With the EU General Data Protection Regulation (GDPR) taking effect in the UK from May 25, 2018, it’s no surprise that the financial services sector has seen data protection driven up the agenda at banks and insurance providers. But what impact are data privacy auditing and compliance issues having on the broader financial services ecosystem?
While GDPR dominates the data privacy regulation headlines, it’s not the only acronym in town. The revised Payment Services Directive (PSD2) was passed by the Council of the European Union on November 16, 2015 giving member states two years to incorporate the directive into national regulatory regimes, to improve protection of consumers when they pay online. As such, some within the broader financial services ecosystem have seen a growing tension between GDPR and PSD2.
“Many financial institutions are embracing PSD2 and ‘open banking’ as a way of improving customer service, and to compete more effectively on price,” says Peter Ryan, a GDPR specialist with financial software vendor Temenos. “But with up to 4 per cent of global turnover or €20 million as a penalty, financial service companies are also taking a whole raft of measures which is having a knock-on effect on the way systems, processes and partnerships are delivered,” he says.
John Culkin, director of information management at Crown Records Management, agrees that the main change in data privacy regulation is from a reactive to a proactive emphasis. “While it used to be the case that businesses were required to protect data, there was not an explicit requirement for them to be overt about what they were using the data for,” Mr Culkin explains. Unless the issue was major, privacy breaches all too often went unreported as a result. “The new world requires businesses to practise privacy by design, be open and transparent with the data they have, and what it is going to be used it for,” he says.
Which is a good thing, for the consumer at least; but what about for the financial services providers themselves? That regulators have finally not only got teeth, but razor-sharp ones, has not gone unnoticed by the sector. “Businesses are now scrambling to put in processes and technology so they can care for any personal identifiable information appropriately, and be seen as taking data security seriously or risk punitive punishment,” says Iain Chidgey, vice president of international at Delphix.
This isn’t just about the banks and other financial services companies either; the broader ecosystem that encompasses third-party vendors and partners will also feel the impact of such regulation. So just how transformative and costly will the compliance process be?
With the financial services ecosystem arguably one of the most intricate networks of partners and third parties, vast amounts of data are generated and moved around
With the financial services ecosystem arguably one of the most intricate networks of partners and third parties, reliant on each other to make trades and financial deals happen almost instantaneously, vast amounts of data are generated and moved around.
“The impact of GDPR will be hugely transformational,” says Gordon Wilson, chief executive at financial software and services provider Advanced. “The pressure each financial services organisation faces is about needing to be assured that everyone in the supply chain complies with the legislation. Otherwise everyone can be liable legally and financially, as well as held accountable to the significant risk to brand reputation.”
This will, inevitably, come at a cost in both monetary and systems complexity terms. The upside, says Steven Hargreaves, UK head of capital markets with CAPCO, is that having full GDPR compliance will advance an organisation’s security posture. “Compliance will help in identifying both insider and external data breaches, and subsequent investigations, as data should be available immediately along with usage information and data flows,” he says.
Security posturing is a bonus, but the real issue for financial services organisations and their supply chain is achieving a single view of a customer across all service offerings. “Organisations will need to ensure they know where personal data is being processed in their supply chain, and that those providing services on their behalf will be able to identify breaches quickly and report them,” warns Stephen Bailey, executive principal consultant at NCC Group.
This may be easier said than done in some parts of that supply chain. Take the call centre, for example, which is more often than not an outsourced operation. Ensuring that data handled here is stored properly and made available to legitimate customers upon request sounds like a straightforward requirement. Yet Andrew Lilley, director of sales and engineering, for Europe, the Middle East and Africa, at fraud detection company Pindrop, says: “Call centres are often neglected in protecting against data breaches and so it’s fraught with risk.”
He has a very good point because in the GDPR world view, data protection must be incorporated into the core of all business procedures, products and services across all channels. Not only that, Mr Lilley concludes, but “all employees will have to be aware of their obligation to protect consumer data across channels including the phone”.
So, the principles behind GDPR are not easy to argue with as everyone wants, or wants to be seen as caring about, data privacy in this age of increasingly more data-aware consumers.
Once buffered up next to the inarguable complexity of the financial services ecosystem, the practical implementation becomes a mountainous challenge that isn’t going to be easy to climb.
All employees will have to be aware of their obligation to protect consumer data across channels including the phone
Mr Culkin nods in the direction of huge amounts of money already having been spent on the likes of the master data management concept, a single source of truth that was never quite fully implemented in real-world scenarios. Or how about another concept, that of know your customer that saw organisations invest in gathering personally identifiable information, which eventually proliferated out of control, courtesy of departments and functions morphing in unexpected ways and data ending up in organisational silos?
“GDPR will be transformative in that it puts the customers back at the centre and in control,” Mr Culkin insists, “but the downside for companies is they have to be able to find the right data, ensure it is accurate, portable or even be able to delete it, all while meeting other regulatory requirements.” The biggest challenge, however, is not a technical one as the technologies already exist in abundance. “The challenge is understanding the business and the processes within it, along with how people interact with information,” he adds.
And if that sounds like one big headache in the making, that’s because it is. But the end-game has to be compliance and that should deliver better services.
“Yes, this will be transformative, but in a good way,” says Sue MacLure, head of data at customer engagement agency PSONA. Her argument being that while we know the cost implications of getting it wrong will speak to the driver at the heart of financial services brands – bottom-line performance – we don’t know the potential brand implications of getting it wrong.
Financial services aren’t traditionally very good at knowing what getting it wrong looks like, says Ms MacLure, and having multiple vendors and partners makes it harder to control brand perception. “Especially when those relationships are not all owned centrally and will need a single version of operating processes,” she says. There will inevitably be more pressure to identify either one source of “data truth” or at least one central source of “process truth”. “Either way, in a very regulated world, it layers in a new degree of demonstrable scrutiny and extends it to the less regulated parts of the business,” Ms MacLure concludes.