Response to discussion Paper on innovative uses of consumer data by financial institutions
Go back
The EBA identifies in its Discussion Paper (‘the Paper’) a range of risks and potential benefits that exist around more sophisticated data processing and the use of non-traditional data sources such as social media. In discussing these issues, we wish to make some overarching points.
1 - Banking sector use of customer data
The Paper seems in many areas to be focussed on non-conventional data sources, such as social media sites, and on innovative uses of this data including big data analytics. However, it is important to remember that the bulk of banks’ data processing is for conventional purposes, such as:
- Processing customers’ transactions
- Regulatory compliance (eg: KYC checks, Treating Customers Fairly obligations, etc)
- Making lending decisions, including meeting responsible lending obligations
- Prevention of money laundering, fraud and other financial crime (eg: using mobile phone localisation when processing transactions)
- Using client feedback to improve customer services.
Similarly, although there is some limited use of social media-sourced data for fraud prevention purposes, the bulk of banks’ data are obtained from a small number of reliable sources, primarily:
- Credit ratings agencies (licensed and supervised entities)
- Regulatory sources such as Politically Exposed Persons lists
- From customers directly.
Banks are heavily regulated with regards to their conduct, capital and general risk management. This constrains the types of data processing they engage in. Similarly, though not something we would want to change, customer trust is central to banks’ business models. This limits banks’ appetite to develop innovative data uses that might be seen as ‘pushing the envelope’ in the same way as some non-banks. As such, we note that the discussion paper makes extensive references to financial institutions' use of data, but it is important that any examination of these issues cover all players, including non-banks.
Although innovative data uses will certainly increase over time, particularly with the Revised Payment Services Directive (PSD2) opening up access by third party providers to banks’ data, the protections of client confidentiality law and data protection will still apply.
2 - The General Data Protection Regulation
The General Data Protection Regulation (GDPR) has been entered into the Official Journal and will enter into force in May 2018. This is a significant evolution of the data protection regulatory framework, which firms, governments and indeed Data Protection Authorities (DPAs) are still considering. Domestic legislation and guidance from DPAs, the Article 29 Working Party and, once established, the European Data Protection Board (EDPB) still need to clarify key provisions such as (pseudo) anonymisation, data ownership and unambiguous consent which are still uncertain and need to be put in context in relation to the financial sector.
Furthermore, the GDPR contains provisions specifically designed to address the risks identified by the EBA.
This being the case, it is not clear which potential risks will crystallise in practice until the GDPR has been fully implemented and guidance is in place. Similarly, the benefits that emerge might not be as envisaged.
3 - Regulatory consistency and a level playing field
For innovation to occur, a level playing field and clear, stable rules of the game are required. This is already not the case. For example, the PSD2 requires banks to open up their customer data but does not create similar rules for third party providers, which are already subject to far less regulation and supervision.
We note that recent research suggests that SMEs and consumers do have a reasonable level of interest in services requiring the sharing of their banking data (such as aggregation), but that security was a key concern. Broadly, they expect any third party accessing their banking data to have bank level security and to be regulated. (See research available at https://www.ipsos-mori.com/Assets/Docs/Publications/marketing-open-api-barclays-2015.pdf )
Furthermore, PSD2, the Fourth Anti Money Laundering Directive (4MLD) and e-Privacy Directive all contain data protection provisions for specific circumstances. These provisions are in places inconsistent with the requirements of the GDPR, creating complexity for firms seeking to innovate and discouraging the development of new products and services.
There are certain situations in which very specific rules are required, such as security requirements to be set for data sharing under PSD2, but overall the GDPR sets up a cross-sectoral data protection framework that should be relied upon. Where clear gaps in specific sectors are identified, the appropriate approach is to engage DPAs and the EDPB rather than to create additional layers of rules independently. A clear and stable regulatory framework will help ensure beneficial innovation can take place.
We also anticipate the entry into the market of a range of new players. These are likely to include new online banks, as well as fintechs, social media firms, account aggregators and account comparison providers. This will be accelerated by the GDPR’s new right to ‘data portability’ and the data sharing requirements of PSD2 (see also comments on Risk 2, below). We anticipate that these new specialized players will be likely to advocate for access to additional types of data (for example customer profiles) going forward.
In order to ensure that consumers and businesses benefit from this emerging environment of increased data sharing with third parties, an effective set of rules is required, particularly to ensure strong security measures.
Lastly, we consider that cloud deployment by banks will boost innovation and facilitate big data customer analytics. This would create new opportunities for banks to provide innovative and tailored services to customers, thus improving users’ experiences.
Though exact market developments are hard to predict, we make a few high level observations:
- Increased data processing can enable better decision making by customers, based on insights that are more relevant, and provide them with additional personalised security tips. Behavioural analysis can enhance customer security by analysing such factors as location, device type and spending patterns to identify potentially fraudulent transactions.
- With regards to credit, we note an assumption by EBA that increased data processing will increase access to credit. This may not be the case; increased access to reliable data should improve lending decisions but this will in some cases involve denying credit to those that cannot afford it. Furthermore, if data is unreliable (eg: where derived from Facebook scraping) then results might not be accurate and customer detriment could result. Overall, any innovative use of customer data for lending purposes should be consistent with responsible lending principles.
As an example, though clearly important for the protection of customers’ information rights, data protection law can also create barriers to potentially beneficial innovation. For example:
- Prescriptive privacy notice obligations can require lengthy up front disclosures, which can risk customer disengagement and inhibit mobile technology for which limited screen space is available.
- Rules limiting the processing of ‘sensitive personal data’ can inhibit firms’ ability to build systems to proactively identify and assist customers in vulnerable circumstances.
Furthermore, there is for the time being uncertainty as to the interpretation of many GDPR provisions. These include for example:
- How outsourcing (‘controller-processor’) arrangements will work in practice.
- How data protection risk assessments will work.
Some banks may also be constrained by their IT systems. It may be either impossible or else prohibitively expensive to put in place some innovative data services.
The EBA correctly identifies a range of risks that exist for the processing of personal data by financial services institutions. It is worth noting that many of these are not specific to financial services and are relevant to other sectors’ data processing.
2 - Risks to customers and banks
In particular, as indicated above, existing data protection law is intended to address many of the risks identified by the EBA and the GDPR is intended to further mitigate them. For example:
- R1 – EBA is concerned about information asymmetries between firms and customers, but GDPR contains extensive requirements to explain how data will be used to data subjects. These include a requirement to provide detailed information up front to the customer about the data to be collected, how it will be used, who will be involved and how the customer can exercise his/her information rights (Articles 13 and 14).
- R2 – Consumers’ risk of being ‘locked in’ by their existing provider will be reduced by the new right under the GDPR to ‘data portability’ (Article 20), and also the framework for data transfers set up under PSD2. We also note that the ‘open banking’ work of the Open Banking Working Group and now the likely remedies of the Competition and Markets Authority are relevant in the context of the UK. (See footnote *)
- R3 – Misuse of data, as described by the EBA, is directly targeted by GDPR requirements:
o Disclosure obligations (see above)
o The requirement to have a legitimate basis for any data processing or onward transfer, though this does not necessarily require consent (Article 6)
o Rules limiting the use of data for new purposes (Article 6)
o Extensive rights to object to data processing and have data erased (Articles 17 and 21).
Sitting over the top of this is the overarching requirement that data processing be fair (Article 5). It is unlikely that the scenario in P 69-70 where firms over collect regulatory data and then on-sell it to third parties would be compliant with these rules, or indeed with other regulatory requirements such as AML (see MLD4, Article 41(2)).
- R4 – There is indeed a risk that inaccurate data could give rise to poor decisions by firms, particularly where data are scraped from social media. However, the GDPR requires that data be accurate and enables data subjects to dispute the accuracy of personal data held about them and to have errors corrected (Article 5(1)(d) and Article 16). More broadly, mis-selling might also occur if data analytics lead to inappropriate product recommendations or marketing. Firms and regulators will need to be alive to the importance of ensuring product suitability as these tools develop.
- P 73 – EBA highlights particular risks around profiling and the use of sensitive data. The GDPR contains provisions providing additional protections where sensitive data are to be processed or where profiling is to be used (Articles 9, 10 and 22).
- P 80 – GDPR’s rules will in most cases require firms to allow customers to challenge any automated decisions (Article 22).
These protections are backed up by the potential for significant financial penalties for breaches.
As noted above, it is correct to say that these risks exist. However, in considering the risks and possible response to them it is important to account for the existing / forthcoming regulatory framework. If and when potential gaps are identified, DPAs and the EDPB should be engaged in the first instance.
In the banking context there are wider reasons why some of the risks EBA identifies would not eventuate. As outlined above, customer trust is vital to banks’ business, requiring high levels of security and reliability. Therefore banks will not on sell customer data collected for regulatory purposes. Similarly, banks will not ‘spam’ customers because of the security risks created by sending emails to customers. Banks prefer instead to communicate online with customers via secure portals.
3 - Systemic risks
It is true that increased access to bank data by third party providers (TPPs), as per PSD2 and other developments, will impact more established firms such as banks. Customer data acquired by TPPs could be used to commit impersonation attacks on a bank or be otherwise misused. This could be done by the TPP itself or by another actor that hacks into the TPP’s systems. TPPs are not subject to the same regulatory controls as banks and may have less reliable security.
We note that there have been instances of large data breaches of online service providers and merchants which have already negatively impacted banks’ reputations, though these had not actually made any mistakes.
There are also risks against the data infrastructure, for example through DDOS attacks, though these are not necessarily within the EBA’s remit.
In this context, the protections and requirements of not only the GDPR but also PSD2 and the Network Information Security Directive are relevant.
More broadly, new attack vectors will appear as the market evolves. It is important that firms be free to innovate and adapt their own security, including through use of consumer data.
(* For information on the Open Banking Working Group, see http://theodi.org/open-banking-standard
See also the Competition and Markets Authority Provisional decision on remedies, particularly sections on APIs and data sharing from page 33. Available at: https://assets.publishing.service.gov.uk/media/573a377240f0b6155900000c/retail_banking_market_pdr.pdf )
1. In what capacity (i.e. consumer, financial institution, technology providers, etc.) have you had experience with innovative uses of consumer data?
The BBA is the leading trade association for the UK banking sector with 200 member banks headquartered in over 50 countries with operations in 180 jurisdictions worldwide. Eighty per cent of global systemically important banks are members of the BBA. As the representative of the world’s largest international banking cluster the BBA is the voice of UK banking.2. Based on your knowledge, what types of consumer data do financial institutions use most?
OVERARCHING COMMENTSThe EBA identifies in its Discussion Paper (‘the Paper’) a range of risks and potential benefits that exist around more sophisticated data processing and the use of non-traditional data sources such as social media. In discussing these issues, we wish to make some overarching points.
1 - Banking sector use of customer data
The Paper seems in many areas to be focussed on non-conventional data sources, such as social media sites, and on innovative uses of this data including big data analytics. However, it is important to remember that the bulk of banks’ data processing is for conventional purposes, such as:
- Processing customers’ transactions
- Regulatory compliance (eg: KYC checks, Treating Customers Fairly obligations, etc)
- Making lending decisions, including meeting responsible lending obligations
- Prevention of money laundering, fraud and other financial crime (eg: using mobile phone localisation when processing transactions)
- Using client feedback to improve customer services.
Similarly, although there is some limited use of social media-sourced data for fraud prevention purposes, the bulk of banks’ data are obtained from a small number of reliable sources, primarily:
- Credit ratings agencies (licensed and supervised entities)
- Regulatory sources such as Politically Exposed Persons lists
- From customers directly.
Banks are heavily regulated with regards to their conduct, capital and general risk management. This constrains the types of data processing they engage in. Similarly, though not something we would want to change, customer trust is central to banks’ business models. This limits banks’ appetite to develop innovative data uses that might be seen as ‘pushing the envelope’ in the same way as some non-banks. As such, we note that the discussion paper makes extensive references to financial institutions' use of data, but it is important that any examination of these issues cover all players, including non-banks.
Although innovative data uses will certainly increase over time, particularly with the Revised Payment Services Directive (PSD2) opening up access by third party providers to banks’ data, the protections of client confidentiality law and data protection will still apply.
2 - The General Data Protection Regulation
The General Data Protection Regulation (GDPR) has been entered into the Official Journal and will enter into force in May 2018. This is a significant evolution of the data protection regulatory framework, which firms, governments and indeed Data Protection Authorities (DPAs) are still considering. Domestic legislation and guidance from DPAs, the Article 29 Working Party and, once established, the European Data Protection Board (EDPB) still need to clarify key provisions such as (pseudo) anonymisation, data ownership and unambiguous consent which are still uncertain and need to be put in context in relation to the financial sector.
Furthermore, the GDPR contains provisions specifically designed to address the risks identified by the EBA.
This being the case, it is not clear which potential risks will crystallise in practice until the GDPR has been fully implemented and guidance is in place. Similarly, the benefits that emerge might not be as envisaged.
3 - Regulatory consistency and a level playing field
For innovation to occur, a level playing field and clear, stable rules of the game are required. This is already not the case. For example, the PSD2 requires banks to open up their customer data but does not create similar rules for third party providers, which are already subject to far less regulation and supervision.
We note that recent research suggests that SMEs and consumers do have a reasonable level of interest in services requiring the sharing of their banking data (such as aggregation), but that security was a key concern. Broadly, they expect any third party accessing their banking data to have bank level security and to be regulated. (See research available at https://www.ipsos-mori.com/Assets/Docs/Publications/marketing-open-api-barclays-2015.pdf )
Furthermore, PSD2, the Fourth Anti Money Laundering Directive (4MLD) and e-Privacy Directive all contain data protection provisions for specific circumstances. These provisions are in places inconsistent with the requirements of the GDPR, creating complexity for firms seeking to innovate and discouraging the development of new products and services.
There are certain situations in which very specific rules are required, such as security requirements to be set for data sharing under PSD2, but overall the GDPR sets up a cross-sectoral data protection framework that should be relied upon. Where clear gaps in specific sectors are identified, the appropriate approach is to engage DPAs and the EDPB rather than to create additional layers of rules independently. A clear and stable regulatory framework will help ensure beneficial innovation can take place.
3. Based on your knowledge, what sources of consumer data do financial institutions rely on most?
See comments under Q2.4. Based on your knowledge, for what purposes do financial institutions use consumer data most?
See comments under Q2.5. How do you picture the evolution of the use of consumer data by financial institutions in the upcoming years? How do you think this will affect the market?
Overall, we agree with the EBA’s assessment that there will be increased use of data to provide services and add value, along with increasingly powerful and efficient analytical tools and algorithms. These are likely to correlate with growing consumer expectations for personalised services and products, and ease of access. At the same time, consumers’ awareness of privacy, security and data protection is growing, which can be seen in the drive for data protection reform leading most recently to the GDPR.We also anticipate the entry into the market of a range of new players. These are likely to include new online banks, as well as fintechs, social media firms, account aggregators and account comparison providers. This will be accelerated by the GDPR’s new right to ‘data portability’ and the data sharing requirements of PSD2 (see also comments on Risk 2, below). We anticipate that these new specialized players will be likely to advocate for access to additional types of data (for example customer profiles) going forward.
In order to ensure that consumers and businesses benefit from this emerging environment of increased data sharing with third parties, an effective set of rules is required, particularly to ensure strong security measures.
Lastly, we consider that cloud deployment by banks will boost innovation and facilitate big data customer analytics. This would create new opportunities for banks to provide innovative and tailored services to customers, thus improving users’ experiences.
6. Do you consider the potential benefits described in this chapter to be complete and accurate? If not, what other benefits do you consider should be included?
New business models will likely emerge over time and it is impossible to predict exactly what these might be. It is therefore important to ensure a flexible approach is taken to ensure that new innovations can emerge.Though exact market developments are hard to predict, we make a few high level observations:
- Increased data processing can enable better decision making by customers, based on insights that are more relevant, and provide them with additional personalised security tips. Behavioural analysis can enhance customer security by analysing such factors as location, device type and spending patterns to identify potentially fraudulent transactions.
- With regards to credit, we note an assumption by EBA that increased data processing will increase access to credit. This may not be the case; increased access to reliable data should improve lending decisions but this will in some cases involve denying credit to those that cannot afford it. Furthermore, if data is unreliable (eg: where derived from Facebook scraping) then results might not be accurate and customer detriment could result. Overall, any innovative use of customer data for lending purposes should be consistent with responsible lending principles.
7. Are you aware of any barriers that prevent financial institutions from using consumer data in a beneficial way? If so, what are these barriers?
A range of regulatory requirements are relevant, with the details depending on the exact nature of the data and processing in question.As an example, though clearly important for the protection of customers’ information rights, data protection law can also create barriers to potentially beneficial innovation. For example:
- Prescriptive privacy notice obligations can require lengthy up front disclosures, which can risk customer disengagement and inhibit mobile technology for which limited screen space is available.
- Rules limiting the processing of ‘sensitive personal data’ can inhibit firms’ ability to build systems to proactively identify and assist customers in vulnerable circumstances.
Furthermore, there is for the time being uncertainty as to the interpretation of many GDPR provisions. These include for example:
- How outsourcing (‘controller-processor’) arrangements will work in practice.
- How data protection risk assessments will work.
Some banks may also be constrained by their IT systems. It may be either impossible or else prohibitively expensive to put in place some innovative data services.
8. Do you consider the potential risks described in this chapter to be complete and accurate? If not, what other risks do you consider should be included?
1 - Initial commentsThe EBA correctly identifies a range of risks that exist for the processing of personal data by financial services institutions. It is worth noting that many of these are not specific to financial services and are relevant to other sectors’ data processing.
2 - Risks to customers and banks
In particular, as indicated above, existing data protection law is intended to address many of the risks identified by the EBA and the GDPR is intended to further mitigate them. For example:
- R1 – EBA is concerned about information asymmetries between firms and customers, but GDPR contains extensive requirements to explain how data will be used to data subjects. These include a requirement to provide detailed information up front to the customer about the data to be collected, how it will be used, who will be involved and how the customer can exercise his/her information rights (Articles 13 and 14).
- R2 – Consumers’ risk of being ‘locked in’ by their existing provider will be reduced by the new right under the GDPR to ‘data portability’ (Article 20), and also the framework for data transfers set up under PSD2. We also note that the ‘open banking’ work of the Open Banking Working Group and now the likely remedies of the Competition and Markets Authority are relevant in the context of the UK. (See footnote *)
- R3 – Misuse of data, as described by the EBA, is directly targeted by GDPR requirements:
o Disclosure obligations (see above)
o The requirement to have a legitimate basis for any data processing or onward transfer, though this does not necessarily require consent (Article 6)
o Rules limiting the use of data for new purposes (Article 6)
o Extensive rights to object to data processing and have data erased (Articles 17 and 21).
Sitting over the top of this is the overarching requirement that data processing be fair (Article 5). It is unlikely that the scenario in P 69-70 where firms over collect regulatory data and then on-sell it to third parties would be compliant with these rules, or indeed with other regulatory requirements such as AML (see MLD4, Article 41(2)).
- R4 – There is indeed a risk that inaccurate data could give rise to poor decisions by firms, particularly where data are scraped from social media. However, the GDPR requires that data be accurate and enables data subjects to dispute the accuracy of personal data held about them and to have errors corrected (Article 5(1)(d) and Article 16). More broadly, mis-selling might also occur if data analytics lead to inappropriate product recommendations or marketing. Firms and regulators will need to be alive to the importance of ensuring product suitability as these tools develop.
- P 73 – EBA highlights particular risks around profiling and the use of sensitive data. The GDPR contains provisions providing additional protections where sensitive data are to be processed or where profiling is to be used (Articles 9, 10 and 22).
- P 80 – GDPR’s rules will in most cases require firms to allow customers to challenge any automated decisions (Article 22).
These protections are backed up by the potential for significant financial penalties for breaches.
As noted above, it is correct to say that these risks exist. However, in considering the risks and possible response to them it is important to account for the existing / forthcoming regulatory framework. If and when potential gaps are identified, DPAs and the EDPB should be engaged in the first instance.
In the banking context there are wider reasons why some of the risks EBA identifies would not eventuate. As outlined above, customer trust is vital to banks’ business, requiring high levels of security and reliability. Therefore banks will not on sell customer data collected for regulatory purposes. Similarly, banks will not ‘spam’ customers because of the security risks created by sending emails to customers. Banks prefer instead to communicate online with customers via secure portals.
3 - Systemic risks
It is true that increased access to bank data by third party providers (TPPs), as per PSD2 and other developments, will impact more established firms such as banks. Customer data acquired by TPPs could be used to commit impersonation attacks on a bank or be otherwise misused. This could be done by the TPP itself or by another actor that hacks into the TPP’s systems. TPPs are not subject to the same regulatory controls as banks and may have less reliable security.
We note that there have been instances of large data breaches of online service providers and merchants which have already negatively impacted banks’ reputations, though these had not actually made any mistakes.
There are also risks against the data infrastructure, for example through DDOS attacks, though these are not necessarily within the EBA’s remit.
In this context, the protections and requirements of not only the GDPR but also PSD2 and the Network Information Security Directive are relevant.
More broadly, new attack vectors will appear as the market evolves. It is important that firms be free to innovate and adapt their own security, including through use of consumer data.
(* For information on the Open Banking Working Group, see http://theodi.org/open-banking-standard
See also the Competition and Markets Authority Provisional decision on remedies, particularly sections on APIs and data sharing from page 33. Available at: https://assets.publishing.service.gov.uk/media/573a377240f0b6155900000c/retail_banking_market_pdr.pdf )