The German Banking Industry Committee (GBIC) welcomes the EBA’s initiative to stimulate debate on the use of consumer data. We are in favour of a flexible use of consumer data, especially given its potential to improve consumer and investor protection and promote financial stability.
A flexible use of consumer data will enable a better assessment of the risks associated with banks’ lending business and with customers’ investments. This will help to enhance consumer and investor protection, will have a constructive impact on banks’ overall risk management and thus a positive influence on financial stability.
These positive effects of using customer data can only be achieved, however, if certain privileges are accorded to banks. An example is the right legally enshrined in German data protection law for banks to transmit data to credit bureaus when entering into loan or guarantee agreements, for instance. This right must be retained when the European General Data Protection Regulation is implemented. Consideration should also be given to making it easier for banks to use customer data in other situations to enable them, for example, to better evaluate the suitability of certain products to meet a customer’s needs. Banks can only meet the expectations of policymakers, businesses and society if they have the instruments they need to be able to use customer data to a far greater extent than at present.
GBIC is the joint committee operated by the central associations of the German banking industry. In this capacity, we represent approximately 1,700 financial institutions in Germany which have experience of innovative uses of consumer data.
Banks normally collect the data needed to meet their contractual and legal obligations directly from customers. This information may be provided by the customer orally or in writing, or in the form of a private document (e.g. a payslip) or an official document (e.g. an ID card as proof of identity). Data obtained as a result of contractual relationships are also used within legally permitted limits.
If it is considered sensible or necessary, personal data may also be collected indirectly, i.e. from official sources (e.g. land or commercial registers), from publicly accessible sources (e.g. public records) or from firms specialising in the provision of information (e.g. credit bureaus). The use of external sources (such as credit bureaus) is necessary when evaluating a potential borrower’s creditworthiness, for example, or assessing an individual’s need for a basic bank account under the German Payments Account Act or for a so-called “P-account” under Section 850k of the Code of Civil Procedure (a special account for over-indebted persons that protects a minimum income against attachment). The use of external sources may be considered useful when preparing a targeted marketing campaign to attract new clients, for instance.
The type of data which banks use and the sources from which the data are obtained ultimately depend on the purpose of processing the data.
See answers to question 2.
Banks use consumer data for a wide range of purposes. These include
- fulfilling obligations arising from pre-contractual and contractual relationships with a customer (e.g. creditworthiness assessment, execution of payment instructions or securities orders, investment advisory services),
- fulfilling legal and regulatory requirements, e.g. anti-money laundering rules,
- detecting and preventing fraud, and
- marketing and sales purposes.
In terms of quantity, most of the consumer data banks process today are used for the purpose of fulfilling pre-contractual and contractual obligations associated with customer relationships.
Future developments depend on a number of factors and are therefore difficult to predict with any degree of certainty. In the view of the German banking industry, various scenarios are conceivable.
1) Banks and other payment services providers will use existing customer data – among other things on the basis of the new European Payment Services Directive (PSD2) – to develop new services with the aim of generating added value for customers.
2) Digital platforms and ecosystems will enter the market and compete with banks by integrating third-party financial services into their own offerings, thus providing additional benefits to customers. In the process, consumer data will be used which have not been collected and cannot be accessed by financial institutions.
3) Banks will opt to refrain from using consumer data in innovative ways.
4) Banks will use any of such data to meet a general need in an increasingly digitised world, even though make it highly transparent to customers. However, it has to be absolutely confidence in the security and protection of personal data.
These scenarios are not mutually exclusive, but are more likely to reflect different strategies of different market participants. How these strategies will together affect the financial services market is not foreseeable as things stand.
This makes it all the more important that banks remain able to respond appropriately to market conditions and customer needs and are not singled out for special regulation when it comes to the use of consumer data. We are assuming, in this context, that “financial institution”, within the meaning of the EBA’s discussion paper, also covers providers of the new payment services under the PSD2. When the General Data Protection Regulation takes effect in May 2018, a standardised framework for the use of personal data will apply to all processers of data throughout the EU. We warmly welcome the associated political objective of establishing a level playing field for providers of all kinds.
To avoid distorting competition, it is essential to protect the databases of financial institutions. These have been built up over decades, are the product of considerable investment and enjoy copyright protection. The databases are owned by the banks and should not be further opened up to third parties on the grounds of an alleged need for data portability (see also our reply to question 8).
Conversely, and in the interests of fair competition, consideration should be given to the idea of permitting financial institutions – subject to the approval of the customer – to use customer data held by leading platform providers along the lines of the arrangements for new payment services under the PSD2.
Yes, all in all, the benefits are described appropriately. To be competitive, financial institutions must be able to use personal data more efficiently with the objective, inter alia, of
- improving customer services and product quality through data analysis,
- optimising creditworthiness assessments,
- improving targeted marketing, and
- reducing costs for customers.
On top of that, the use of personal data offers an opportunity to reintroduce a personal, individual note to banks’ dealings with their customers to compensate for the increasing standardisation of products and processes in recent years.
We also believe greater use of consumer data has the clear potential to improve consumer and investor protection and promote financial stability. A broader base of data will enable a customer’s personal situation, such as his/her risk appetite or temporary financial difficulties, to be better and more promptly identified. The customer can then be contacted and an appropriate course of action recommended. This could enable consumer and investor protection to be designed more effectively than current instruments allow. Better knowledge of customers also has positive effects on a bank’s risk management and thus on financial stability in general.
Existing data protection law and the future General Data Protection Regulation set tight restrictions on the “innovative” use of customer data. These legal restrictions naturally cannot be overturned by the EBA. It would nevertheless be helpful to the European banking industry if the EBA concluded that greater use of customer data by financial institutions could both benefit banks’ business operations and improve customer relationships. An opinion of the EBA along these lines could be used by banks as a basis for determining what kind of data processing would be deemed permissible in the context of a balancing of data protection interests.
One obstacle for banks is the regulatory ban on correlating customer data from one business unit with data from another in order to gain possible new insight. The objective of the prescribed Chinese walls is to avoid potential conflicts of interest. There are no such rules in place for competitors outside the banking sector. This means digital ecosystems retain an “information edge” which translates into a competitive disadvantage for banks.
It is important, moreover, that banking supervisors do not create new, special and restrictive requirements concerning the use of customer data by financial institutions. There must be a level playing field in the use of customer data by fintechs, banks and other market participants.
The information asymmetry between providers and consumers regarding the use of personal data is a general phenomenon and does not apply to financial institutions alone. In other sectors, too, suppliers face the challenge of how to inform customers about the use of their data in a way which is brief, straightforward and readily understandable yet at the same time sufficiently precise.
In addition, financial institutions are subject to obligations at least as strict as those for other providers when it comes to consumers’ rights to information about the data stored about them especially to the new information duties of the new data protection regulation. The same goes for information about automated decisions (e.g. on a loan application). Regulatory and legal requirements impose further qualitative requirements on banks’ credit quality assessments and scoring systems. Take, for instance, the requirements in place since March 2016 for checking creditworthiness under the European Mortgage Credit Directive. We see no need whatsoever for more industry-specific rules.
We do not agree with the argument that consumers are “locked in” to a provider simply by the fact that data collected in the course of an existing contractual relationship cannot be accessed by other providers and that the portability of data consequently needs to be ensured. Information and experience gathered during a contractual relationship by no means constitute a public good. This is as true in the financial industry as it is in all other commercial sectors. In the area of lending, moreover, the credit bureau systems operating in Germany and in many other countries counter negative lock-in effects. The introduction of the account information services under the PSD2 will make erode lock-in effects even further.
The risk of consumer data being misused, either by banks themselves or by unauthorised third parties in the event of a data breach, must be considered extremely low given the high compliance requirements and security standards banks need to satisfy. Owing to the sensitive nature of their data, banks have been active for many years in building a defence against cyberattacks. Mindful of the rising trend in cybercrime in recent years, protecting their IT systems is a top priority for banks.
We would nevertheless like to reiterate a point we have repeatedly raised with European lawmakers and the EBA in the context of the PSD2. Opening up account interfaces to third-party service providers must not be allowed to give rise to additional risks for consumers and banks. There is a danger of such risks undermining confidence in the entire system.
We have observed that, when customers grant third parties access to their account, they are often not aware of the fact or of the scale of information unlocked by their consent. More transparency should be established here, e.g. by developing a standard clause for obtaining the customer’s consent on a transparent and informed basis.