BEUC, the European Consumer Organisation, represents 42 independent national consumer organisations from 31 European countries (EU, EEA and applicant countries). BEUC acts as the umbrella group in Brussels for its members and our main task is to represent them at European level and defend the interests of all Europe’s consumers.
The issue of personal data protection, regardless of the sector involved, is one of the top priorities for BEUC and its members. In this respect, we are actively involved in the current discussions on the digital single market in its different dimensions: from connected products to the collaborative economy, from smart appliances to demand-response energy schemes.
Data is considered the new gold. So digital giants like Google, Facebook, Apple, Amazon, as well as other service providers strive not to miss the gold rush. Consumers’ online behaviour is continuously tracked and recorded, while it becomes increasingly difficult to stay offline and anonymous. With the explosion of digital technology and connectivity, financial and non-financial institutions strive to collect more and more consumer data in an attempt to predict with a high level of accuracy consumer preferences, future behaviour and risk profile. Your banker or car insurance provider, without forgetting all types of service providers like private credit registers that collect personal data without your knowledge, probably know more about you than you would expect. Financial institutions use consumer data of both non-financial and financial nature.
At the same time, it is difficult to know exactly what consumer data financial institutions are already using, which is part of the problem itself.
Test-Achats, our Belgian member, has been contacted by several consumers who were surprised by their bank's requests to access data stored on their mobile phone when installing an m-banking app (see attached file that lists the different access requests from some major banks operating in the Belgian market). One may wonder, for example, about the relevance of access to contacts or pictures.
A Which? magazine investigation in 2011 found that personal details such as name and email address were being sold for as little as 6p but if additional information, such as your occupation, what car you drive and where you live, is added the value of this information rockets. Personal details could be worth thousands of pounds if sold to numerous other companies. One UK car insurer was found to make 5% of its profits from selling on the details of customers who had been involved in accidents.
Both internal and external sources of consumer data are used by financial institutions. With the new developments, there seems to be a trend towards using more external sources.
Financial institutions are also obtaining more consumer data by expanding their interaction with consumers, for instance through additional services like budgeting programmes or via social media.
When commenting on potential benefits and risks to consumers, we set out BEUC’s views about the objectivity and validity of data used by financial institutions.
Financial institutions use consumer data for various purposes, including:
- To make credit risk assessment;
- To select profitable customers and exclude those who are financially not interesting;
- To segment offers made to targeted customers based on their profile;
- To send personalized offers of investment products to consumers who have large deposits;
- To sell data to data brokers for use by other industrial sectors based on the customers’ financial profile.
B1-B2 - In an attempt to boost their income, banks and other financial firms try to find other revenue streams. One such new development is the use of banking channels to promote non-financial goods and services. Banks partner with retailers and marketing companies to market their goods to bank customers based on their past spending behaviour. This practice is widespread on the other side of the Atlantic, and has apparently started to emerge in the UK. For example, if the consumer bought a new pair of shoes, he could find in his online account statement an ad from a rival company offering a coupon or gift card. Or after you have bought a smart TV, your bank may suggest a high-speed internet offer to you. In the US, bank customers are usually automatically enrolled into such schemes, without explicit consent having been given.
With growing digitalisation, the use of smartphones and social media, consumers’ online behaviour is continuously observed by all kinds of traders and they are flooded with general and targeted advertising, which is mostly considered as spam. Do consumers need to find such spam when they log in to their online banking? Is that a service expected from financial institutions? Do consumers wish a third party to spy on and scan all their payment transactions and advise what the next purchase should be?
We strongly disagree with the claim that targeted ads from banks’ trading partners constitute a benefit to consumers. Such developments would certainly not be desirable in the EU. First, unsolicited spam should be banned. Second, the practice would pose privacy and security concerns: third parties have full access to the consumer’s payment transactions and shape his future spending behaviour. Even though the industry pioneers claim that the data is anonymised and the consumer’s identity is not revealed to third parties, the fact is that a person can be relatively easily identified by putting together data elements from different sources. In this context it is important to stress that consumers should always have the freedom to fully protect their privacy.
And most importantly, consumers’ expectations from financial institutions are different: they want simple and transparent financial products, unbiased sales practices and fair treatment with regard to their finances.
The comparability of products with so many additional offers attached is also questionable. Additionally, mobility might also decrease because getting out of a part of a package might worsen the conditions of the remaining package.
B3 - The use of consumer data in lending is not new. Lenders need sufficient information to conduct accurate creditworthiness assessment, i.e. to check whether the potential borrower can afford to repay the loan.
BEUC strongly supports the principle of responsible lending that is provided for by the Mortgage Credit Directive, and advocates for the same principle to apply to personal loans. A key question is the following: what information is needed to assess the borrower’s creditworthiness?
Banks, credit unions and other traditional lenders conduct such assessments based on information and documents directly provided by the borrower, plus data registered by third parties (public credit registers, private credit bureaus). More recently, some lenders, especially online providers such as peer-to-peer lending platforms, have been using alternative information sources (web and social media profiles). Recently Facebook patented a technology that could be used by lenders to determine whether the borrower is a good credit risk, based on credit scores of his/her Facebook friends. Later on, though, the social network giant opted to limit the amount of information available to third-party services, perhaps following the hint by the US Federal Trade Commission that the company could be regulated as a consumer-reporting agency, which was not yet the case.
Depending on the EU country, consumer credit data is collected and registered by public credit registers or private credit bureaus. The sector is strongly regulated in some Member States, where only public registers exist and collect minimum data related to consumers’ pending and/or delayed credit commitments (positive and negative data). For example, Belgian, French and Slovenian registers are managed by these countries’ central banks and aim to fight against over-indebtedness. The French register contains only defaults of payment. There was a legislative attempt to expand the register to all loans being held by consumers (our French members were against that proposal), but the Constitutional Court opposed it.
The Belgian register records all loans held by a consumer. Lenders are pushing for the credit register to contain other data related to consumer contracts; our Belgian member, Test-Achats, is totally opposed to this.
On the other side, private credit bureaus (also called credit reference agencies) like Experian, Equifax, and Creditinfo are present in many EU countries and collect extensive information on consumers’ financial and non-financial commitments that they sell to lenders and non-financial service providers. Furthermore, in many countries several credit bureaus compete with each other.
Link between the amount of data and responsible lending: Credit bureaus claim that collecting more data on individual consumers contributes to a more accurate creditworthiness assessment by lenders. Yet, the reality seems to be different. FSUG (The Financial Services User Committee of the European Commission) recently conducted an investigation to assess the role of credit bureaus in responsible lending and prevention of over-indebtedness. One of the key findings was that “… no clear link exists between the frequency of arrears in the different EU countries and the extent of credit data used. France, Spain, Finland, Portugal, Belgium and Austria have similar frequency of arrear levels with a limited use of credit data. The United Kingdom, the Netherlands and Germany also have comparable frequency of arrear levels with a very high use of different credit data. On the other hand, countries such as Poland have very high arrear levels while the use of credit data is high; Cyprus has a very high arrear levels while the use of credit data is relatively low.” The FSUG concludes that the level of arrears is much more dependent on other variables such as employment, income and social policies than on the depth and breadth of credit data used.
Link between the amount of data and lower interest rates: The claim that increased and “innovative” use of data for creditworthiness purposes improves access to more affordable credit for consumers is also questionable. For example, a US study carried out by the National Consumer Law Center (NCLC) assessed, inter alia, whether the use of big data actually improves the choice for consumers in the area of credit. The authors tested a number of claims made by big data proponents, such as: multiplying the number of variables will expand access to borrowers with thin credit files; by using a constellation of factors to price credit, the cost of credit will be reduced for low-income borrowers, thus enabling lenders to provide lower-cost small loans as alternative to payday loans. The study concluded that big data is a big disappointment and does not live up to its big promises. The use of big data in the lending area does not appear to result in more affordable products for low-income consumers. While some loans are marginally better, for the most part, credit products using alternate data are just as expensive as payday loans.
Some scoring assumptions, although statistically relevant, can also be detrimental for consumers who act responsibly. Examples are lower scores for consumers without a credit history, or for consumers who hold an overdraft facility and a credit card only for liquidity emergencies but do not use them for their daily consumption. Such detriment increases as more assumptions are used in the creditworthiness assessment.
Consumers not in control of their data: There are also issues around how credit registers handle and process consumer data. Frequent problems experienced by consumers include: inaccurate data that adversely affects the consumer’s credit application, difficulty for consumers to access and correct inaccurate data about themselves, opaque credit scoring mechanisms, and automated processes without human intervention. In addition, in some countries consumers are incentivised to borrow more to build their credit score, i.e. potential borrowers are judged on their capacity to borrow and refund, rather than capacity to save money. A recent awareness campaign by our UK member Which? informed consumers about various aspects and their rights related to credit scores. German consumers complain about opaque scoring mechanisms applied by credit bureaux, as well as the difficulty of understanding assessments. According to BEUC’s German member vzbv, consumers’ ability to repay a loan must be evaluated based on valid criteria, and should never depend on whom they are friends with on social networks, what they like to shop for or what apps they install. It also sees a need for wrong assessments to be corrected.
BEUC considers that most of the above issues could be addressed based on a holistic analysis and appropriate measures by policymakers. We believe it is the right time to conduct an in-depth analysis covering the following questions:
• What data is necessary and sufficient to assess the borrower’s ability to repay a loan?
• What is the role of credit bureaus and do they perform their role appropriately?
• Is it appropriate that consumers’ credit data is controlled and traded by third-party commercial entities?
BEUC’s suggestion: In our view, all the information (income and expenses) necessary for creditworthiness assessment can be found on the consumer’s bank/payment account statement. This information is objective and should allow the lender to conclude whether the borrower has sufficient and stable income, whether the level of the loan-to-income ratio is appropriate, whether the consumer already has other pending mortgage credit or personal loans, including payment arrears, and what other financial and non-financial commitments exist (rent, utility bills, insurances, etc.). We see no reason to add other data elements, which are likely to be subjective and increase the risk of wrong assessment of the consumer’s financial situation. The information derived from the account statement (covering a sufficiently long period of time, e.g. one year) can be provided directly and quickly by the consumer to the lender, including new types of lenders such as peer-to-peer platforms, in a friendly format – digitalisation and new technologies should help with that. Data belongs to the consumer; it should not be collected, controlled and traded by private credit bureaus, which results in much consumer detriment.
B4 - Financial products which are better adapted to each consumer’s needs are welcome. Regrettably, recent financial scandals in different EU countries revealed that consumers are often tricked by financial firms into buying unsuitable or toxic products (see for instance FX loans crisis in Eastern, Central and Southern Europe, PPI mis-selling in the UK, advice that does not fit the retail investor’s profile, etc.). So far the financial sector has not proved that selling products tailored to its customers' needs really forms part of its priorities; quite the contrary. Technology advances do not always focus on consumers’ needs nor do they always provide consumers with more control over the products they use (e.g. blocked cards, forced NFC, rigid bank account or credit packages).
In that context, BEUC calls for the market failures that cause most financial consumer detriment to be tackled. Thus, sales incentives in retail investments must be banned, otherwise investment distributors will never put the consumer’s interest first.
As regards the use of data, we believe that more intelligent analysis of consumer data by providers may help them adapt financial products to each consumer’s specific needs. This is still a new trend, which implies that more time is needed to assess potential benefits and detriments, if any.
The midata scheme in the UK looks promising in that respect. The tool jointly launched by several banks helps consumers to choose a current account better adapted to their needs. To use the service, the consumer needs to download his data from his online banking in a specific format, and then upload the data on the dedicated website. The site then produces an account comparison based on the consumer’s personal data and displays the amount he could earn - or lose - if he switched to any of the accounts on the market. This type of tool could also potentially be used to help consumers to choose other financial services.
B5 - Before talking about ‘better advice’, it should be mentioned that most consumers have never received any financial advice from their financial institutions and are only in contact with pure salespeople. Cases of mis-selling and of misleading information that led many consumers to severe financial detriment are present all over the EU. This helps to explain why financial services have had the lowest rating in the EU consumer scoreboard for many years.
We are not convinced that more extensive analysis of consumer data (e.g. payment data) by financial institutions could enable financial institutions to provide better advice to consumers, tailored to their specific needs: financial institutions should first change their model, i.e. put their customers' interests at the centre of their business, which is far from being the case.
Today, consumers in the EU are not getting the advice they really need when looking for mortgages, insurance or seeking to better invest their savings, and they are too often recommended products they do not need (e.g. a bank account which is too sophisticated or bundled products). Especially in the retail investment area, the low quality of advice has been documented widely, both by our members and by public authorities. Third-party commissions or in-house sales incentives tend to steer consumers towards overly complex and expensive retail investment products, often not suitable for their risk profile.
BEUC is in favor of introducing measures to develop independent and unbiased financial advice outside of the financial sector.
BEUC considers that getting advice in financial services, in all its different forms, will be one of the areas where consumers may potentially benefit a lot from smart technology, if designed well. BEUC's response to a recent EBA consultation on automated advice set out our views regarding potential benefits and challenges to consumers. For example, one of the key factors determining market outcomes will be the quality of the algorithm guiding consumers through the advice process. Regulatory oversight of the software involved is therefore crucial, as all the features of unsuitable “human” advice (e.g. a product bias toward unsuitable products because of commissions) can easily be mimicked by an algorithm. It should be noted that the quality of the algorithm will become increasingly important in retail finance and influence the consumer experience in general, as traditional providers and fintechs invest heavily into such tools and rely on them to process and interpret massive volumes of data.
More generally, potential benefit B5 as described by EBA is very similar to B4, and thus requires more time to assess the impact on consumers.
B6 - Budgeting tools that give consumers better insight into their financial situation can be beneficial. Many tools of this kind are already present on the market in different EU countries, the so-called ‘account information services’ regulated by the revised Payment Services Directive.
We are not certain that banks are the most appropriate suppliers for these services. For example, BEUC’s Spanish member OCU developed an app called Mooverang that helps consumers to better manage their money. Mooverang analyses the data on the consumer’s bank account(s) in order to improve their financial situation by matching the user’s consumption data with OCU’s market data, and sends unbiased recommendations to the user. The app detects the potential savings in the main spending categories (utilities, financial products, petrol station, etc.) and automatically informs the user.
At the same time, one should be cautious here. The same technology that warns someone not to overspend in a nearby store can also be used to encourage them to spend as much as possible.
B8 - Security of payments is very important for consumers and payment service providers alike. We agree that the use of consumers’ transactional and behavioural data by financial institutions can contribute to detecting unusual transactions and preventing fraud from happening. Behaviour-based fraud prevention is already being performed by payment service providers such as card schemes. Those techniques may be efficient to block potentially fraudulent transactions, for example, where the transaction is initiated from an unusual place, country or IP.
On the other hand, users are sometimes unfairly penalised due to automated behaviour-based techniques. For example, many consumers complain that their credit card gets blocked by the issuer when making payments outside the EU, sometimes without any prior notice. Getting the card unblocked is usually a huge inconvenience and has a cost for the consumer, not to mention the fact that the consumer may run out of money and his holiday or business trip may be put at risk. It can lead to major consumer detriment. Therefore, we believe that fraud prevention should in any case involve human intervention on behalf of the financial institution. Whenever the financial institution considers blocking a payment instrument upon suspicion of a fraudulent transaction:
• It should immediately contact the consumer to check whether the transaction had been authorised or not;
• The responsibility for reaching the customer should lie with the financial institution;
• The procedure for unblocking the payment instrument should be available 24/7 and easy to reach from anywhere around the world;
• The procedure for unblocking the payment instrument should be based on advanced identification and security check, which should be easy to fulfil on the one hand from abroad but enough to ensure authenticity on the other.
UK member Which? recently launched a Safeguard us from scams campaign. The campaign calls on the UK government to put more pressure on companies to protect their customers from the increasingly sophisticated tactics of fraudsters, and not leave the onus solely on consumers to protect themselves. An overwhelming majority of people (85%) think companies must take an equal or greater responsibility in protecting us from online scams.
Which? found that 62% of consumers say they have been targeted by online fraudsters in the past 12 months, with the most common types of scam and fraud being:
• Phishing emails - emails purporting to be from a bank or payment service;
• Phishing messages that seek money for services/help, e.g. a friend stuck abroad; and
• Bogus computer support.
The prevalence of scammers posing as financial institutions shows the need for this issue to be tackled in this sector as well as other areas. We believe companies need to do far more to safeguard consumers from scams and should bear the cost where their weaknesses have left customers’ money vulnerable.
Our German member vzbv indicated that insecure procedures for using data may weaken the security precautions of behaviour-based fraud prevention if fraudsters get access to this data. For example, options to pay by using the online-banking PIN code may invite consumers to use this credential more openly. Scams may then cause consumers to enter this highly sensitive code into a fraudulent website. While no payments can be made with a PIN code alone, the data provided on the account will become repeatedly accessible and may be stored and abused later, for instance to mimic the typical payment behaviour of that user with a lost or stolen payment instrument. Apart from the breach of privacy, this may cause further security leaks and cases of identity theft by allowing fraudsters to open new accounts on behalf of the rightful account holder: a number of services still send tiny payments with a code to check whether a new customer actually has access to a certain payment account and may thus be authenticated by it.
R1 (11-12-13): We fully agree with the risks described above.
Financial and non-financial service providers must respect EU data protection law, in particular the rules on ‘purpose limitation’ (data must not be used for purposes which are incompatible with the original purpose that justified the initial data collection) and ‘data minimisation’ (service providers should not ask for more data than is necessary for the provision of the service). Consumers also need to be well informed and receive transparent information on how their data is used and processed.
If a financial institution is using data or intends to use data that has not been provided directly by the consumer or that does not come from its direct relationship with the consumer, this needs to be made clear to the consumer, and there needs to be a balance between the legitimate interest of the financial institution in using external sources of data and the impact on the consumer's rights and freedoms.
R 1 (14) - As automatic credit scoring is not a new development, there is evidence of related consumer detriment. See our comment on B3.
R 2 (16) - The new EU data protection law provides the consumer with the right to receive his personal data from his financial service provider, as well as to request the provider to transmit the data directly to another provider, where technically feasible. This will allow the consumer to e.g. receive customized current account offers from other banks, based on his real situation, spending/saving patterns and future needs, and compare products across the market. As already mentioned above, solutions similar to Midata in the UK can benefit consumers and competition, as they may facilitate product comparability and switching.
R3 (17-20) - The above risks are accurately described by EBA, though the risk of misuse of data is not new and not necessarily related to innovative uses of consumer data by financial institutions.
Consumer trust in financial service providers is crucial, and is difficult to restore once broken. As already stated above, service providers must respect EU data protection law.
As regards the EU anti-money laundering rules, BEUC is in favour of harmonising the provisions of the Anti-Money Laundering Directive (AMLD) to achieve its coherent application across Member States and better protect consumer personal data and privacy. The available evidence suggests that some financial service providers collect information from consumers for commercial purposes, using the AMLD requirements as an argument. We hope this issue will be addressed by policymakers as a follow-up to the Green Paper on retail financial services.
R 4 (21) - We fully concur with the above descriptions. With regard to the use of consumer data in the area of credit, see our comments on B3.
R 4 (22) - The growing use of personal data and big data also carries the risk of unjustified discrimination and exclusion of consumers. The greater the number of data elements used in data analytics, the greater the probability of irrelevant data, wrong interpretation and adverse effect on the consumer.
As already stressed earlier, only objective and valid data should be used by financial institutions in their activity. There still remains the question of the quality of algorithms and the competences of the data analysts who control them. Nowadays data analyst jobs are extremely abundant, and companies in different sectors actively implement algorithms for automated data processing. These are subjective elements in the equation, i.e. if an algorithm is wrongly configured, it could lead to the discrimination of certain consumer groups.
Personal data and big data must be used ethically. In that respect, the General Data Protection Regulation (GDPR) forbids processing of particularly sensitive personal data, unless certain strict conditions are met. The prohibition applies to, inter alia, personal data revealing racial or ethnic origin, genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health.
Insurance products are out of scope of this consultation, yet the extensive use of personal and big data in that sector raises a number of fundamental issues which question the very nature of the current insurance model based on risk pooling. Hence, a separate consultation on insurances is more than necessary.
Overall, more intensive use of personal data and big data by financial institutions in their risk assessment models aims to maximize their profits and minimize risks. The industry aims at ‘zero risk taking’, while the entire risk is being shifted to consumers. As a result, vulnerable consumers may become financially and socially excluded because financial institutions consider them too risky. This is one of the key challenges for the coming years that need to be anticipated and prevented by competent authorities.
R 5 (23-25) - The above-described risk of exclusion/discrimination of privacy-minded consumers appears to be imminent. For example, recently an insurance executive said that in the next five to ten years it could be impossible to get life insurance without a wearable device. Such a scenario could also happen with respect to other financial services, like credit: the consumer could be required by the lender to allow access to his social media accounts before the decision to grant the loan is taken.
Digitalisation and increased use of personal and big data may also penalize offline consumers, e.g. those who do not have a broadband internet connection, those who lack the access or the knowledge to navigate easily online, elderly people, and some people with disabilities (visually impaired).
Policymakers should track such dangerous developments and prevent them.
There is evidence that fear of scams is starting to affect consumer behaviour, as half of people (48%) say they do not use certain online products, services or apps for fear of being targeted by scammers.
R6 (26) - With digitalization, the Internet of Things and a data-driven economy, more personal information is being collected by powerful computers, meaning data centers containing large volumes of data are being targeted by fraudsters.
Cyber-security is a growing concern. In the last few years, there were several high profile cases of hacking and data theft including the Target case where millions of consumers’ credit card details were stolen. Earlier this year, the US Financial Consumer Protection Bureau (CFPB) alleged that a payment processor made public statements regarding the efficacy of its data security system and failed to fulfill those promises. In 2014, eBay asked users to change their passwords after hackers stole encrypted passwords and other personal information, including names, e-mail addresses, physical addresses, phone numbers and dates of birth. Following a very recent hack into LinkedIn’s system, about 100 million accounts might have been affected.
Cyber-security is a horizontal topic and has a much wider scope than financial services. In the area of financial services, some initiatives have been undertaken to improve the security of payment services at the EU level. In 2013, the SecuRe Pay Forum’s Recommendations for payment service providers aimed to address issues relating to the PSPs’ internal governance, risk identification and assessment, monitoring and reporting, risk control and mitigation issues as well as traceability. Payment service providers put in place solutions like end-to-end encryption and tokenization in order to reduce the risk of data theft and payment fraud.
Consumers have growing concerns about being exposed to scams and the harm they could cause. Worryingly, the UK Government’s Cyber Security Breaches 2016 Survey found that over six in 10 large firms detected a cybersecurity breach or attack in the past year, but only 5% of firms invest in ongoing monitoring of breaches on their systems. And when individuals have fallen victim, Which? found that banks were inconsistent when dealing with fraud. The Financial Ombudsman Service stated that in many cases banks have based their decisions ‘on a hunch’, without conducting a full investigation and potentially leaving victims out of pocket and feeling like suspects for crimes they didn’t commit.
R 10 (35) - Companies need to do far more to safeguard consumers from scams and should bear the cost where their weaknesses have left customers’ money vulnerable. Scams have the power to undermine public confidence to engage with genuine companies – how do we know what’s real and what’s not? Both consumers and business will suffer as a result.
In addition, a consumer’s right not to be subject to a decision based solely on automated processing of personal data must be respected.