Foreword: strategy and policy dimensions of consumer data

In an online digital environment consumer data comes in all shapes and forms: personal data, rec-ords and history across a wide span of life events, including mails and interactions and patterns thereof, but also photos, videos and soundtracks, biometrics as well as contextual behavioural pat-terns (e.g. strokes on a keyboard). Such data is increasingly generated by machines (sensors, termi-nals, GPS signals…).
In an online digital environment consumer data is acquired by an almost infinite range of parties: of course government and related entities, financial service providers, health services and utility providers, merchants and retailers, travel and entertainment providers, social media platforms, hackers… The amount of data acquired is foreseen to continue and grow vigorously in years to come.
The sum of consumer data acquired can be categorised into primary and secondary markets. The former is constituted of data acquired for a specific, well defined purpose, usually enabling the issuing consumer to immediately perform a transaction: access a service, purchase a good or ser-vice…. The latter encapsulates the usage of consumer data beyond that specific and well defined, initial purpose, either by the initial acquirer of such data, and/or by (an)other part(y)ies. In this secondary market data may be agglomerated, anonymised or not, transmitted (sold) to other par-ties.
Consumer data is acquired and processed to enable parties to make decisions, and/or to prompt a decision. Acquisition and use of consumer data may be a legal requirement (e.g. compliance with CDD, AML/FATF).

The emergence of massive consumer data is – with e.g. the mobile, cloud architectures, open source software – one of the macro-forces that today reshape society and business. Consumer data in the online digital environment raises 3 types of challenges for the (in particular: European) poli-cy maker – notably in the context of the secondary market described above:

• One objective traditionally at the forefront of the policy maker’s preoccupations is consumer protection. Several pieces of legislation apply, the most recent one being the just published and soon to be transposed General Data Protection Regulation (GDPR). The GDPR requires that consent to process sensitive data be explicit. The consumer (aka: data subject) is furthermore granted the right of erasure and the right to data portability. The consumer also has the right not to be subject to a decision solely based on profiling that produces legal effects concerning him/her and significantly affects him/her. Whilst the GDPR certainly raises the bar for con-sumer protection, one may wonder how much it takes account of the consumers’ increasing demand for personalised services, fuelled by the mobile and one-to-one communication revolu-tions.

• Whilst the GDPR holds the promise of an increased harmonisation of data protection legisla-tion in the EU, for businesses it also becomes as significant as antitrust or anti-corruption leg-islation in terms of compliance risk. Yet business’ challenges do not stop here. From the policy maker they expect responses that encompass how to enable a competitive business value chain, allow to innovate at higher pace, and at lower cost, in a geographical context which cannot be limited to the EU, and against a background of business boundaries which become increasingly blurred (and leave regulators and supervisors helpless at times), with e.g. non-financial data used to inform financial decisions by non-supervised providers. In particular fi-nancial institutions who are traditionally custodians or stewards of sensitive client data – and who are well aware of their responsibilities and their impact on their reputation, beyond any law or contractual obligation – have a requirement for clarity and stability in terms of consum-er data.
The transposition of the revised Payment Services Directive (with the acknowledgment of payment initiation and account information service providers) already opens a long period of uncertainty, which will only close once the conditions for interaction with the new providers will have been set. Yet the rest of the world remains impervious to these developments, and platforms, social media, handset manufacturers and software developers worldwide increase their footprint day by day and acquire, use and exchange consumer data, regardless of locations (theirs, and/or their customers’). Creating a genuine level playing field should certainly contin-ue to top the legislator’s agenda.
Against such a background, would it be appropriate for the European legislator to contemplate now further steps in the field of consumer data? The grounds for policy maker concerns – con-sumer consent, data ownership and transfer, security of data, system resilience of system, data sharing, i.a. - are unlikely to vanish in the short term. Yet most of such concerns can be ad-dressed through the GDPR and other initiatives, such as the NIS Directive and the announced Commission proposal on flow of data and European cloud. Last but not least, there is also the existing European competition law which provides the appropriate safeguards, in particular be-cause consumer data processing (notably in the secondary market described above) presents all the characteristics of a network industry.
The policy imperative is to view consumer data as a new asset class, at a par with e.g. deposits – this is actually what financial institutions have traditionally been doing. Failing this, consum-er data could rapidly be turned into a utility, which certainly would not help establishing Eu-rope as one of the leading digital societies.

• A third policy maker objective will no doubt be to maximise societal utility with a longer term perspective. Apt use of consumer data holds vast potential for e.g. enhancing societal inclu-sion, through e.g. opening further access to affordable credit. But there are at least 3 precondi-tions for harnessing this potential. First, policy makers should sponsor public awareness cam-paigns extolling the benefits of the movement towards a digital society, at the same time edu-cating citizens to enhance their confidence by making them more risk-savvy. Second, policy makers should facilitate a balanced dialogue between consumers and data controllers and pro-cessors in order to develop a general understanding of the boundaries for which e.g. financial institutions can use consumer data for business purposes. Third – but not least – the policy maker is invited to recognise the dearth of European data and analytics talent, and with a sense of urgency develop policies to train and retain the resources needed by European indus-try.

In sum, there is no need (except for the barriers mentioned under Q7 below) for any regulatory nor supervisory action regarding the innovative of consumer data, on one side due to the re-cently published and not yet transposed GDPR, which is expected to adequately protect con-sumer rights, on the other as regulatory action affecting solely the financial sector wouldn’t make sense in a domain where many business boundaries overlap and an ever increasing num-ber of players and intermediaries are involved in any value chain.

These responses are submitted by ESBG as banking association, yet with direct input from its Members. ESBG Members have most experience with innovative use of consumer data in the context of tailor-made offers and more generally product and service marketing and advertising.
Currently financial institutions use most both structured personal information provided voluntarily, data extracted from transactions, as well as semi-structured personal infor-mation. Types of data used most by savings and retail banks in Europe are (the list below is for illustration, not exhaustive):
A. Identity data (information on the person of the consumer)
- Name: first name, last name, title
- Person: gender, date of birth
- Address: street, number, city, ZIP code
- Phone: home, mobile
- E-mail: personal, work
- Social networks: Facebook identifier, Twitter address, LinkedIn identifier
- Account: details of account IDs or user IDs
- Occupation: company, department, job title
B. Descriptive data (further information communicated by the consumer to a financial in-stitution to obtain a certain financial product or service)
- Family: marital status, number of children, age of children
- Finances: salary, outstanding loans
- Lifestyle: property type, car type, pet ownership…
- Career: general profession, education level
C. Quantitative data (information around the bank account and related activities as well as behavioral data)
Data collected varies depending on banking models and on national legislation but may include e.g.
- Transactional (online and offline): actual products, order/subscription value, or-der/renewal dates, product abandonments (abandoned baskets), etc…
- Communication (inbound and outbound): communication data, communication channels, click history
- Online activity: website visits, product views, online registrations, etc…
- Social network activity: for instance, Facebook likes, Twitter interactions, etc…
- Customer service: details of complaints, customer query details, etc…
D. Qualitative data ((information gained through consumer surveys and questionnaires)
- Attitudinal data: consumer preferences, satisfaction with products/services
- Consumers’ opinions: range of questions, e.g. favorite holiday destination or favor-ite color
- Consumer motivation: for choosing and purchasing a certain product or service
Sections 36 and 37 of the Discussion Paper present a fair overview of the sources of con-sumer data. One could add innovative sources such as behavioral data derived from e.g. keyboard stroke patterns when using online banking.
Generally speaking savings and retail banks use 2 sources of data:
- Traditional internal sources: such data result from the contractual relationship with the consumer (and usage should be possible within the group of the data proces-sor).
- External data sources (such as public registers and third party providers). Public registers can be for instance credit registers or insolvency registers. Data from other sources or third party providers which are publicly available can also be used (yet more rarely so). Such data may complement existing if necessary for a specific con-sumer.
Section 39 of the Discussion Paper presents a fair overview of the purposes of the use of consumer data by financial institutions. One should add a specific reference to risk man-agement, notably in the context of transactioning, where profiles and patterns contribute to mitigate in particular fraud.
For illustration (the list below is not exhaustive), savings and retail banks use consumer da-ta for the following purposes:
- Creditworthiness assessments
- To develop credit risk policies or models
- Tailor-made commercial offers taking into account the consumer’s individual situa-tion and interests
- Marketing purposes such as an improvement of the consumer experience, i.e.:
o Customer segmentation
o Market share analysis
o Pro-active marketing campaigns
o Relationship management
- To detect and prevent fraud and anomalies
- To comply with anti-money laundering and KYC obligations
In coming years the use of consumer data by financial institutions will change in both scale and scope. Indeed many financial institutions acknowledge that today only a small portion of data is effectively used. Market research finds that only half of banks analyze customer external data and less than 1/3 analyze “share of wallet”. In addition, financial institutions must be expected to gradually overcome current constraints (dearth of analytics talents, or-ganizational silos, IT limitations, complexity of structuring big data sets).
With many more financial institutions being capable of harnessing consumer data, competi-tion will shift again, and financial institutions able to efficiently retrieve (and when relevant provide to customers) “just the right information at the right time” (often meaning: in real time) will stand out.
Portfolios of financial institutions will contain specific short term and personalized prod-ucts (reflecting life style, life events and preferences). Better decisions will increase compe-tition in pricing due to lower risk contingencies and increase speed to market. The majority of interactions will occur through digital channels where advanced analytics will play a key role. A focus on innovative usage of consumer data may open the doors to fintechs and disrupt current business models. The sketched scenario of a customer centric (rather than strictly product oriented) model more focused on the customer journey and relevant life events very much depends on alleviating the barriers described under Q7 below. In future the market could also feature real time self-learning models (such as stock forecasts based on predictive algorithms) and increased customization options.
The headlines contained in this chapter cannot be disputed. What is however far from cer-tain is how they will play out. Indeed, as highlighted earlier in this response, harnessing consumer data in a useful manner first requires investing in both systems and skills. Fur-thermore, the very existence of consumer data exploitation enables a movement in the di-rection of “segments of one” (with real-time offers – which will of course be both geo- and time-specific), where competition will be in terms of product relevance. Hence there is not necessarily across the board a direct relation between use of consumer data and reduction in costs.
Some of these barriers have already been referred to earlier in this response: dearth of ana-lytics talents, organizational silos, IT limitations, complexity of structuring big data sets. In addition, a certain amount of uncertainty may prevail as to exactly what type and source of data may be processed in compliance with applicable legislation – in particular in a cross-border/multi-country context.
On one side, the purpose limitation principle introduced by European data protection law (and reflected in the national laws of Member States) prevents financial institutions from using consumer data collected in the course of fulfilling contractual or legal obligations for other purposes. In parallel to the introduction of the non-incompatible legitimate purpose clause in Art. 6 para. 4 of the General Data Protection Regulation (applicable from 25 May 2018 onwards), industry specific exemptions should be granted to allow for the re-use of consumer data without the need for data subjects’ consent. On the other side, the existing banking secrecy obligations in some parts of Europe might create a barrier as internal bank-ing secrecy hinders the use of consumer data for other than regulatory purposes. It is sug-gested that the Commission works with Member States towards a harmonized approach in this respect.
A significant barrier has also been created by GDPR Art. 22, as fully automated processing would be prevented (there being a right to obtaining human intervention). This will jeop-ardize the possibility to take personalized decisions in real time, thus depriving consumers from one of the most beneficial effects of using their data.
From an intellectual perspective the potential risks described in this chapter would be complete. However it would be in most circumstances very complex to infer a specific “detriment” to a given consumer from an information asymmetry, misuse of data, or wrong information.
A contrario, data security, reputational and new entrant risks are very real risks, which are taken very seriously by financial institutions – as (should they materialize) these risks could indeed undermine the integrity of the financial sector. Furthermore, missing from the risk description is the fact that not all participants in the consumer data market are supervised and regulated, and that e.g. transaction data may be spread by others than financial institu-tions. To adequately protect consumers, it should be ensured that (risky) financial services related to data innovation are only offered by entities who provide the same level of pro-tection and security as regulated and supervised financial institutions.
A linkage between dependency on use of consumer data as a source of revenue and the in-tegrity of the financial sector should also for the foreseeable future be viewed strictly as a very hypothetical risk.
As stated above these risks have not materialized yet. However financial institutions must remain very alert vis à vis data security, reputational and new entrant risks – in particular in the context of the transposition of the revised Payment Services Directive.
[Trade association"]"