Digital intelligence: Data privacy in and out of the bank


Our takeaways on the top digital developments influencing financial services

Trust underscores an open banking approach

Great responsibilities come with the collection of personal data. Federal laws mandate that banks protect the privacy and security of consumer financial data, and these laws extend to the sharing, access, and use of this data. Because of this well-established framework, banks have a tremendous opportunity to advance the use of open models across financial services in a risk-controlled fashion. Considering that for the last several years banks have been criticized as slow to respond to the expansion of technology into financial services, banks can now use their inherent trust and safety as a springboard to accelerate innovation and digitization efforts.

Banks have clear aspirations to expand by leveraging their digital footprints. In just the last three months, several leading global banks have announced the addition of basic bank services or expansion to new geographic markets solely through digital offerings. One bank announced a free personal financial management tool in exchange for third-party financial data. Another bank, in its shareholder letter, discussed the creation of an application programming interface (API) store to enable outside developers to access the bank’s core technology services. Key to these services is a standards-based and secure (access, authorization) gateway to expose banking functionality and data to expand the reach of the bank and facilitate innovation.

These more open approaches to banking have gained recent attention. This is due to regulatory directives in the UK and the EU, which mandate that banks share customer data, and in the US, where non-binding guidance essentially challenges the industry to take the lead. Providing consumer choice and transparency into how data and credentials are used is a prerequisite for any open model, and banks have an inherent trust advantage in these areas. Imagine a single payment dashboard within an online banking account where a user could view what media subscriptions, ride-hailing services, or e-commerce platforms have access to their payment credentials. Users could easily control which services have access or revoke these payment credentials—perhaps a simple way for banks to provide consumer control and increase relevance in an environment where this bank-consumer relationship is arguably fading.

These simple services are just a first step, with a more partner-based market approach a likely next step. An open approach that offers public APIs to partners will allow banks to use established data privacy frameworks to share data and mitigate security concerns. In truth, data sharing is already occurring—it is just happening through means that can be insecure and unscalable (sharing of credentials, screen scraping). An open approach with an API gateway can allow banks to regain control and mitigate data privacy and security concerns. APIs essentially divide the sharing of data into manageable pieces and should allow banks to begin to monetize the effort by exposing internal services, introducing new products, or expanding into new markets. Support for standard APIs such as the Open Financial Exchange (OFX) or the durable data API (DDA) is also forming, and the current debate surrounding data privacy could even serve as a rallying point for industry coordination to credentialize certain “industry approved” API standards.

The adoption of open models in banking is a natural component of a consumer-oriented innovation strategy. This, however, does not come without challenges. Beyond security and data privacy, banks need to consider compliance requirements, partner needs, cultural differences, and technology architecture. Data privacy and the sharing of consumer data are now at the forefront, but this is just a starting point and should encourage banks to seize the opportunity to leverage their inherent trust and take the next step to discuss the upside that open models can bring. Even if they start small by carefully curating various third-party services with which to share data, banks can begin to leverage these open frameworks to set a foundation for trusted innovation.


All financial institutions should reassess their consumer data policies

The heightened awareness is a catalyst to revisit data usage, privacy, and sharing policies. Even if financial institutions are not ready to move forward with an open banking framework, there is a clear urgency to assess whether data protection policies are serving their intended purposes. Financial institutions already share customer data with third parties—this is happening willingly through bilateral agreements, or unwillingly through screen scraping—but they may not have full visibility into what data has been shared, why it has been shared, and which third parties it has been shared with. Many organizations will need to comply with GDPR (May 2018), and organizations including FINRA [1] and SIFMA [2] have issued recent bulletins (based partly on the CFPB’s guidance in October 2017 [3]) to highlight the concerns and guidelines around data sharing and aggregation.

Have data privacy processes kept up with the developments in data sharing? At a minimum, most financial institutions should test existing assumptions surrounding their data privacy policies. For the many organizations aiming to comply with GDPR, a data inventory and mapping exercise is a likely starting point. This process should be continually tested for effectiveness—particularly as data aggregators proliferate. Other standard processes, such as batch file transfers, could also be a source of concern as organizations may not have recently assessed the automated scripts, or may not be aware of what data is being sent.

All financial institutions should assess whether their current data inventory process extends to data shared with third parties. This sharing of data with external parties is the next step for the information governance process: moving beyond eDiscovery or reducing the footprint for cybersecurity reasons, to understanding where data is once it leaves the organization and aligning this with proper risk controls. Financial institutions, while arguably a more advanced industry in terms of controls, may lack an effective inventory framework to know what data has been shared with which third parties, or may not have visibility into who sent the data, why, and how. Many data mapping exercises will focus on data creation and how the data traverses the organization internally, but may lack visibility into whether data is then shared externally, under what consent, and whether the shared data is in fact appropriate.
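As an added illustration (not code from the original article or from PwC), the Python below models the consumer dashboard described earlier in the piece (grant, view, revoke access to a third party) together with the outbound data-sharing inventory this section calls for, so that a gateway check records what was shared, with whom, why, and how. All third-party names, scopes, and purposes are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass
class Consent:
    third_party: str
    scopes: set                      # constructed scope names, e.g. "transactions:read"
    purpose: str                     # why the data is shared (the "why" in the inventory)
    revoked_at: Optional[str] = None

@dataclass
class ShareRecord:                   # one row of the outbound data-sharing inventory
    third_party: str
    scope: str
    purpose: str
    channel: str                     # how the data left the bank, e.g. "api-gateway"
    at: str

class ConsentRegistry:
    """Per-customer consent ledger plus an inventory of data that left the bank."""
    def __init__(self):
        self.consents: Dict[str, Consent] = {}
        self.inventory: List[ShareRecord] = []

    def grant(self, third_party, scopes, purpose):
        self.consents[third_party] = Consent(third_party, set(scopes), purpose)

    def revoke(self, third_party):
        c = self.consents.get(third_party)
        if c is not None and c.revoked_at is None:
            c.revoked_at = datetime.now(timezone.utc).isoformat()

    def dashboard(self):
        """What the customer sees: services that still hold access, and to what."""
        return {tp: sorted(c.scopes) for tp, c in self.consents.items() if c.revoked_at is None}

    def authorize(self, third_party, scope, channel="api-gateway"):
        """Gateway check: deny unless an active consent covers the requested scope."""
        c = self.consents.get(third_party)
        if c is None or c.revoked_at is not None or scope not in c.scopes:
            return False
        self.inventory.append(ShareRecord(third_party, scope, c.purpose, channel,
                                          datetime.now(timezone.utc).isoformat()))
        return True

    def shared_with(self, third_party):
        """Inventory view: what was shared with this party, why and over which channel."""
        return [(r.scope, r.purpose, r.channel) for r in self.inventory if r.third_party == third_party]
```

Revocation takes effect on the next gateway call, and the inventory keeps the history of what was already shared so the institution can answer "what left, to whom, why, and how" after the fact.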

Companies that aim to comply with GDPR, which applies not just to EU-based companies but also to companies that store or handle data from EU consumers, have prepared to manage many of these data privacy concerns. However, many of these processes may not be adequate or properly assessed. An April 2018 study by NetApp suggests two-thirds of global companies may not meet GDPR deadlines [4]. Further, as the market evolves with new bilateral data sharing agreements, data aggregators, and partnerships, effective visibility and control over data leaving the organization may present a major gap.


[1] “Know Before You Share: Be Mindful of Data Aggregation Risks,” FINRA, March 2018
[2] “SIFMA Data Aggregation Principles,” SIFMA, April 2018
[3] “Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation,” CFPB, October 2017
[4] “NetApp GDPR Survey, Gauging global awareness of business concerns,” NetApp, April 2018


Policy considerations: BigTech will seek to regain trust with self-regulation

Scrutiny of BigTech in general has also stimulated discussion of potential policy change. Several proposals have been floated, ranging from comprehensive data privacy legislation and information governance requirements to industry-led self-regulation. The market—and, to a large extent, legitimate consumer concerns over personal data privacy—will continue to determine the boundaries of acceptable and unacceptable behavior, with the federal government intervening in clear cases of unfair, deceptive, or anti-competitive practices.

All eyes on California? Policy discussions on data privacy confront three factors: the value of data-driven decisions versus privacy and security, the public good versus the speed of innovation, and the primacy of global versus local policy. Despite the possibility of new policy, past efforts to establish privacy standards, such as the Consumer Privacy Bill of Rights, have been unsuccessful. A consumer response will likely be tested with the California Consumer Privacy Act, which is on the ballot for the 2018 elections in November. This bill includes, amongst other initiatives, the right for consumers to limit or stop how businesses sell or share their personal information. Consumer concern over data privacy has historically been short-lived, with consumers showing little appetite for asserting more control over personal data (admittedly, the ability to control personal data has not always been straightforward). Combined with the rapid deregulation in the US, it is unlikely that any hasty new data privacy regulations are imminent. However, the adoption of the California Consumer Privacy Act could set a precedent for consumer expectations, considering the relative size of California's economy and voter base coupled with the presence of BigTech.

Beyond the immediate term, policy discussions will likely focus on requirements that are straightforward and encourage the industry to self-regulate. Technology companies appear to acknowledge a need to regain trust and, whether through policy or industry-led efforts, requirements around data portability, access transparency, and control and consent (opt-in and rights of revocation) are a starting point. These areas would impose requirements that align with aspects of GDPR and PSD2 and are, to a degree, already in place in select industries such as financial services. The future impact of self-regulatory principles will likely depend on the level of restrictions that organizations impose on themselves. If these principles lack the protections that consumers expect, even the absence of official legislation may drive firms to increase internal regulatory scrutiny, provided the media continues to highlight potential negative impacts on consumers and the government intercedes in instances of anti-consumer or anti-competitive behavior.


Contact us

Julien Courbe

Financial Services Leader, PwC US

Scott Evoy

Financial Services Advisory Digital Leader, PwC US
