop value-added services, they will need far more granular consent from their customers. Instead of a blanket, one-time sharing of data, customers will be asked for consent on a transaction-by-transaction basis. This might include confirming details such as the identity of third-party providers, the types of data customers agree to share, and the frequency and expiration date of such consent. Such detailed consent benefits both banks and customers by reducing fraud and giving customers more control over the process.

Today, far too much data sharing consent is based on binary agree/don’t agree prompts — a blunt instrument for living in the digital economy. In the coming years, banks will need to develop ways to give consumers the ability to share their information at a significantly more granular level without making the customer experience clunky and unappealing. That sharing may ultimately be enabled by consumers agreeing to have all of their personal data stored on a blockchain, giving them the freedom to share the “key” to portions of that data as needed on a case-by-case basis. But until that type of technology is available, banks should think about better “plain English” navigation embedded in well-designed, easy-to-understand interfaces that highlight the pros and cons of certain sharing choices and don’t ask for carte blanche data access.

While the banking industry develops such granular permissioning systems, try not to be frightened by dystopian TV visions of how your data will be mishandled – unless of course you think your social score will drop below 500 and you’ll be left in the rain waiting for an Uber that will never arrive.
