Written By: Mike Ross – Corporate Finance
More and more players, banks and fintechs alike, are interested in the commercial exploitation of bank customers’ personal data. With a new European law entering into force in May 2018, regulators are getting prepared to check whether these data uses are authorised or not.
Should data held by banks on their customers be considered personal data?
Absolutely. The definition of personal data is extremely broad: it covers all data about a person who can be identified directly or indirectly (e.g., name, telephone number, date of birth, fingerprint). Banks therefore handle large amounts of personal data: payment data and statements of account are personal data. Other information is stored by banks because of specific regulations such as KYC (know your customer), which obliges banks to describe the customer profile with:
- professional activities for anti-money-laundering purposes,
- financial competence or knowledge for savings purposes on risky investments,
- revenues and debts for granting loans,
- heirs for insurance products.
So fairly detailed data on the origin of a client’s revenues, identity, family and level of financial knowledge are stored by banks in their systems. Just as medical doctors hold a mass of information on the health of their patients, banks hold a mass of personal data on their clients’ private lives.
Are regulators particularly vigilant about the use made by banks of this data?
Given the mass of information retained by banks, regulators control banks’ use of this data, probably more so than for other actors. Today banks, which have historically made little use of their clients’ data, seem tempted to do so in order to improve the services they provide but also to find new sources of revenue, or, in the case of European banks, to comply with the new European regulation, the Open Banking Standard.
Are banks authorised to transmit clients’ data?
Using personal data is not necessarily totally prohibited. In all countries, bankers have an obligation of confidentiality towards their clients’ data. But in many cases, what is prohibited is using customers’ data without their knowledge, let alone their consent. Bank secrecy exists worldwide, but transmitting clients’ data to third parties, such as merchants, is authorised provided that clients are aware of it.
In other words, banks can lift banking secrecy on condition of the client’s express consent. Tax regulation is one recent example (for instance, FATCA, the Foreign Account Tax Compliance Act). But banks also transmit data to their insurance and financial subsidiaries, for instance to offer value-added services, provided clients have given their consent in some form.
What form should the collection of client consent take?
In many countries, client consent must be free, specific and the result of an action. Countries’ information-technology (IT) regulations are often demanding on this point. In some countries, encryption of the data is even mandatory to ensure that a certain secrecy is kept. In some countries, moreover, acceptance of the service’s terms and conditions is not sufficient: consent must be specific to the service provided. It must also be free, in the sense that it does not lead to another, unspecified service. In many cases consent must be the result of a positive action by the client, not a tacit one: silence never means consent.
Concretely, consent may at a minimum take the form of a checkbox, and in some countries a specific document to be signed.
What will change for the banks and fintechs when the European regulation on data protection comes into force in May 2018?
The new European law on personal-data protection, expected to come into force in May 2018, will impose full transparency on the uses made of the data collected. Actors will have to state much more clearly than they do today what the source of the information is, how long they will keep it, what it is used for and, if there is no express consent, whether they have a legitimate interest in using this data.
Higher penalties will apply to both banks and fintechs in cases of breaching the new rules:
- up to 2 percent of annual worldwide turnover, within the limit of €10 million, for a failure to keep a register, for example, and
- up to 4 percent of annual worldwide turnover within the limit of €20 million for breaches of the general principles of the law.
Today, some non-bank third parties, such as account aggregators (Bankin’, Linxo), already access certain banking data. If they require clients’ account credentials and passwords, they increase the risk that this data will be stolen. It is also difficult to assess how well their systems are protected against hackers. Non-bank third parties and fintechs are also supposed to comply with IT regulation on personal-data protection, but do regulators have the means to check each of them?
The economic model between banks and fintechs is not yet settled. But banks may in future keep the privileged responsibility of storing the data and of deciding whether to offer their clients the option to share it with fintechs. Banks have know-how that users recognise; users are generally reluctant to entrust their personal data to private players, with the notable exception of banks. Banks know it, and they should continue to benefit from this trust.