Retail Banking

Retail Banking

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

The impact of the EU General Data Protection Regulation on the financial services industry in relation to customer consent

In the early 1990s, data breaches and identity theft were not mainstream problems; smart phones didn’t exist, nor did social media, and banking was still almost exclusively carried out ‘face to face’. In fact, most people were on first name terms with their local bank managers. People weren’t expected to have endless memory capacity for passwords and data theft, hackers and cybercriminals were not a risk which people could fathom, let alone consider.

Data protection and privacy has increasingly become a topic of global significance, with high profile incidents, both in the corporate world, as well as politically. As such, there is increasing need for regulation of data and a unified data protection policy. In response, the EU introduced a new piece of legislation, now only less than two years until implementation, which it hopes will fundamentally change the way that companies capture, manage and store information.

The General Data Protection Regulation (GDPR), an EU regulation (not Directive) comes into force across the EU on the 25th May 2018, giving citizens control of their personal data. In essence, all institutions which collect, process or share an individual’s personal data will need to gain ‘freely given, specific, informed and unambiguous’ consent by the customer themselves. More so, due to the fact that data protection concerns stretch across national boundaries, the introduction of GDPR seeks not just to regulate data within the EU, but to also extend EU data protection law to any organisation holding information on EU citizens, even if that organisation is based outside the EU.

A recent report launched by Capgemini’s Digital Transformation Institute (DTI) uncovers the current state of cyber security in the financial services industry and the importance to ensure adequate security measures are implemented by businesses.

What does this mean for businesses, more specifically banks and other financial institutions?

Companies are collecting more data about consumers than ever before. Data related to our consumption, lifestyle and even browsing habits are, practically, constantly tracked and analysed. This data is then used to target our individual wants and needs, and less cynically, to help inform better product design and service offerings. As the internet’s reach expands e.g. smartphone usage or the use of Apple Pay, PayPal and other online payment capabilities, information will be even more readily available and have greater value. This brings about an interesting trade-off between the amount of personal data we are willing to share with a company and the associated quality and convenience of service we can expect to receive in return.

On a conflicting note, there are also concerns around information being stolen or handled in a negligent way, which could (potentially) be extremely distressing for consumers. GDPR puts the onus squarely on organisations that hold personal and sensitive data to be fully responsible for obtaining permission to utilise the data and ensure it is adequately protected.

Given this, the potential impact on banks and other financial institutions has raised concern across the industry, particularly in relation to the expenses financial institutions will incur to implement this regulation and the associated fines if compliance is not imposed.

What does this mean for banks?

  • Banks will have to consider how to integrate the data protection requirements within existing system design and testing, with many banks already managing multiple in-flight regulatory programs e.g. BCBS239, MIFID, Ring-Fencing, etc.
  • Ensuring robust 1st and 2nd line of defence (Risk) processes related to breaches of data confidentiality and reporting these to regulators, even where breaches are made accidentally. Organisations will have to revisit their end-user controls and internal reporting, again, taking in-flight programmes above into account
  • Organisations need to have an ‘interest’ in all data collected, which means that banks will have to have to demonstrate the justification for all data collected on customers
  • Implementation will also have global implications as it will not only relate to data of EU citizens captured in the EU, by organisations based in the EU, but also their global operations and the related ‘data footprint’

What does this mean to us as a consumer?

Although this regulation will be hard hitting for organisations, the benefits to the consumer are clear. Referred to by companies as “D-Day for security,” the regulation provides personal data a high standard of protection, allowing customers the right to complain and obtain redress if data is misused anywhere within the EU. In addition, it is an opportunity for stronger relationships (or greater tension!) to be forged between consumers and businesses as “social contracts” are created to articulate the use of data.

In summary, banks need to begin to prepare by putting policies in place and well practiced procedures to meet the required standards. Furthermore, they need to ensure a framework is established to monitor, review and asses the data processing procedures with all necessary safeguards. It is important that privacy is embraced by banks as implementing privacy by design will not only demonstrate compliance but could also lead to competitive advantage.

About the author

Natasha Rana
Natasha Rana
Natasha Rana is a Consultant in the Business Model Transformation team at Capgemini Consulting. Natasha has consulting experience across Banking and Insurance, with a particular interest in projects that are driven by business and regulatory change. Prior to joining Capgemini, Natasha worked in the media & marketing space.

Leave a comment

Your email address will not be published. Required fields are marked *.