vlerick policy paper series/media/5e...2 protecting customer privacy in the financial sector vlerick...


Vlerick Policy Paper Series No. 5

PROTECTING CUSTOMER PRIVACY IN THE FINANCIAL SECTOR

Abstract: With increased digitization of the financial sector come the issues of data protection and customer privacy. Banks collect huge amounts of data on individuals, notably from bank accounts, credit card transactions or mobile banking. On the one hand, the use of big data in the financial sector is a wonderful opportunity to better respond to customer needs. The biggest hurdle, on the other hand, is customer privacy and data protection. How can financial institutions most efficiently deal with customer privacy when making use of digital technologies? How should they deal with the issue of privacy given the current context where rebuilding trust is a key challenge? These are the main questions addressed in this policy paper, which consists of two parts. The first part is a contribution by Prof. Öykü Isik providing a state of the art of data-driven financial services. The second part is the report of a Vlerick regulatory workshop dedicated to the topic, gathering representatives from different horizons within the financial sector, including regulatory authorities, banks, insurance companies, financial associations, consulting companies and law firms. The second part of the paper provides a detailed overview of the workshop presentations, discussions, and co-creation exercise.


Protecting customer privacy in the financial sector

Vlerick Policy Paper Series 5, March 2016

Content:

1. Data-driven Financial Services: State of the Art, by Prof. Öykü Isik

2. Workshop report: Report of the 5th Vlerick Regulatory Workshop on Customer protection, by Marion Dupire


Data-driven Financial Services: State of the Art

Pr. Öykü Isik


Vlerick Business School

Information about money has become almost as important as the money itself, as Walter Wriston, the former CEO of Citibank, said in 1984 [1]. After 30 years, we can confidently say that his predictions have come true, adding technology to the equation.

The word of the day is ‘big data,’ that is, seeking intelligence from data in order to create business advantage. The buzzword has been keeping us busy for a while now, with data even being discussed as a “critical new form of economic currency,” which can be as potent as money or oil. We come across something new every day, such as how big data is transforming the healthcare industry by making it possible to tailor medicines to an individual’s unique genetic blueprint by combining it with their lifestyle and environment data, and then comparing it with other people to predict illness and determine the best treatment [2]. Or how UK Premier League soccer team Arsenal is changing sports management by analyzing the big data collected from 8 cameras installed around its stadium to track every player and their interactions, 10 data points per second for every player, or 1.4 million data points per game [3]. All these examples, along with several recent studies conducted by research institutions, point to continued excitement and a growing Big Data market. For instance Wikibon, a community of business technology practitioners founded to deliver actionable information and forecasts, predicts the Big Data market to attain a 17% annual growth rate for the period up to 2026 (see Figure 1).

[1] Wriston, Walter B. “The Citi of Tomorrow: Today (March 7, 1984),” The Walter B. Wriston Papers: 1918 – 2006. Tufts University Digital Library, 2007.

[2] See for more details: http://www.forbes.com/sites/bernardmarr/2015/04/21/how-big-data-is-changing-healthcare/2/

[3] See for more details: http://www.forbes.com/sites/bernardmarr/2015/03/25/big-data-the-winning-formula-in-sports/


The “big data revolution” has not left the financial services (FS) industry untouched, of course. The stories are plenty; we have heard the good [4], the bad [5], and the ugly [6]. Yet, big data does not seem to have had a revolutionary effect on the industry itself just yet; traditional financial firms mostly persist with their traditional business models. The FS industry may not be the front runner in adopting or innovating with analytics or big data, yet undoubtedly it remains one of the top industries with a high potential for change or for being disrupted by the newness big data brings. When you add the fast-changing consumer profiles and behavior, it is not surprising to see several start-ups (with no FS experience) with unique business models emerging in the financial services industry, aiming to meet those changing consumer expectations. These developments indicate only one thing: more turbulence ahead.

Figure 1. Big Data Market Forecast 2011 – 2026 (Source: Wikibon)

To paint the current picture of the FS industry and to understand the expectations and worries, we started this research. By interviewing 20 experts, both from academia (4) and industry (16), who are immersed in the FS industry yet work with big data on a daily basis, we collected further insight as to where this trend might be leading. Most of the experienced people we talked to started in a technical role in their respective organizations, even though they now represent business functions.

It seems that several experimental units, sometimes within IT and sometimes in business, were given the mandate to prove the value of big data for the organization. Even though there are several different maturity levels, all organizations our experts represent are currently involved in one or more big data projects.

[4] “Big Data lessons from the bank industry … and toothbrushes” http://www.inma.org/blogs/big-data-for-news-publishers/post.cfm/big-data-lessons-from-the-bank-industry-and-toothbrushes#ixzz3eoF68pvt

[5] “Big Data Failures Owe More To Business Culture Than Technology” http://readwrite.com/2015/02/09/big-data-failure-blame-corporate-culture

[6] “ING Plan to Share Customer Payment Data Spurs Privacy Concerns.” http://www.bloomberg.com/news/articles/2014-03-10/ing-plan-to-share-customer-payment-data-spurs-privacy-concerns

First, the Definitions

In order to set the stage for discussion, it is important that we start with the terminology. Especially when it comes to big data, it is easy to come across several different definitions, all emphasizing a different aspect of the phenomenon.

Gartner defines big data as “high volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery and process optimization” [7]. Initially introduced in 2001 by Doug Laney, now a Gartner VP of analytics and big data, this definition led to the commonly cited ‘3 V’s’ of big data (volume, velocity and variety). Yet, another V, standing for ‘Veracity’, is now being added to the definition by some organizations, to emphasize the importance of data integrity and the ability to trust the data while taking crucial business decisions [8].

The (dis)agreement on the definition

During our interviews, it was interesting to observe that the age-old discussion around what big data really is, is still alive and well. Yet, every institution seems to differentiate its perspective by focusing on one of the V’s of big data, still mostly the volume aspect. According to our interviewees, big data is about volume more than anything; when asked for clarification, most of them referred to data sets that can no longer be easily managed or analyzed with traditional data management tools, methods and infrastructures [9]. For instance, volume, as the number of lines in a database, in the form of quantitative, structured data, has already been a point of attention for some of the institutions.

[7] Laney, Douglas. "The Importance of 'Big Data': A Definition". Gartner. 21 June 2012. Accessed June 22, 2015.

[8] “What is Big Data?” Villanova University. Accessed June 22, 2015.

[9] Rogers, S. (2011) “Big Data is Scaling BI and Analytics,” Information Management. September/October. Accessed June 23, 2015.


Figure 2. Big Data defined (Adapted from IBM Smarter Business 2013)

Several times the discussion revolved around the variety element; what is new for most of the organizations is the assortment of data potentially flowing into the enterprise systems. Most organizations are no longer limited to structured data analysis. The world of external data actually involves more unstructured data than structured. Yet, this requires a data processing approach that is completely different from the traditional approaches. Thankfully, there are now tools and techniques that make it possible to analyze unstructured data such as e-mails, social media updates, even audio files.

Interestingly, the V of velocity did not make the highlights in our interviews. After confronting several of our experts with this, it became clear that real-time data flow, let alone real-time analysis of it, is not deemed necessary in the sector, and also not applicable. Yet, when it comes to fraud detection, real-time data can be very insightful. The Capital One example of how they monitor amounts even less than a dollar and can take action on analytics results in less than five minutes is as impressive as it gets (see footnote 12 for more).

The only ‘V’ that matters

According to a few interviewees, there is more to big data than the 3 V’s. By suggesting yet another V, of Value, to add to the definition, they emphasized the benefits that can potentially be extracted from big data. This is also expressed by referring to the phenomenon as ‘smart data’ rather than big data, highlighting the fact that a brute force strategy, that is, trying to collect and analyze all the data they can get their hands on, rarely makes sense. What makes sense is being smart about data collection strategies and being mindful of the analytics that follows.

Separating Reality from Hype

When confronted with the question ‘real or hype?’ our interviewees found a bit of both in big data. There is certainly exaggeration in the excitement surrounding the topic, but how to extract value out of the data is the real phenomenon.

[Figure text: Valuable Data. Data transformed into value (e.g. cost reductions, innovation…) through actionable analytics]


Everyone agrees that the media is feeding the big data frenzy. Initially abundant with articles promoting the promise of big data, more recently the market started talking about the do’s and don’ts of big data analytics. And that’s where the core of the big data phenomenon gets separated from the hype. In whatever form, shape, or volume the data might be, bad analysis of big data will bring only useless or misleading insights. Thus, in reality, most of the discussion surrounding big data is actually about analytics. But, as many of our experts confirm, there is still confusion about the difference between business intelligence (BI), analytics and big data in the market. Hence, there is still a lot of terminology misuse, contributing to the concept pollution.

As one of our subjects emphasized, big data is different from analytics in that it needs to progress in iterations, being more suitable for agile methodologies, as the needs of the business also move in cycles. Data visualization can be another differentiator here; recent research [10] suggests that some companies are better able to use Big Data to their advantage compared to others because they are using data visualization to help make sense of the information.

Analytics as a game changer has been discussed since the early 2000s, but many industries have been catching up late. Even though it is easy to find successful applications of analytics in the FS sector, it seems a saturation point has been reached. It looks like more innovative applications are sought after, and big data is looked to as the new panacea. Financial services needs to go beyond analytics with big data; as one of our experts commented, it is now the time for “analytics +”. This will make all the difference for customer-obsessed [11] organizations, such as the FS institutions. As all our interviewees agree, to deliver high-quality and differentiated experiences for the increasingly digital customer base, FS institutions need to leverage big data analytics to better position themselves not only to offer superior services, but also to become better at realizing cross-selling opportunities.

[10] https://www.sas.com/content/dam/SAS/en_us/doc/whitepaper2/sas-data-visualization-marketpulse-106176.pdf

[11] http://www.information-management.com/blogs/Business-Analytics-Customer-Obsession-Experience-CX-10027172-1.html


Is it real enough to demand a change in the business model?

Financial services has been one of the first industries to be transformed by analytics. We’ve all heard the predictive analytics success story of Capital One [12], or telematics use by Direct Line in the UK and Progressive Insurance [13] in the US; all nice cases of business model innovation towards a more personalized approach, thanks to analytics. Following our discussion above on the difference between big data and analytics, the golden question that follows is whether the big data revolution will bring a change to the current business models, and if so, whether it will be significantly different from the analytics revolution.

We are yet to see such a change in the financial services. Most of our experts disagree that big data will bring significant business model changes in the sector. They suggest that the basis of the model will stay the same. Big data only has an impact on the way they do business and the type of services they can offer.

Another common message that surfaced in our interviews was about the importance of big data as the binding agent between the organizations in the financial ecosystem. The expectation is that combining data from banks and other services companies (such as Telco, energy, …) will lead to new services for clients that FS never thought of before. They already have the FinTech start-ups under close surveillance and are brave enough to accept that these are much better, much more data-driven than FS institutions, and they hope that this competition will force the industry to become much more data-driven. Following up on this, another expectation is that big data, even if it takes investment upfront, will help banks especially to get closer to the customer in a more cost-efficient way and to switch to a more efficient model than the branch-centered model they have now. Gartner also predicts Banking and Securities to be an industry with great opportunities to exploit with Big Data (see Figure 3).

[12] See, for example, http://blog.patternbuilders.com/2011/02/17/the-power-of-analytics-credit-card-fraud/

[13] See, for example, https://en.wikipedia.org/wiki/Usage-based_insurance


Figure 3. Big Data Opportunity Heat Map by Industry (Gartner, 2012)

What Drives Big Data Initiatives?

The potential value big data holds is clear; all experts that participated in our study wholeheartedly believe in the necessity of not only mining the gold within the internal sources, but also leveraging external data sources.

But for what? What is the driving force behind these initiatives?

Operational excellence. Today one of the biggest business cases that drive analytics initiatives is the quest for increased operational efficiency. The same quest also applies to big data initiatives; internal data being readily available is one of the reasons why most institutions start with an inward-looking project to test the ground. Besides, the on-going ripple effect of the crisis, along with the economic uncertainty, forces the hand of financial institutions, which look towards innovation through enriching existing products and services as well as new services.

Customer intimacy. This is the area where most of our experts believe the value resides. Getting to know their customer better was maybe the single common desire our experts shared. Even if the business value proposition is not about customer intimacy, creating a 360-degree view of the customer would not only provide individualized marketing opportunities, but it would also unearth cross-selling opportunities.

Compliance: A chicken and an egg issue. Last but not least, a recurring theme in our interviews was the regulatory compliance challenge. While some of our experts framed this as a challenge big data brings, there were others who saw this as the ultimate data management opportunity. The challenge arises due to the legal implications and regulations for collecting as well as sharing data, especially if it is not yours in the first place. But this can also be a way to optimize data models and governance, helping institutions look for opportunities where big data would benefit not only the clients, but also the organization itself.

Means + Ways = Ends

Some of the driving forces mentioned above also come back as potential opportunities and threats later on (which are discussed further in this document). This is not surprising because, when done right, these driving forces could bring in the competitive advantage. Making sure that everyone in the organization understands and supports the cause makes it necessary to formalize the intent through an official business case. Some of our experienced participants emphasized the criticality of this: do you know what you want to achieve with big data? Several areas of potential contribution have been identified through market research; an Accenture report (2014) lists areas of high impact based on its survey findings, as shown in Figure 4 below.

The necessary elements that determine the value to be created with big data can be structured with Peppard and Ward’s Benefits Realization Framework [14], commonly depicted as Means + Ways = Ends. The means, that is, the information technology artifacts necessary to handle big data analytics, are to be used in the ways that represent the working practices, such as the analytical processes and new team building and collaboration patterns in the organization. All this serves to reach the ends, representing the organizational objectives of the big data investment.

It is interesting to realize that not everybody starts the discussion with this perspective. There seems to be no shortage of use cases in these organizations. Almost all have at least a couple of ideas that contribute to either the operational efficiency or the customer intimacy aspects of their businesses. What seems to be a problem is the prioritization mechanism, or rather the lack of it. Even though several important elements of a justification framework, such as technical complexity or business relevance, seem to be well thought of, economic viability or the challenge of adoption still seem to be concepts that are difficult to estimate.

[14] Peppard, J. and Ward, J. Beyond strategic IS: Towards an IS capability. Journal of Strategic Information Systems 13, 2 (2004), 167–194.


Figure 4. What will Big Data Impact the most? (Big Success with Big Data: Executive Summary, Accenture Report, 2014)

What can FS institutions do? Becoming a ‘technology’ company!

The data that FS institutions have access to is outstanding in terms of the value that could be extracted from it. Considering the external data that can be added makes it even more interesting. But these introduce different levels of complexity, especially from a data processing perspective. As mentioned earlier, the concept of dealing with high volumes of data may not be entirely new in the industry under focus, yet the technologies making it possible are now more accessible than ever. Thus, the investment in technology that big data requires is the first serious step and challenge many organizations have to face.

Does this make financial institutions technology companies? In other words, is IT a core competency for them? There seem to be two polar views dominant on this. While some experts believe that it is only a natural evolution and FS organizations are already technology companies, some interviewees were quite annoyed even by the suggestion. Yet, in the current situation it can be concluded that they already are – and this question is more relevant than ever. This is nicely summarized in the following quote: “financial institutions that remake themselves fastest in the model of software engineering first companies such as Google or Facebook, including picking a forward-thinking technologist as chief executive, will be the true benefactors of this new era in finance.” [15]

[15] “Ultimately, banks are ‘big data’ and technology companies” by Zachary Townsend, Co-founder, Standard Treasury, San Francisco, CA, US. October 4, 2013. Available online at http://on.ft.com/174kM1s


No matter what, as our experts also confirmed during the interviews, IT is the easy part. It is true that new technologies and better tools give traction to big data initiatives and make it more pervasive for more people to use, but at the end of the day IT is only an enabler; the real issue is value generation with big data and not missing out on the prospects.

Opportunities

If there is one thing that is obvious about big data in financial services, it is the opportunities it brings forth. Our experts all agreed that FS institutions have always been challenged with the ‘big data’ of their time, but now they have the technologies making it possible to deal with this data in a cost-effective way, hence a million more possible ways to exploit the data they possess.

Better Customer Experience. In unison, all our experts mentioned that big data can help financial services institutions optimize response rate along with limiting the number of times the customer is harassed, hence improving customer experience. This is becoming more and more important as customer preferences are changing. The largest demographic profile today is millennials. How they consume and what they consume is very different, representing a shift in the landscape for financial services firms as well. For instance, current research indicates that millennials are more risk-averse, indicating a significant impact of credit card usage. This information can be used to develop new business models targeting this specific group of customers, not by asking but by observing through data analytics to uncover their unmet needs.

Collaboration seems to be a clear possibility – but with whom? While some of our interviewees were skeptical about a near-future data-centered collaboration with 3rd parties, there were also others for whom this idea was not new at all. The ones that already have such collaborations mentioned 3rd party data providers who share data on, e.g., weather forecast and geo-location. The purpose of these partnerships is to give context to the data that is already in their possession. Among the ones who favor potential collaborations, many mentioned the start-ups and FinTech companies as the first option they would look into. How about with other technology parties? With third parties that are not in FSI? Or how about potential competitors? These also represent other possibilities, but the security and privacy risks, along with the legal implications and regulations for data sharing, seem to be keeping FS institutions back.

Data Enrichment. It does not always have to be customer data – a strategy focused around big data that is generated internally can bring great value as well. As mentioned in the collaboration opportunities above, there are many ways to improve the predictive capacity of already-owned data by pairing it with publicly available data or social media data. Data can also be enriched through other hardware or device connections, using the benefits of the Internet of Things (IoT) to the fullest. For example, imagine service personalization with the use of beacons. 2015 has been predicted to be the year that significant investment in beacons by FS will take place [16]. We already see a few first-mover cases, such as how Barclays is using this the other way around and uses beacon data to collect data from customers with disabilities in order to improve their branch visit experience [17].

Smarter Decisions. Even though customer experience management is typically the first thing that comes to mind for service organizations, opportunities for internal optimization are also possible with big data. One potential target area might be human resources. HR or talent analytics is all about leveraging employee data to improve operational performance [18]. During our research, the importance of finding the right talent, especially for big data related positions, has been highlighted. Similarly, the collection of data and use of analytics to forecast future staffing needs or to improve employee satisfaction have been given as examples of internal big data analytics application.

Used internally, big data can also be used to uncover opportunities for better management of operational cost and risk. The pressure from ever-increasing demand on regulatory compliance was certainly mentioned several times by our interviewees. Other on-going projects include supporting the sales force team by uncovering opportunities for growth, and learning best practices from employees and sharing them with others for setting targets.

Innovation possibilities with big data require a colorful vision for the FS industry. As some of our experts mentioned, insurance and banking products are not the most exciting things to discuss, and they will be even less interesting in the future as these services are considered commodities more and more. To be able to get over this, FS institutions should get in real touch with their customers and see the industry from their perspectives – this seems to be a viable way for FS institutions to get out of the vicious cycle they seem to be in today.

[16] http://blog.beaconstac.com/2015/03/why-banks-are-betting-big-on-beacons/

[17] http://www.mobilecommercedaily.com/barclays-taps-beacons-to-streamline-bank-visits-for-disabled-customers

[18] http://www.forbes.com/sites/joshbersin/2013/10/07/big-data-in-human-resources-a-world-of-haves-and-have-nots/

Innovation appears to be the blind spot of the industry. It seems today, no awe-dropping

ways of harvesting value from big data is in action yet, and even the idea of innovation

with big data seems to be far away. The highly regulated nature of the industry, coupled

with the legacy and spaghetti systems that most institutions are bound to within seems to

be an innovation killer. One reason why this might be the case, as our experts also

emphasized, is that the industry cannot even think about innovation before they get their

-IT- house in order.

Threats The world is not all pink when it comes to using big data in FS industry. Most banks are

quite reluctant to do something with it yet still expect high competition due to it! Several

threats listed below may explain this conundrum.

One Big Scandal. This is all it takes to change public opinion about personal data collection and usage, and it does not even have to be in the FS sector to have an impact. News of a data breach or data misuse naturally creates negative reactions in consumers and also raises their suspicion and sensitivity towards sharing data. This may mean that organizations won’t be able to use the data they have been accumulating, which would of course put big data investments at risk. Most of our experts were convinced that they will not get second chances, and hence need to handle very delicately not only the strategy behind big data, but also the communication about it to their clients.

Over-regulation. FSI is one of the most highly regulated industries. In recent years, the demand for operational transparency and accessibility of years of historical data has been increasing. Naturally, this puts pressure on data management, and big data infrastructure becomes a topic of high importance. Next to the hardware and software cost necessary to handle this, the incompatibility of legacy systems, along with their criticality, is also a reason why financial services organizations are worried about the rising expectations from the regulatory bodies. Due to the above-mentioned challenges, the overall expectation is that this ‘over-regulation’ may block big data efforts.

Ethics and Privacy. Our financial services experts are obsessed with the ethical implications of big data analytics, and rightfully so, as how ethics and privacy are handled has a strong impact on an organization’s reputation. The extensiveness, scale and ease of big data analytics significantly change the ethical framework organizations operate within; financial institutions now have the possibility to combine data sources they did not even have access to before, and can run and take action on analytics faster than ever before. This implies that current legal and ethical guidelines do not apply anymore – big data analytics moves faster than the creation of new frameworks. This may imply that FS institutions need to create their own principles to operate in, especially on privacy. It is important to emphasize that privacy is not only about getting the consent of consumers while collecting their data, but also about transparency on how this data is being used and whether it is being shared with any third party organizations. It is as important to give them control over their own data, so that they can manage their preferences or stop participating anytime they wish to do so. Even though it may sound logical, this is not something most organizations are already doing, and it definitely may not be in their best interest, according to some of our interviewees.

New competition and unlikely partnerships may disrupt the industry, especially

through non-FSI organizations. With the advent of non-financial organizations taking minor

claims within the domain, such as payment or transfer services, it is expected that they

will disrupt the banking business and create an extra layer of burden for these institutions.

The challenge lies in the fact that, thanks to these new entrants, FS organizations are

facing the loss of data input streams. Being the slow and bureaucratic organizations they

are, this may lead to a situation where the small and agile new entrants become better at

understanding what the customers want and exploit the opportunity.

We have also started seeing partnerships, as simple as the one between a credit card company and a petrol company, building a business model around data sharing that leads to marketing campaigns and better customer segmentation. An interesting perspective shared by some of our interviewees implied the necessity of service innovation for banks, through partnerships. Banks sell commodity products, and with commodity products the only way to fight the above-mentioned non-FSI new competitors is to bring costs down, as income may not grow. The only way out is to differentiate via services and escape further commoditization. Hence, it is absolutely critical to create ‘win-win-win’ situations among the bank, the customer and third parties to enable possible differentiating services.

Technology focus. All the aforementioned threats and opportunities alike, directly or indirectly, imply the necessity of a significant restructuring and/or investment in IT. For most organizations, managing the high volumes and even the variety of data is no big deal. But for organizations that are interested in real-time analytics, big data’s velocity aspect can still be a technical challenge. Also faced with age-old legacy system complications, many organizations have the tendency to give priority to IT before anything else. This poses the challenge of over-investing, as it may create an unnecessary focus on technology over business case. Yet, as one of our interviewees mentioned, FS organizations should not even think of the IT aspect before regulatory issues and legacy problems are addressed.

Another IT-related challenge is data federation, which refers to aggregating data from disparate sources to be used for analytics. From a jurisdiction and legal framework perspective, keeping the data in a location where it actually can be used creates the challenge, because data sovereignty, which refers to the fact that data which has been converted and stored in digital form is subject to the laws of the country in which it is located, may show great differences among nations.

Lack of talent. All our experts agreed that finding skilled people to use the technology and data in the right way is a big challenge. Data scientists are still hard to come by. The hybrid role required by big data analytics takes business, statistics and computer science skills all in one, and may be filled more easily by training than by recruitment. One of the reasons behind this is the fact that academia is following industry a couple of years behind; only recently have degree programs been established in major universities to address this lack of data scientists. Besides finding the talent, positioning the talent is yet another challenge that some of our interviewees mentioned: where should the data scientists be located in the organization? Most organizations go back and forth between placing them in lines of business and in a centralized department, or any combination of the two. There are arguments for both set-ups, and organizations are challenged with finding the structure that best fits their approach.

Missing out on/not understanding possibilities might as well be the biggest challenge. Even though big data is now at the peak of the hype, there are still organizations that jump into the water before doing their homework. It takes serious strategizing for big data initiatives to deliver business value. And business value does not automatically follow from correlations, all of which should be taken with a grain of salt. Your data scientists may find many correlations in your data, but they do not necessarily imply causation. Without the right business experts who know how to interpret the results and what to look for in the first place, a big data initiative would be futile, and this kind of “not doing it right” would lead organizations to base their decisions on false conclusions. That is why a cross-disciplinary team of data scientists and business experts is the recommended big data team to get the best out of your initiative.

Our findings are in line with what recent industry research suggests, such as the top Big

Data challenges reported by Gartner in 2013 (see Figure 5).

Figure 5. Top Big Data Challenges. (Source: Gartner, 2013)

Conclusion: (R)evolution?

Is big data an evolution or a revolution?

Was it foreseeable where we are today? Most of our experts agreed so. It is suggested that the evolution continues; Big Data as a dominant concept won’t last long, and will rather leave its fame to its next leap: Big Analysis19.

There is no doubt that everyone recognizes its disruptive value as well as the potential

opportunities big data brings. Everyone also seems to agree on the fact that smart use of

big data is more relevant than any other aspect of it. Yet, there is an obvious inertia in the

financial services industry when it comes to taking action. Why? How come most of these

organizations are not more advanced?

What seems to be holding them back?

Our analysis of the interviews indicates that regulations definitely play a role. But the challenge of legacy systems and an overly conservative take on non-traditional use of big data seem to be the main contributing factors.

Especially for the banking industry, customers want to do business with smart institutions, no matter what. When you show your customers that you have surprising insights about them that even they were unaware of until you revealed them, they will put you in the smart bucket20. To get into that smart bucket, ecosystem thinking needs to become prominent and business models need to shift from product-focus towards service-focus.

According to futurists, there are three decision spaces in the world: knowns, known unknowns and unknown unknowns. Knowns are things that we know will happen as a matter of fact. Known unknowns are circumstances that we know are possible, but we are not sure whether they will actually take place or not. Unknown unknowns, on the other hand, are things that are not even considered at the time of decision making. In financial services, it is known that data-driven decision making and analytics are a must for sound strategic management. The industry’s known unknown is a complete overhaul of the business models, centered on big data. The complete digitalization of many businesses, the developments in FinTech and unexpected start-up entries from non-financial services industries are all signs of many more unknown unknowns to be ‘discovered’ soon enough.

The competition will be fierce. Financial services institutions will need all the help they can

get. So, it is time to re-evaluate your strategy around big data, embrace the disruption it

brings forth and select the right partner(s) to build your big data supply chain and collide

with competition head-on – may the most customer-obsessed organization win.

19 http://www.forbes.com/sites/michaelfertik/2015/06/15/big-data-was-the-beginning-what-comes-next/

20 May, T. (2009) “The New Know: Innovation Powered by Analytics,” Wiley.

Workshop report

Statements reported by Marion Dupire

Vlerick Business School

This section summarizes the content of the presentations and discussions of the 5th Vlerick

CFS21 regulatory workshop which took place on 19 January 2016 at Vlerick Business School

on the topic of protecting customer privacy in the financial sector.

30 experts participated in the workshop, from different horizons: regulatory authorities (Belgian Privacy Commission), financial institutions (Ageas, AGInsurance, Belfius, BNP Paribas Fortis, DegroofPetercam, Deutsche Bank, ING, KBC, Swift), financial association (Febelfin), consultants (KPMG, Price Waterhouse Coopers), lawyers (Allen & Overy, DLA Piper), FinTech platform (Eggsplore), academia (Vlerick Business School). The workshop was organized as follows. In a first part, Prof. Öykü Isik presented a summary of her state-of-the-art of data-driven financial services. In a second part, Patrick Van Eecke gave an overview of how to achieve legal compliance when financial institutions make use of big data. In a third part, Dieter Verhaeghe elaborated on the current concerns in the financial services industry with respect to the protection of customer privacy. Presentations were followed by a co-creation exercise where workshop participants were invited to think about innovative ways in which financial institutions can/should:

- Help the customer feel treated in a transparent manner
- Inform consumers with regard to data security, privacy and current legal frameworks
- Optimize direct marketing such that customers are not harassed by multiple communications at the same time
- Account for different sensitivities and cultural perceptions on data privacy

Introduction

Freddy Van den Spiegel, Professor at Vlerick Business School

If you want to grab the attention of bankers and insurers you only need to mention two things: big data and Fintech. Nobody knows either what these concepts exactly mean or what consequences they will provoke in the future. But everybody agrees that they are key strategic issues for the next decade.

21 Centre for Financial Services

This CFS workshop looks at one aspect of the big data/Fintech debate which is customer

protection. Our first speaker – Öykü Isik – presents the topic from a business angle, our

second speaker – Patrick Van Eecke – looks at the legal compliance issues, our third

speaker – Dieter Verhaeghe – deals with the authority point of view, all other workshop

participants are invited to share their views during a co-creation exercise.

Data-driven financial services: state of the art

Öykü Isik (Professor at Vlerick Business School)

Banks collect huge amounts of data. It is an opportunity for them to know the customer

better, but it also comes with a lot of challenges with regards to regulation and privacy.

Öykü Isik’s working paper (presented in the first part of this policy paper) summarizes

opportunities and challenges around this topic based on interviews with 20 experts of the

financial sector dealing with big data on a daily basis. The purpose of Öykü Isik’s workshop

presentation was to highlight the most important insights from her working paper and

connect it to the issue of privacy.

What is big data?

Gartner defines big data as 3V’s: “high Volume, high Velocity, and/or high Variety information assets that require new forms of processing to enable enhanced decision making, insight discovery and process optimization22.” Concerning the volume part, relevant hardware is necessary to deal with the huge quantity of data, but this is not an issue anymore. IT seems to be a relatively easy part to deal with in the financial sector. Velocity does not appear to be an important topic of attention either. In contrast, variety emerges as a very big issue for financial institutions. Banks are used to dealing with structured data, but making use of unstructured data is a lot more challenging. It also requires new software, capabilities and skills.

Now, we talk about 5V’s of big data, adding Veracity and Value. The concept of veracity is more than the data quality concept; it adds objectivity and trust: how reliable and how objective are your data sources? This has a lot of implications for data management in general. The ‘Value’ part implies that it is always a good idea to start with a general long-term plan rather than going project by project with a short-term vision.

Opportunities with big data

Investment in big data analytics is steadily growing. One important aspect of it is the distinction between correlation and causation. Over the past 10 years we observed that the number of Facebook users increased concomitantly with the yield on 10-year government bonds in Greece. Does that mean that Facebook was a driver of the Greek debt crisis? Overall it is important to identify meaningful correlations that could drive your business forward, but one should not confuse correlation with causation.

22 Laney, Douglas. "The Importance of 'Big Data': A Definition". Gartner. 21 June 2012. Accessed June 22, 2015.

The big data market is expected to grow steadily for at least the next 10 years. For financial

institutions it means innovation, in terms of business model and of customer experience.

Another opportunity emerges from the fact that a new group of customers is coming: the millennials. These are the people who are opening their first bank account and who show a very different consumer behaviour from other customer segments. They are very risk averse, and their understanding of privacy is completely different from ours: they do not associate social media with privacy a lot. Privacy is about their house, their family life, but not about their online profiles. This has a lot of implications for their purchasing behaviour; for instance, they use fewer credit cards.

Another opportunity with big data is collaboration with third party data providers, technology companies. That leads to data enrichment. Big data means pairing up internal data with open data from the government, with data from third party providers, with data connected to smart devices. One good example is Barclays using the Beacon technology. Barclays uses Beacon to learn, for instance, when a customer with a disability enters a branch, making it possible to see what kind of services would improve the branch experience for this customer. Big data is also useful for internal efficiency improvements. Two rather ignored opportunities in the financial sector are the use of big data for (1) HR and (2) auditing.

The value of big data

If we look at numbers, Facebook's total profit in 2011 was $1 billion; just a year later Facebook was valued at $104 billion on its IPO. The difference is only the value of a 1 billion user database. Eric Siegel (author of “Predictive analytics, the power to predict who will click, buy, lie or die”) estimated the value of data for one individual at USD 1.200; Viviane Reding (European Commissioner for Justice, Fundamental Rights and Citizenship) estimated the net worth of data of all Europeans at EUR 315 billion.

This tells us that all big data opportunities should come with a price and one should not

jump into it without considering several challenges.

Challenges with big data

One challenge is to make sure to avoid scandals, such as JPMorgan’s credit card hacking in 2014 or the Regin virus at Belgacom. These scandals constitute one important obstacle to the extensive use of big data analytics. Regulation is also a big pressure. New competition or unlikely partnerships impacting your own business is another challenge. Lack of talent is also an issue. Overall it is easy to overinvest in technology but the challenges are very important. It is important to experiment with new things.

Finally, ethics and privacy are probably the most important hurdle to the use of big data. Mark Zuckerberg stated in 2010 that privacy was not a social norm anymore. Privacy is indeed a concept that evolves over time. We know that privacy concern is the ultimate thing that helps people decide whether they are interested in sharing their personal information with other organizations. There are certain factors that impact our privacy concerns, including trust in the company and in online transactions, past privacy-invasion experience, and social awareness. Even more importantly, social norms, emotions and reputation rule everything. Transparency and perceived ability to control information are also very important aspects; it is about giving control to the customer over his/her data. Every individual inherently makes a calculus: we assess whether it is worth sharing our data given the expected benefits and associated risks.

Academic insights

Would customers be more willing to share their information if the company had more

transparent practices? The answer is ambiguous and refers to the privacy-

personalization paradox. Empirical research shows that people who want transparency

and control over their information are not eager to actually share their data. The paradox

is that the people who want more transparency and more control over their data are less

willing to be profiled online or to receive personalized advertising.

It is therefore better to focus on customers who are less privacy-sensitive. In 1991, we

saw the first example of consumer categorization based on privacy sensitivities by Alan

Westin. He grouped consumers in three categories: the privacy fundamentalists who are

very conservative, the pragmatic who assess benefits and costs, and the unconcerned who

are more willing to share their data. The fundamentalists are about 5% of the public, the

pragmatic are about 57% of the public and the unconcerned are about 18%.

Overall we know that uncertainty plays a big role: people are very uncertain about privacy policies. The assessment of benefits and risks is never straightforward because everything is context-dependent. We also know that there is malleability and influence with respect to privacy behaviours. One example is the default settings of Facebook profiles: people tend to think that these default settings are implicit suggestions from these organizations. But these suggestions are not necessarily in the best interest of the consumer; most of the time they are set in the best interest of the organization itself. People generally don’t check their default settings.

One final interesting concept is privacy-by-design developed in the 90s, referring to the

fact that privacy should not be something you worry about after you design and implement

a system, but it should be part of the system itself. Privacy-by-design has seven principles,

the most important one being ‘be proactive instead of reactive’.

Discussion with the audience

A question was raised from the audience on the privacy-by-design concept, asking whether

it has evolved a lot since its early development in the 90s. A positive answer was put

forward by Öykü Isik, based on a specific example called big data analytics sense-making

mechanism which consists in an analytics system taking into consideration the seven

principles of privacy-by-design. However, there are not a lot of other examples that exploit

this concept.

Freddy Van den Spiegel emphasized again the fact that banks have massive amounts of data; they know far more than Facebook. As soon as an individual has a bank account, the bank knows everything about his/her private life: travel, political ideas, diseases… With some good development tools you can deduce a lot of things from what the bank knows. The technological capacity to work with these data is there but there is still a kind of prohibition on banks to know what they know, which has always been considered as one of the pillars of democracy.

Öykü Isik added that there are indeed Chinese walls within the banks, also referred to as silos. However it is unclear whether banks actually know what they know. The access to information across the different silos is still a big question mark. There is also a thin line between what the institutions are legally allowed to do versus what is acceptable to do from an ethical, moral standpoint. This is also a more philosophical discussion.

The use of big data in the financial sector: achieving legal compliance

Patrick Van Eecke (Partner at DLA Piper law firm, Professor at University of Antwerp)

Big data projects are often approached in silos, either from the point of view of IT, lawyers, business or academia. However, big data is an inter-disciplinary issue and has to be considered with a holistic perspective from different angles, because if you don’t play it well, you may lose a competitive advantage, have legal troubles, or harm your reputation. Patrick Van Eecke’s presentation aimed at going through all legal challenges with big data projects, based on 20 years of practical experience with big data.

The financial services sector is sitting on a big pile of data. As a result, a lot of financial players are investing in data analytics. From a legal perspective, data is first about personal information: personal data protection has to be taken into account. Secondly, data is also power: you can build up an empire based on data analytics, and there you enter the field of competition law (antitrust, anticompetitive behaviour). Thirdly, data is global: we gather and store data on individuals in different locations, so local legislation has to be taken into consideration. Fourthly, data is becoming more and more critical for business activities, so corporations had better protect it with cybersecurity measures. Finally, data brings value to your business, and the legal question is who owns the data: data ownership also has to be considered.

Overall the legal hot spots are summarized in the figure below.

Source: Van Eecke, P., DLA Piper, Big data – how to achieve legal compliance

Two years ago, there were not so many hot spots to consider when dealing with big data. It was all focused on privacy and data protection. Now every 3 to 4 months a tile can be added to the above figure. Corporations and authorities are getting more and more enthusiastic about big data. It can be looked at from a privacy perspective, or from a consumer protection view, or from a competition authority angle… All kinds of regulatory authorities are looking at it all over the world.

In contrast, people who deal with big data very often do not work in an interdisciplinary way. What happened to ING Netherlands is a good example of this. ING very enthusiastically stated in a financial journal how they would analyse data on customers’ transactions and sell it to third parties. ING was then unpleasantly surprised that customers and journalists were actually very upset about this statement. They did not expect such bad publicity. In this specific case it seems that the compliance team was not involved, leading to unfortunate consequences.

Data protection legislation

For more than 20 years we have had data protection legislation in Europe, and this will stay. New legislation will even be adopted in the next few weeks. The European regulation is going to replace the current rules that we have had for more than 20 years. Privacy-by-design is literally imposed in that new regulation. Whether you like it or not, you now need to implement privacy-by-design in your organization; it now becomes an obligation.

One concern from a data protection perspective is that corporations process data in

aggregate and argue that this is different from processing personal data. But from a legal

perspective it does not matter, connecting personal data and performing analytics on it is

personal data processing.

Another concern is the fact that corporations anonymise data. Corporations claim that by

anonymising the data it does not qualify any longer as personal data. Data protection

authorities are however concerned that in many cases it is not real anonymization in the

sense of the data protection legislation. As long as there is a possibility to decrypt

anonymous data and identify individuals with statistical tools, it is still personal data.

Anonymization in the sense of data protection legislation needs to be tackled carefully with

a compliance team.

E-privacy

Another piece of European legislation deals with E-privacy: tracking information, use of

cookies… Barclays using Beacon is a typical example of geolocalisation technologies. One

should realise that this is also covered by the European privacy legislation. These rules

should be taken into account. Fines do happen as we have seen with the example of

Europcar fined £45000 for using GPS to track luxury cars hired out to wealthy customers.

Sector legislation

On top of horizontal legislation such as E-privacy and data protection, we have sector-specific laws. The financial sector is heavily regulated. For example, the use of credit card information to build customer profiles may infringe the consumer credit legislation, which clearly states that (1) personal data collected by financial institutions can only be processed for specific purposes, (2) only a few types of data can be collected, and (3) it is prohibited to use the data collected within the credit relationship for direct marketing or prospection purposes. The legislation also requires information to be deleted when it is no longer justified.

Anti-discrimination

The Gender Act prohibits discrimination based on gender. The Racism Act prohibits

discrimination based on nationality, racial identity, skin colour, ancestry and national or

ethnic origin. The Anti-discrimination Act prohibits discrimination on the grounds of age,

sexual orientation, marital status, family background… etc. However that is exactly the

kind of information that big data projects are looking for. It is possible to use these data

but it is crucial to make sure that the framework of anti-discrimination is taken into

consideration. Authorities pay particular attention to discriminatory pricing for example.

Competition

“Big data is the new currency of the Internet” as stated by the EU Commissioner for Competition. Big data and competition law interact with each other on three axes: (1) abuse of dominant position, (2) vendor lock-in, (3) price fixing. On the first axis, firms cannot use big data to gain an anti-competitive advantage. On the second axis, customers should not feel locked in with one service provider because they do not know how to transfer all their information. The future data protection legislation, apart from privacy-by-design, will introduce the data portability right. It is not clear how this will be put in practice but end-users will have the right to have their datasets transferred to another service provider.

Cloud

Most big data projects are linked to putting data in a cloud, involving many legal issues. One word of warning is that most big data projects start with proofs of concept, which are very often done by people not applying the company rules. For example, they would take an archive set of data and put it in Dropbox. Attention should be paid to this kind of practice, making sure that company rules are being applied.

Cybersecurity

The more data you gather, the more it puts you at risk. The NIS (Network and Information Security) directive of the European Parliament obliges Member States:

- to adopt a NIS strategy and to set up a NIS Authority;
- to designate National Computer Emergency Response Teams (CERT);
- to cooperate with other Member States and the Commission to share early warnings on risks and incidents.

It also obliges public administrations and certain "market operators":

- to adopt risk management practices;
- to report major security incidents on their core services.

Data ownership

Before starting a big data project and entering into a partnership with a third party, it is

important to make clear who will own the result, who will have the right to use the data.

Discussions may arise on ownership of the source data, the aggregated data, the analytic

models built, …etc. Intellectual property rights and data protection rights are very often

used as arguments for claiming or disputing ownership of data. We see in the market that

many industry organisations (automotive, farming, pharma, …etc.) are currently drafting

their own big data codes of conduct.

Ethical issues and concluding remark

You can be fully compliant with legislation and still run a reputational risk. Ethical

discussions need to take place, making sure that the organization clarifies how its big data

strategy should be structured: how much data do we want to collect? What is our risk

profile? A balance between legal and ethical aspects has to be figured out. This type of

initiative would be very welcome in the financial services sector, providing some kind of

charter on the use of big data in financial services.

Discussion with the audience

One remark was made from the audience that, looking at all these legal aspects, it does

not seem feasible anymore to exploit big data in the financial sector because there are too

many constraints. Patrick Van Eecke explained that he did not see it as unfeasible to exploit


big data in the financial sector. However his view is that the enthusiasm for big data has

to be tempered. “From a technical and organizational perspective the sky is the limit, and

it is frustrating to say that you can’t go to the sky because you may end up with legal or

reputational issues. But that does not mean that you can’t do anything.”

Freddy Van Den Spiegel emphasized that legal challenges will reduce the

capacity to practically implement big data projects in Europe. He asked Patrick Van Eecke

whether he saw a fundamental difference of approach with the US. One major

difference mentioned by Patrick Van Eecke is that in the US they do not have the holistic

horizontal legislation on privacy and data protection, which is one of the big inhibitors in

Europe. Nevertheless, the White House recently issued a white paper on big data and

consumer protection, and they come to the same conclusion that it is not acceptable to

collect data for purpose A and re-use it for purpose B, C and D without being transparent

about it, and without asking for prior consent. Another thing is that American

organizations, as well as Asian organizations, do not have this immediate reflex to take

into account privacy protection. The products and services they provide on the market do

not consider privacy-by-design yet.

Another question was raised on the controversial aspect of big data, given that legislation

will change. Should lobby organizations from business users intervene to make sure that

regulators are not going too far on something that is so important for the business going

forward? According to Patrick Van Eecke, the data protection regulation will go into the

history of policy making as the most lobbied piece of European legislation, and it may even

have reached a stage where it has an adverse effect. The representatives of the European

Parliament have felt that it was starting to become a symbolic discussion. Having too

intense lobbying campaigns may have adverse effects.

Another point of discussion was about the feasibility of a scenario in which technology

companies and banks work together with the regulator to test the boundaries of where

they can go before launching a big data project, in a kind of lab environment. In the

experience of Patrick Van Eecke, this looks feasible. Data protection authorities indeed

appear very interested in knowing the latest technological developments.

Protecting customer privacy: current concerns in the financial industry

Dieter Verhaeghe (Legal Advisor Belgian Privacy Commission)

When starting a big data project, what are the main points of attention to reduce

reputational and non-compliance risks?


Concern 1: Lack of attention for increased surveillance by financial industry in the general interest in the light of privacy protection and not only data protection

First of all, it is important to distinguish ‘privacy’ from ‘data protection’. Both are indeed

subject to different rules, the Belgian Privacy Commission actually being a data protection

commission. When developing a big data project, it is important to look at both types of

rules. It is often the case that only the data protection law is considered, while ignoring

specific surveillance issues that are raised in the privacy jurisprudence of the European

Court of Human Rights. There are a lot of opportunities with big data which also come with

risks and threats. Big data technologies can sometimes be perceived as surveillance. It is

therefore interesting to consider the privacy perspective, in parallel to compliance with

data protection law.

In the privacy perspective, the main challenge is to convince the regulator that a big data

project properly assesses whether there are surveillance issues or not, and whether a

distinction is respected between what is in the general interest and what is in the

commercial interest. Financial institutions are between two fires. On the one hand you

have an obligation to store more data in the general interest (know your customer,

customer due diligence, extended consumer credit registration, “fraud” detection…), on

the other hand there are the proportionality and data minimisation requirements in the

privacy and data protection laws. Once you have found the right balance, it is important

to make the data processing transparent to the regulator.

Overall there is increased secret surveillance by the government and the private sector.

This is not limited to the financial sector, but more recently also extends to the telecom sector and

probably soon to the media sector. In the telecom sector, we have seen an annulment of

the data retention directive (aimed at the fight against serious crime) by the European Court of

Justice (ECJ) in the Digital Rights Ireland case of 8 April 2014. The European anti-money

laundering laws currently oblige the financial sector to go way further than the telecom

sector in terms of data storage. The question is therefore whether the same logic will be

applied by the ECJ in the interpretation of the proportionality requirement. This is an open

question at the moment.

Concern 2: Lack of neutrality of purely economic perspective vs. perspective of EU legislator and data protection authorities

A lot of studies emphasize the big data opportunities. However, a balancing exercise needs

to be done, focusing not only on the positive aspects but also on the privacy impact and

the risks for the data subjects. The risk is that big data projects are only based on the data

protection legitimacy grounds of “consent” and “legitimate interest”, while ignoring the

conditions for these legitimacy grounds and/or the necessary privacy and data protection

safeguards. The traditional practice of simply accepting terms and conditions is not

an acceptable way to provide valid consent. In the data protection regulation (“GDPR”) the

notion of consent becomes stricter. Changing terms and conditions indeed does not

leave room for negotiation by the client; the consent is not free when only the data


controller decides whether the data will be processed or not. The legal notion of consent

in the data protection law implies also that the consent has to be specific; including a

consent clause in the general terms and conditions is not enough.

The risk involved in the use of big data technology by governments has been described in

the literature as the “Titanic Phenomenon” (Solove, D.). Sometimes you have a Plan A

technology, but the focus should also be on a Plan B: what if it goes wrong? The General

Data Protection Regulation (GDPR) helps in that domain. GDPR provides for new

obligations and principles such as “privacy impact assessment” and accountability. These

new elements could be seen as opportunities to prepare big data projects and ensure more

compliance. Institutions that have made their own Privacy Impact Assessment (PIA), that

have their data protection office(r), and are transparent about their processing operations,

have an advantage in providing an adequate level of privacy and data protection.

Concern 3: Transparency

Often, a distinction is not made between the privacy requirement to be transparent about

privacy infringements, and the obligation to inform under the data protection laws. If the

data controller invokes an exception to the obligation to inform the data subject, this does not affect the

requirement for the law to be clear and foreseeable.

The recent financial laws at European level still lack reference to the new PIA requirement

of the GDPR. Even though the European Commission has included references to the data

protection Directive 95/46/EC in its recent financial directives (AML, Payment Services),

those directives often lack substantive provisions to adequately protect privacy and

personal data as requested by the EDPS[1]. At the national level the privacy impact of

financial laws is often not investigated. For instance, since 1993, the Belgian Privacy

Commission has not received a single formal request to provide a direct formal, public

advice on the anti-money laundering law of 1993. While the financial laws remain vague,

the business often feels caught in the middle between compliance with financial laws and the

obligation to respect privacy and data protection laws. On the level of institutions, a lack

of transparency exists towards the privacy commissions and towards the general public on

high risk data operations such as big data projects, fraud risk assessments, profiling

operations, data mining, “conflict of interest” investigation of private life functions of

certain employees,…

Concern 4: User control

What institution today offers a clear and full access to clients’ profiles? Yet more and more

services are developed on profiles but most people do not know what it means. Notice and

consent don’t work well, general terms and conditions are not always read/understood.

There are very few examples of institutions being transparent towards their clients on their

profiles. In the Anglo-Saxon countries, there is a clear discussion on the requirement for

transparency of the predictive analysis linked to the use of profiles (credit scores) used by

credit reference agencies. In Europe there is still a lack of clarity related to the question of

(il)legality of the use of private risk indicators to predict consumer behaviour and/or to


take decisions based on that method. This is in the light of the prohibition in the data

protection law on working (solely) with automated individual decisions (including profiling)

that affect data subjects legally or significantly.

One example of a transparency/user control concern is Facebook’s

“Like” button. According to a recent investigation by the Belgian data protection

commission, this button is a spy technology that is also applied to non-clients of Facebook.

It therefore has to be used only with a clear warning to the data subjects.

Another concern in the financial sector is the fact that clients’ risk profiles are often built

based on predictive correlation rather than causation mechanism (e.g. you have been in

default in the past, so you will be in default in the future). Are clients ready to be judged

based on a correlation basis and not on a cause basis? Are institutions transparent about

this? Does our law provide a clear basis for such form of processing operations? In the US

there is a different legal environment where there is more room for correlation based

automated decision making. It is still not clear under what conditions this kind of decision

making can be made legally acceptable in Europe. Substantial legal and cultural

differences need to be taken into consideration before any model is transposed in the EU.

Concern 5: Purpose limitation

There is a real challenge to guarantee that institutions are only working in the general

interest, when implementing European directives such as AML or PSD instead of only or

mainly in their individual commercial interest. In the future it will be required under the

accountability principle and the privacy impact assessment requirement of the GDPR that

data protection policies will provide more attention to this question. When you store data,

do you do it in a central database? Do you do it with your compliance team? This is still

not very transparent.

The Schrems case before the Court of Justice shows that there is also a potential issue with

transferring personal data internationally to zones without adequate data protection such

as the US. As a result, the European Commission recently made a political announcement

in the form of the EU-US privacy shield [23].

Also, instead of using cloud based solutions or services that rely on data storage in zones

without adequate data protection (in the meaning of Directive 95/46/EC), more and more

data controllers now start to investigate the necessity to use storage solutions within the

EU, with adequate data protection guarantees. Nevertheless this is a difficult and ongoing

exercise.

[23] http://europa.eu/rapid/press-release_IP-16-433_en.htm


Concern 6: Data security

In the telecom sector, there is an obligation to notify any data breach to the

Belgian Privacy Commission and the BIPT [24]. In the financial sector it is currently possible

to notify data breaches to the Privacy Commission. For the moment this possibility is not

used in practice. It may be because there are no data breaches in the financial sector, or

the possibility is not known, or institutions are afraid of making such notifications.

However, this possibility for the financial sector will become an obligation in 2018, when

the GDPR will have to be applied.

Finally, an important point of attention is how much reliance is given to third party

solutions, for instance in the use of security software provided by firms established in

zones without adequate data protection. Some providers have a totally different approach

to data protection, and/or approaches that are not up to date with the latest developments

under the jurisprudence of the Court of Justice and/or the GDPR. They may be very good

at security but some typical European data protection issues would not readily be seen

as an issue.

Q&As

A question was raised from the audience on whether the creation of a European Data

Protection Authority would be a nightmare, a dream or just an illusion. Dieter Verhaeghe

recalled that we already have a European Data Protection Supervisor, whose scope covers

all institutions in Europe. However big data issues actually go even broader than the EU,

so there is an opportunity under the GDPR for the development of more coordinated

supervision.

Co-creation exercise

During the co-creation, participants were invited to discuss in small groups innovative

ways in which Financial Services Institutions can or should -1- help the customer feel

treated in a transparent manner, -2- inform consumers with regards to data security,

privacy and legal frameworks, -3- optimize direct marketing such that customers are not

harassed by multiple communications at the same time, -4- account for different

sensitivities and cultural perceptions on data privacy. The output of this exercise is

summarized hereafter in figure 6 and in the upcoming paragraphs.

Help the customer feel treated in a transparent manner

In the view of workshop participants, it is important to be transparent on the use of

customer data, but the language must be appropriate with few legal terms. One

recommendation is not to provide detailed information in ‘cascade’ but rather provide a

summary first and give the customer the opportunity to go to details later on. More

importantly, “do what you say, say what you do as well as what you don’t do”. This will

give more trust to the client.

[24] Belgian Institute for Postal services and Telecommunications

Trust and confidence are built by the transparency towards clients but also from the client

to the institution: to obtain a good relationship between both the client and the financial

institution, transparency should take place on both sides. Then, the financial institution

should be open on multiple levels: general data is communicated on the website and in

the annual reports on the one hand, more specific data is communicated in the one-on-

one relationship on the other hand. Nevertheless, some clients may be reluctant to go

further into the relationship with the bank if the bank puts a lot of emphasis on all the different

purposes for which their data is being used. Therefore it can be a good idea that the

financial institution highlights what they will NOT do with the data: if the data will not be

shared with third parties, it is worth mentioning it.

Inform consumers with regards to data security, privacy and legal frameworks

According to the group who discussed how to better inform consumers, the first point was

again that financial institutions should be transparent on the way in which they use

customer data but they should do it in a ‘less legal’ way, using icons for example. The

icons could signal different things such as whether you sell data to third parties, or how

far you go with the data you collect. Data legislation is too complex; it is important to make

it easier to digest with a summary or a video for example.

Secondly, privacy should be seen as a competitive advantage, it should not be a negative

thing.

Thirdly, there is sometimes a kind of pressure to accept terms and privacy conditions.

Customers have about 10 seconds to read and accept a big pile of documents. One

recommendation is to give the documents upfront to potential customers so that they have

the necessary time to go over it and to ask questions if necessary.

A fourth idea is to have a dashboard on what data is collected and how it is used. Customers

might be willing to give out certain data if they know what it is used for.

Fifth, building a risk profile is important, defining the degree of customer risk aversion so

that it is possible to know if a customer wants to share as little data as possible. And

on the other hand, when a customer is willing to share more information, it is good to

define what that person will obtain in return.

Optimize direct marketing such that customers are not harassed by multiple communications at the same time

One group discussed how to optimize direct marketing. Is direct marketing really an issue

for all types of customers? And is this a marketing/communication issue or is it more a


data management issue? According to this group, it was unclear whether giving access to

consumers to all information related to how data is used would necessarily be a solution.

What was clear though is that it would have big implications in terms of organizing and

managing the data.

The discussion is not only about the content of the communication but also on the timing

and frequency. One recommendation is to give the customer the possibility to choose

not only the content but also the timing. Also from a marketing perspective, customers

should be able to choose what marketing content they want to see but there has to be

flexibility in this process so that they do not miss other opportunities.

It can be a good idea to create a customer-led profile that different banks can view, and

to offer analytics possibilities based on external soft data. Overall the target should always

be to have more relevant and less frequent communications, optimization being the main

goal.

Account for different sensitivities and cultural perceptions on data privacy

First, the legal framework is actually a reflection of a society and a culture, as emphasized by

the group who focused on this topic. There is a big difference of sensitivity between the

US and the EU and it is important not to disconnect legal and ethical issues. Also within

Europe, there are big differences of sensitivities such as between the UK and Germany for

instance. Overall there is a growing awareness about privacy and the value of data all over

the world.

Second, one recommendation is to have differentiated opt-out policies giving choice to the

customer. Sharing a profile back to the customer is a good idea but not always feasible.

Third, data is the new call and people are becoming more aware of the fact that their data

is being used for economic purposes by digital companies. As a result, banks might benefit

from becoming a trusted partner for data matters. They could also become a trusted

intermediary between the consumer and third party suppliers. There are all kinds of

implications concerning the different scenarios which could emerge from this, for instance

related to the right to be forgotten. Nevertheless, this could be an interesting way to value

big data in the financial sector.


Figure 6: Co-creation exercise output

Small-group discussions: innovative ways in which financial institutions can/should:

Optimize direct marketing

- Giving access to consumers
- Implications? Data management and organization
- NOT transparency BUT communication control
- Give control to customer
- Give the choice on what info he will have access to
- “marketing” discussion provide control
- Still flexibility needs to be embedded
- “Moment of interaction” is also relevant
- Customer-led creation of a ‘profile’
- More relevance and less frequency

Help the customer feel treated in a transparent manner

- Language no legal terms
- Cascaded info summary to details
- Say what you don’t do
- Advice for both institutions and client – TRUST and CONFIDENCE
- Be open at multiple levels
- Should we be open to everyone?

Account for different sensitivities and cultural perceptions on data privacy

- (1) Legal framework reflects society: UK vs. Europe vs. rest of the world; UK vs. Germany; European model
- (2) Differentiated opt-out policy (cookies)/Dashboard; Sharing profile (technical)
- (3) Bank from trusted provider of financial services to data
- (4) Right to be forgotten

Inform consumers with regards to data security, privacy and legal frameworks

- Use of icons
- Do you sell data to a 3rd party?
- Complexity (summary/video)
- See privacy as a competitive advantage
- More time upfront to read policies
- Dashboard: my data, where is it used for?
- “Risk profile” for personal data
- Positive: what can we do for you when you provide data?