MiFID II, PSD2 and GDPR all focus on data – either opening up access or strengthening its protection. Without the right data solution, financial service providers risk coming unstuck, writes Karen Watson of Consentric by MyLife Digital.
Trust is at the heart of the financial services industry. Without trust, it would go bust. We trust it with our assets and we trust it with our data. And when that trust takes a knock, so do the share prices of the companies involved.
Recently, millions of South Africans were told by Liberty Life that its IT systems had been compromised. The market reaction was to immediately wipe 4.7 per cent off the share price – or R1.68bn from its market value of R34bn.
But it’s not just hacking that gets people worried. The misuse of personal data has become front-page news. Cambridge Analytica’s role in the 2016 US presidential elections comes immediately to mind.
The financial services industry is awash with personal data that must be kept safe, and there is plenty of regulation to protect it. MiFID aims to protect customers through increased transparency; PSD2 opens up data to permitted third parties in a bid to increase fair competition (open banking); GDPR protects personal data from misuse. Some initiatives, like MiFID II and PSD2, are specific to the financial services industry, while others such as GDPR are applicable to all.
“Data protection is a common theme for the regulator,” says Simon Morris, partner in the financial services and products practice at London law firm CMS. “And there are three key principles. Confidentiality – personal data is given willingly but over highly risky media such as emails, over the phone or by text, so it must be kept safe over these channels. Secondly, it is important to require firms to only use and process that data fairly. Thirdly, we require very robust and resilient IT protection against phishing and hacking. Covering all three is a real challenge.”
With each new piece of regulation comes what Morris calls “repapering” – the collection of more data and its storage. This is often done in silos to stop data from being used by others. Ben Robinson, head of strategy at core banking IT specialist Temenos, believes that when it comes to consent, data silos are a particular problem.
“Each time a bank collects data it has to record consent for its use. It’s difficult to get the correct consent and often the data is replicated, perhaps with different consents in different silos. They need a dynamic consent database,” says Robinson. “Open banking promises so much, but silos kill its fluidity and makes compliance harder.”
Morris echoes this, saying: “The problem is repapering each time for a new piece of regulation. And getting the right consents. A company that can offer a credible solution to all or even part of all this will be offering a general good.”
He cautions that lots of financial services companies are still getting consent wrong. “They are not getting consents or relying on opt-outs. That’s simply not good enough very often. Or they do not get the correct consents,” he says.
This should worry customers and shareholders alike. “We know regulators do regular reviews. If a company is hacked or doesn’t have the right consents, the regulator will turn on you,” he warns.
The fines for non-compliance are potentially huge – breaches of GDPR are up to €20m or 4 per cent of global annual turnover. And reputational damage, as we have seen, can cost billions in lost market value.
“We trust banks – it’s to their advantage and it’s a bigger issue for them than for anyone else. They need to maintain and not squander our trust. It’s the biggest single thing they must safeguard after our assets,” says Robinson.
With patchy or faulty compliance and the associated risks in plain sight, the financial services industry needs to get its house in order. Technology has the answer – a dynamic solution directly connecting customers with their personal data to provide permissions for certain uses, together with robust security. Regulators will broach no excuses if banks are found wanting. Customers might be even less understanding.
Karen Watson of Consentric by MyLife Digital.