Vlerick Policy Paper Series
No. 5
PROTECTING CUSTOMER PRIVACY
IN THE FINANCIAL SECTOR
Abstract: With increased digitization of the financial sector come the issues of data
protection and customer privacy. Banks collect huge amounts of data on individuals,
notably from bank accounts, credit card transactions or mobile banking. On the one hand
the use of big data in the financial sector is a wonderful opportunity to better respond to
customer needs. The biggest hurdle on the other hand is customer privacy and data
protection. How can financial institutions most efficiently deal with customer privacy when
making use of digital technologies? How should they deal with the issue of privacy given
the current context where rebuilding trust is a key challenge? These are the main questions
addressed in this policy paper, which consists of two parts. The first part is a contribution by
Prof. Öykü Isik presenting the state of the art of data-driven financial services. The second part
is the report of a Vlerick regulatory workshop dedicated to the topic gathering
representatives from different horizons within the financial sector including regulatory
authorities, banks, insurance companies, financial associations, consulting companies, law
firms. The second part of the paper provides a detailed overview of workshop
presentations, discussions, and co-creation exercise.
Protecting customer privacy
in the financial sector
Vlerick Policy Paper Series 5, March 2016
Content:
1. Data-driven Financial Services: State of the Art
by Prof. Öykü Isik
2. Workshop report
Report of the 5th Vlerick Regulatory Workshop on Customer protection
by Marion Dupire
Data-driven Financial Services: State of the Art
Pr. Öykü Isik
Vlerick Business School
Information about money has become almost as important as the money itself, as Walter
Wriston, the former CEO of Citibank, said in 1984¹. After 30 years, we can confidently say
that his predictions have come true, adding technology to the equation.
The word of the day is ‘big data,’ that is, seeking intelligence from data in order to create
business advantage. The buzzword has been keeping us busy for a while now, with data even
being discussed as a “critical new form of economic currency,” which can be as potent as
money or oil. We come across something new every day, such as how big data is
transforming the healthcare industry by making it possible to tailor medicines to an
individual’s unique genetic blueprint by combining it with their lifestyle and environment
data, and then comparing it with other people’s to predict illness and determine the best
treatment². Or how UK Premier League soccer team Arsenal is changing sports
management by analyzing the big data collected from 8 cameras installed around its
stadium to track every player and their interactions: 10 data points per second for every
player, or 1.4 million data points per game³. All these examples, along with several recent
studies conducted by research institutions, point to continued excitement and a growing
Big Data market. For instance Wikibon, a community of business technology practitioners
founded to deliver actionable information and forecasts, predicts that the Big Data market
will attain a 17% annual growth rate for the period up to 2026 (see Figure 1).
1 Wriston, Walter B. “The Citi of Tomorrow: Today (March 7, 1984),” The Walter B. Wriston Papers: 1918 – 2006. Tufts University Digital Library, 2007.
2 For more details, see http://www.forbes.com/sites/bernardmarr/2015/04/21/how-big-data-is-changing-healthcare/2/
3 For more details, see http://www.forbes.com/sites/bernardmarr/2015/03/25/big-data-the-winning-formula-in-sports/
The “big data revolution” has not left the financial services (FS) industry untouched, of
course. The stories are plenty; we have heard the good⁴, the bad⁵, and the ugly⁶. Yet, big
data does not seem to have had a revolutionary effect on the industry itself just yet; traditional
financial firms mostly persist with their traditional business models. The FS industry may not
be the front runner in adopting or innovating with analytics or big data, yet
undoubtedly it remains one of the top industries with a high potential for change
or for being disrupted by the newness big data brings. When you add the fast-changing
consumer profiles and behavior, it is not surprising to see several start-ups (with no FS
experience) with unique business models emerging in the financial services industry,
aiming to meet those changing consumer expectations. These developments indicate only
one thing: more turbulence ahead.
Figure 1. Big Data Market Forecast 2011 – 2026 (Source: Wikibon)
To paint the current picture of the FS industry and to understand the expectations and worries,
we started this research. By interviewing 20 experts, both from academia (4) and industry
(16), who are immersed in the FS industry yet work with big data on a daily basis, we
collected further insight as to where this trend might be leading. Most of the experienced
people we talked to started in a technical role in their respective organizations, even
though they now represent business functions.
4 “Big Data lessons from the bank industry … and toothbrushes” http://www.inma.org/blogs/big-data-for-news-publishers/post.cfm/big-data-lessons-from-the-bank-industry-and-toothbrushes#ixzz3eoF68pvt
5 “Big Data Failures Owe More To Business Culture Than Technology” http://readwrite.com/2015/02/09/big-data-failure-blame-corporate-culture
6 “ING Plan to Share Customer Payment Data Spurs Privacy Concerns.” http://www.bloomberg.com/news/articles/2014-03-10/ing-plan-to-share-customer-payment-data-spurs-privacy-concerns
It seems that several experimental units, sometimes within IT and sometimes in business,
were given the mandate to prove the value of big data for the organization. Even though
there are several different maturity levels, all organizations our experts represent are
currently involved in one or more big data projects.
First, the Definitions
In order to set the stage for discussion, it is important that we start with the terminology.
Especially when it comes to big data, it is easy to come across several different definitions,
all emphasizing a different aspect of the phenomenon.
Gartner defines big data as “high volume, high velocity, and/or high variety information
assets that require new forms of processing to enable enhanced decision making, insight
discovery and process optimization.”⁷ Initially introduced in 2001 by Doug Laney, now a
Gartner VP of analytics and big data, this definition led to the commonly cited ‘3 V’s’ of
big data (volume, velocity and variety). Yet another V, standing for ‘Veracity’, is now being
added to the definition by some organizations, to emphasize the importance of data
integrity and the ability to trust the data while taking crucial business decisions⁸.
The (dis)agreement on the definition
During our interviews, it was interesting to observe that the age-old discussion around
what big data really is, is still alive and well. Yet, every institution seems to differentiate
its perspective by focusing on one of the V’s of big data, still mostly the volume
aspect. According to our interviewees, big data is about volume more than anything; when
asked for clarification, most of them referred to data sets that can no longer be easily
managed or analyzed with traditional data management tools, methods and
infrastructures⁹. For instance, volume, as the number of lines in a database, in the form
of quantitative, structured data, has already been a point of attention for some of the
institutions.
7 Laney, Douglas. "The Importance of 'Big Data': A Definition". Gartner. 21 June 2012. Accessed June 22, 2015.
8 “What is Big Data?” Villanova University. Accessed June 22, 2015.
9 Rogers, S. (2011) “Big Data is Scaling BI and Analytics,” Information Management. September/October. Accessed June 23, 2015.
Figure 2. Big Data defined (Adapted from IBM Smarter Business 2013)
Several times the discussion revolved around the variety element; what is new for most
of the organizations is the assortment of data potentially flowing into the enterprise
systems. Most organizations are no longer limited to structured data analysis. The
world of external data actually involves more unstructured data than structured. Yet, this
requires a data processing approach that is completely different from the traditional
approaches. Thankfully, there are now tools and techniques that make it possible to
analyze unstructured data such as e-mails, social media updates, even audio files.
Interestingly, the V of velocity did not make the highlights in our interviews. After
confronting several of our experts with this, it became clear that real-time data flow, let
alone real-time analysis of it, is not deemed necessary in the sector, and also not
applicable. Yet, when it comes to fraud detection, real-time data can be very insightful.
The Capital One example of how they monitor amounts even less than a dollar and can
take action on analytics results in less than five minutes is as impressive as it gets (see
footnote 12 for more).
The only ‘V’ that matters
According to a few interviewees, there is more to big data than the 3 V’s. By suggesting yet
another V, of Value, to add to the definition, they emphasized the benefits that can potentially
be extracted from big data. This is also expressed by referring to the phenomenon
as ‘smart data’ rather than big data, highlighting the fact that a brute force strategy, that
is trying to collect and analyze all the data they can get their hands on, rarely makes
sense. What makes sense is being smart about data collection strategies and being mindful
of the analytics that follows.
Separating Reality from Hype
When confronted with the question ‘real or hype?’ our interviewees found a bit of both in
big data. There is certainly exaggeration in the excitement surrounding the topic, but how
to extract value out of the data is the real phenomenon.
[Figure text: Valuable Data: data transformed into value (e.g. cost reductions, innovation…) through actionable analytics]
Everyone agrees that media is feeding into the big data frenzy. Initially abundant with
articles promoting the promise of big data, more recently the market started talking about
do’s and don’ts of big data analytics. And that’s where the core of the big data phenomenon
gets separated from the hype. In whatever form, shape, or volume the data might be, bad
analysis of big data will bring only useless or misleading insights. Thus, in reality, most of
the discussion surrounding big data is actually about analytics. But, as many of our experts
confirm, there is still confusion about the difference between business intelligence (BI),
analytics and big data in the market. Hence, there is still a lot of terminology misuse,
contributing to the concept pollution.
As one of our subjects emphasized, big data is different from analytics in that it needs to
progress in iterations, being more suitable for agile methodologies, as the needs of the
business also move in cycles. Data visualization can be another differentiator here; recent
research¹⁰ suggests that some companies are better able to use Big Data to their
advantage compared to others because they are using data visualization to help make
sense of the information.
Analytics as a game changer has been discussed since the early 2000s, but many industries
have been late in catching up. Even though it is easy to find successful applications of
analytics in the FS sector, it seems a saturation point has been reached. It looks like more
innovative applications are sought after, and big data is looked to as the new
panacea. Financial services needs to go beyond analytics with big data; as one of our
experts commented, it is now the time for “analytics +”. This will make all the difference
for customer-obsessed¹¹ organizations, such as the FS institutions. As all our interviewees
agree, to deliver high-quality and differentiated experiences for the increasingly digital
customer base, FS institutions need to leverage big data analytics to better position themselves
not only to offer superior services, but also to become better at realizing cross-selling
opportunities.
10 https://www.sas.com/content/dam/SAS/en_us/doc/whitepaper2/sas-data-visualization-marketpulse-106176.pdf
11 http://www.information-management.com/blogs/Business-Analytics-Customer-Obsession-Experience-CX-10027172-1.html
Is it real enough to demand a change in the business model?
Financial services has been one of the first industries to be transformed by analytics. We’ve
all heard the predictive analytics success story of Capital One¹², or telematics use by Direct
Line in the UK and Progressive Insurance¹³ in the US; all nice cases of business model
innovation towards a more personalized approach, thanks to analytics. Following our
discussion above on the difference between big data and analytics, the golden question
that follows is whether the big data revolution will bring a change to the current business
models, and if so, whether it will be significantly different from the analytics revolution.
We are yet to see such a change in financial services. Most of our experts disagree
that big data will bring significant business model changes in the sector. They suggest that
the basis of the model will stay the same. Big data only has an impact on the way they do
business and the type of services they can offer.
Another common message that surfaced in our interviews was about the importance of big
data as the binding agent between the organizations in the financial ecosystem. The
expectation is that combining data from banks and other services companies (such as
Telco, energy, …) will lead to new services for clients that FS never thought of before. They
already have the FinTech start-ups under close surveillance and are brave enough to accept
that these are much better, much more data-driven than FS institutions, and they hope
that this competition will force the industry to become much more data-driven. Following
up on this, another expectation is that big data, even if it takes investment upfront, will
help banks especially to get closer to the customer in a more cost-efficient way and switch
to a more efficient model than the branch-centered model they have now. Gartner also
predicts Banking and Securities to be an industry with great opportunities to exploit with
Big Data (see Figure 3).
12 See, for example, http://blog.patternbuilders.com/2011/02/17/the-power-of-analytics-credit-card-fraud/
13 See, for example, https://en.wikipedia.org/wiki/Usage-based_insurance
Figure 3. Big Data Opportunity Heat Map by Industry (Gartner, 2012)
What Drives Big Data Initiatives?
The potential value big data holds is clear; all experts that participated in our study
wholeheartedly believe in the necessity of not only mining the gold within the internal
sources, but also leveraging external data sources.
But for what? What is the driving force behind these initiatives?
Operational excellence. Today one of the biggest business cases that drive analytics
initiatives is the quest for increased operational efficiency. The same quest also applies to
big data initiatives; internal data being readily available is one of the reasons why most
institutions start with an inward-looking project to test the grounds. Besides, the on-going
ripple effect of the crisis along with the economic uncertainty forces the hands of financial
institutions, looking towards innovation through enriching the existing products and
services and also new services.
Customer intimacy. This is the area where most of our experts believe the value resides.
Getting to know their customer better was maybe the single common desire our experts
shared. Even if the business value proposition is not about customer intimacy, creating
360 degree view of the customer would not only provide individualized marketing
opportunities, but it would also unearth the cross-selling opportunities.
Compliance: A chicken and an egg issue. Last but not least, a recurring theme in our
interviews was the regulatory compliance challenge. While some of our experts framed
this as a challenge big data brings, there were others who saw this as the ultimate data
management opportunity. The challenge arises due to the legal implications and
regulations for collecting as well as sharing data, especially if it is not yours in the first
place. But this can also be a way to optimize data models and governance, helping
institutions look for opportunities where big data would benefit not only the clients, but
also the organization itself.
Means + Ways = Ends
Some of the driving forces mentioned above also come back as potential opportunities and
threats later on (which are discussed further in this document). This is not surprising
because, when done right, these driving forces could bring in the competitive advantage.
Making sure that everyone in the organization understands and supports the cause makes
it necessary to formalize the intent through an official business case. Some of our
experienced participants emphasized the criticality of this: do you know what you want to
achieve with big data? Several areas of potential contribution have been identified through
market research; an Accenture report (2014) lists areas of high impact based on its survey
findings, as shown in Figure 4 below.
The necessary elements that determine the value to be created with big data can be
structured with Peppard and Ward’s Benefits Realization Framework¹⁴, commonly depicted
as Means + Ways = Ends. The means, that is, the information technology artifacts
necessary to handle big data analytics, are to be used in the ways that represent the
working practices, such as the analytical processes and new team building and collaboration
patterns in the organization. All of this serves to reach the ends, representing the organizational
objectives of the big data investment.
It is interesting to realize that not everybody starts the discussion with this perspective.
There seems to be no shortage of use cases in these organizations. Almost all have at least
a couple of ideas that contribute to either the operational efficiency or the customer intimacy
aspects of their businesses. What seems to be a problem is the prioritization mechanism,
or rather the lack of it. Even though several important elements of a justification framework,
such as technical complexity or business relevance, seem to be well thought out, economic
viability and the challenge of adoption still seem to be concepts that are difficult to estimate.
14 Peppard, J. and Ward, J. Beyond strategic IS: Towards an IS capability. Journal of Strategic Information Systems 13, 2 (2004), 167–194.
Figure 4. What will Big Data Impact the most? (Big Success with Big Data: Executive
Summary, Accenture Report, 2014)
What can FS institutions do? Becoming a ‘technology’ company!
The data that FS institutions have access to is outstanding in terms of the value that could be
extracted from it. Considering the external data that can be added makes it even more
interesting. But these introduce different levels of complexity, especially from a data
processing perspective. As mentioned earlier, the concept of dealing with high volumes of
data may not be entirely new in the industry under focus, yet the technologies making it
possible are now more accessible than ever. Thus, the investment in technology that big data
requires is the first serious step and challenge many organizations have to face.
Does this make financial institutions technology companies? In other words, is IT a core
competency for them? There seem to be two dominant polar views on this. While some
experts believe that it is only a natural evolution and FS organizations are already
technology companies, some interviewees were quite annoyed even by the suggestion.
Yet, in the current situation it can be concluded that they already are – and this question
is more relevant than ever. This is nicely summarized in the following quote, “financial
institutions that remake themselves fastest in the model of software engineering first
companies such as Google or Facebook, including picking a forward-thinking technologist
as chief executive, will be the true benefactors of this new era in finance.”¹⁵
15 “Ultimately, banks are ‘big data’ and technology companies” by Zachary Townsend, Co-founder, Standard Treasury, San Francisco, CA, US. October 4, 2013. Available online at http://on.ft.com/174kM1s
No matter what, as our experts also confirmed during the interviews, IT is the easy part.
It is true that new technologies and better tools give traction to big data initiatives and
make them accessible to more people, but at the end of the day IT is only an
enabler; the real issue is value generation with big data and not missing out on the prospects.
Opportunities
If there is one thing that is obvious about big data in financial services, it is the
opportunities it brings forth. Our experts all agreed that FS institutions have always been
challenged with the ‘big data’ of their time, but now they have the technologies making it
possible to deal with this data in a cost-effective way, hence a million more possible ways
to exploit the data they possess.
Better Customer Experience. All our experts mentioned in unison that big data can help
financial services institutions optimize response rates while limiting the number of
times they harass the customer, hence improving customer experience. This is becoming
more and more important as customer preferences are changing. The largest
demographic profile today is millennials. How they consume, what they consume is very
different, representing a shift in the landscape for financial services firms as well. For
instance, current research indicates that millennials are more risk-averse, indicating a
significant impact of credit card usage. This information can be used to develop new
business models targeting this specific group of customers, not by asking but by observing
through data analytics to uncover their unmet needs.
Collaboration seems to be a clear possibility – but with whom? While some of our
interviewees were skeptical about a near future data-centered collaboration with 3rd
parties, there were also others for whom this idea was not new at all. The ones that already
have such collaborations mentioned 3rd party data providers who share data on, e.g.,
weather forecast and geo-location. The purpose with these partnerships is to give context
to the data that is already in possession. Among the ones who favor potential
collaborations, many mentioned the start-ups and FinTech companies as the first option
they would look into. How about with other technology parties? With third parties that are
not in FSI? Or how about potential competitors? These also represent other possibilities,
but the security and privacy risks, along with legal implications and regulations for data
sharing seem to be keeping FS institutions back.
Data Enrichment. It does not always have to be customer data – a strategy focused
around big data that is generated internally can bring great value as well. As
mentioned in the collaboration opportunities above, there are many ways to improve the
predictive capacity of already-owned data by pairing it with publicly available data or
social media data. Data can also be enriched through other hardware or device
connections, using the benefits of the Internet of Things (IoT) to the fullest. For example,
imagine service personalization with the use of beacons. 2015 has been predicted to be
the year that significant investment in beacons by FS will take place¹⁶. We already see a
few first-mover cases, such as how Barclays is using this the other way around, using beacons
to collect data from customers with disabilities in order to improve their branch visit
experience¹⁷.
Smarter Decisions. Even though customer experience management is typically the first
thing that comes to mind for service organizations, opportunities for internal optimization
are also possible with big data. One potential target area might be human resources. HR
or talent analytics is all about leveraging employee data to improve operational
performance¹⁸. During our research, the importance of finding the right talent, especially
for big data related positions, was highlighted. Similarly, the collection of data and the
use of analytics to forecast future staffing needs or to improve employee satisfaction were
given as examples of internal big data analytics applications.
Used internally, big data can also be used to uncover opportunities for better management
of operational cost and risk. The pressure from ever increasing demand on regulatory
compliance was certainly mentioned several times by our interviewees. Other on-going
projects include supporting the sales force team by uncovering opportunities for growth
and learning best practices from employees and sharing them with others for setting
targets.
Innovation possibilities with big data require a colorful vision for the FS industry. As some of
our experts mentioned, insurance and banking products are not the most exciting things
to discuss, and they will be even less interesting in the future as these services are
considered commodities more and more. To be able to get over this, FS institutions
should get in real touch with their customers and see the industry from their perspectives
– this seems to be a viable way for FS institutions to get out of the vicious cycle they seem
to be in today.
16 http://blog.beaconstac.com/2015/03/why-banks-are-betting-big-on-beacons/
17 http://www.mobilecommercedaily.com/barclays-taps-beacons-to-streamline-bank-visits-for-disabled-customers
18 http://www.forbes.com/sites/joshbersin/2013/10/07/big-data-in-human-resources-a-world-of-haves-and-have-nots/
Innovation appears to be the blind spot of the industry. It seems that today no jaw-dropping
ways of harvesting value from big data are in action yet, and even the idea of innovation
with big data seems to be far away. The highly regulated nature of the industry, coupled
with the legacy and spaghetti systems that most institutions are bound to, seems to
be an innovation killer. One reason why this might be the case, as our experts also
emphasized, is that the industry cannot even think about innovation before it gets its
IT house in order.
Threats
The world is not all pink when it comes to using big data in the FS industry. Most banks are
quite reluctant to do something with it yet still expect high competition due to it! Several
threats listed below may explain this conundrum.
One Big Scandal. This is all it takes to change public opinion about personal data
collection and usage, and it does not even have to be in the FS sector to have an impact.
News of a data breach or data misuse naturally creates negative reactions in consumers and
also raises their suspicion and sensitivity towards sharing data. This may mean that
organizations won’t be able to use the data they have been accumulating, which would then
put big data investments at risk, of course. Most of our experts were convinced
that they will not get second chances, and hence need to handle not only the strategy behind
big data, but also the communication about it to their clients, very delicately.
Over-regulation. FSI is one of the most highly regulated industries. In recent years, the
demand for operational transparency and accessibility of years of historical data has been
increasing. Naturally, this puts pressure on data management issues and big data
infrastructure becomes a topic of high importance. Next to the hardware and software cost
necessary to handle this, the incompatibility of legacy systems, along with their criticality,
is also a reason why financial services organizations are worried about the rising
expectations from the regulatory bodies. Due to the above-mentioned challenges, the
overall expectation is that this ‘over-regulation’ may block the big data efforts.
Ethics and Privacy. Our financial services experts are obsessed with the ethical implications
of big data analytics, and rightfully so, as how ethics and privacy are handled has a strong
impact on an organization’s reputation. The extensiveness, scale and ease of big data
analytics significantly change the ethical framework organizations operate within; financial
institutions now have the possibility to combine data sources they did not even have
access to before, and can run and take action on analytics faster than ever before. This implies
that current legal and ethical guidelines do not apply anymore – big data analytics moves
faster than the creation of new frameworks. This may imply that FS institutions need to
create their own principles to operate in, especially on privacy. It is important to emphasize
that privacy is not only about getting the consent of consumers while collecting their data,
but also about transparency on how this data is being used and whether it is being shared
with any third party organizations. It is as important to give them control over their
own data, so that they can manage their preferences or stop participating anytime they
wish to do so. Even though it may sound logical, this is not something most of the
organizations are already doing, and definitely may not be in their best interest, according
to some of our interviewees.
New competition and unlikely partnerships may disrupt the industry, especially
through non-FSI organizations. With the advent of non-financial organizations taking minor
claims within the domain, such as payment or transfer services, it is expected that they
will disrupt the banking business and create an extra layer of burden for these institutions.
The challenge lies in the fact that, thanks to these new entrants, FS organizations are
facing the loss of data input streams. Being the slow and bureaucratic organizations they
are, this may lead to a situation where the small and agile new entrants become better at
understanding what the customers want and exploit the opportunity.
We have also started seeing partnerships, as simple as the one between a credit card
company and a petrol company, building a business model around data sharing that leads
to marketing campaigns and better customer segmentation. An interesting perspective
shared by some of our interviewees implied the necessity of service innovation for banks,
through partnerships. Because banks sell commodity products, and these commodity
products are the only way to fight the above mentioned non-FSI new competitors to bring
the costs down, as the income may not grow. The only way out is to differentiate via
services and escape further commoditization. Hence, it is absolutely critical to create
‘win-win-win’ situations among the bank, the customer and third parties to enable possible
differentiating services.
Technology focus. All the aforementioned threats and opportunities alike, directly or
indirectly, imply the necessity of a significant restructuring of and/or investment in IT. For
most organizations, managing the high volumes and even the variety of data is no big
deal. But for organizations that are interested in real-time analytics, big data’s velocity
aspect can still be a technical challenge. Also faced with age-old legacy system
complications, many organizations have the tendency to give priority to IT before anything
else. This poses the challenge of over-investing, as it may create an unnecessary focus on
technology over the business case. Yet, as one of our interviewees mentioned, FS
organizations should not even think of the IT aspect before regulatory issues and legacy
problems are addressed.
Another IT-related challenge is data federation, which refers to aggregating data from
disparate sources to be used for analytics. From a jurisdiction and legal framework
perspective, keeping the data in a location where it can actually be used creates the
challenge. This is because data sovereignty, referring to the fact that data which has been
converted and stored in digital form is subject to the laws of the country in which it is
located, may show great differences among nations.
Lack of talent. All our experts agreed that finding skilled people to use the technology
and data in the right way is a big challenge. Data scientists are still hard to come by. The
hybrid role required by big data analytics takes business, statistics and computer science
skills all in one, and may be filled more easily by training than by recruitment. One of the
reasons behind this is the fact that academia is following industry a couple of years behind;
only recently have degree programs been established in major universities addressing this
lack of data scientists. Besides finding the talent, positioning the talent is yet another
challenge that some of our interviewees mentioned; where should the data scientists be
located in the organization? Most organizations go back and forth between placing them
in lines of business and a centralized department, or any combination of the two. There
are arguments for both set-ups, and organizations are challenged with finding the best
structure that fits their approach.
Missing out on/not understanding possibilities might well be the biggest challenge.
Even though big data is now at the peak of the hype, there are still organizations that
jump into the water before doing their homework. It takes serious strategizing for big data
initiatives to deliver business value. And business value does not automatically translate
from correlations, all of which should be taken with a grain of salt. Your data scientists
may find many correlations in your data, but they do not necessarily imply causation.
Without the right business experts who know how to interpret the results and what to look
for in the first place, a big data initiative would be futile and this kind of “not doing it right”
would lead organizations to base their decisions on false conclusions. That is why a cross-
disciplinary team of data scientists and business experts is the recommended big data
team to get the best out of your initiative.
Our findings are in line with what recent industry research suggests, such as the top Big
Data challenges reported by Gartner in 2013 (see Figure 5).
Figure 5. Top Big Data Challenges. (Source: Gartner, 2013)
Conclusion: (R)evolution? Is big data an evolution or a revolution?
Was where we are today foreseeable? Most of our experts agreed that it was. It is suggested
that the evolution continues; Big Data as a dominant concept won’t last long, and will rather
leave its fame to its next leap: Big Analysis19.
There is no doubt that everyone recognizes its disruptive value as well as the potential
opportunities big data brings. Everyone also seems to agree on the fact that smart use of
big data is more relevant than any other aspect of it. Yet, there is an obvious inertia in the
financial services industry when it comes to taking action. Why? How come most of these
organizations are not more advanced?
What seems to be holding them back?
Our analysis of the interviews indicates that regulations definitely play a role. But the
challenge of legacy systems, along with an overly conservative take on non-traditional use of
big data, seem to be the main contributing factors.
Especially for the banking industry, customers want to do business with smart institutions,
no matter what. When you show your customers that you have surprising insights about
them that even they were unaware of until you revealed them, they will put you in the smart
bucket20. To get into that smart bucket, ecosystem thinking needs to become prominent
and business models need to shift from product-focus towards service-focus.
According to futurists, there are three decision spaces in the world; knowns, known
unknowns and unknown unknowns. Knowns are things that we know will happen as a
matter of fact. Known unknowns are circumstances that we know are possible, but we are not
sure whether they will actually take place or not. Unknown unknowns, on the other hand,
are things that are not even considered during the time of decision making. In financial
services, it is known that data-driven decision making and analytics are a must for sound
strategic management. The industry’s known unknown is a complete overhaul of the business
models, centered on big data. The complete digitalization of many businesses,
along with the developments in FinTech and unexpected start-up entries from non-financial
services industries, are all signs of many more unknown unknowns to be ‘discovered’ soon
enough.
The competition will be fierce. Financial services institutions will need all the help they can
get. So, it is time to re-evaluate your strategy around big data, embrace the disruption it
brings forth and select the right partner(s) to build your big data supply chain and collide
with competition head-on – may the most customer-obsessed organization win.
19 http://www.forbes.com/sites/michaelfertik/2015/06/15/big-data-was-the-beginning-what-comes-next/
20 May, T. (2009) “The New Know: Innovation Powered by Analytics,” Wiley.
Workshop report
Statements reported by Marion Dupire
Vlerick Business School
This section summarizes the content of the presentations and discussions of the 5th Vlerick
CFS21 regulatory workshop which took place on 19 January 2016 at Vlerick Business School
on the topic of protecting customer privacy in the financial sector.
30 experts from different backgrounds participated in the workshop: regulatory authorities
(Belgian Privacy Commission), financial institutions (Ageas, AGInsurance, Belfius, BNP
Paribas Fortis, DegroofPetercam, Deutsche Bank, ING, KBC, Swift), financial association
(Febelfin), consultants (KPMG, Price Waterhouse Coopers), lawyers (Allen & Overy, DLA
Piper), FinTech platform (Eggsplore), academia (Vlerick Business School). The workshop
was organized as follows. In a first part, Prof. Öykü Isik presented a summary of her state-
of-the-art of data-driven financial services. In a second part, Patrick Van Eecke gave an
overview on how to achieve legal compliance when financial institutions make use of big
data. In a third part, Dieter Verhaeghe elaborated on the current concerns in the financial
services industry with respect to the protection of customer privacy. Presentations were
followed by a co-creation exercise where workshop participants were invited to think about
innovative ways in which financial institutions can/should:
• Help the customer feel treated in a transparent manner
• Inform consumers with regards to data security, privacy and current legal frameworks
• Optimize direct marketing such that customers are not harassed by multiple communications at the same time
• Account for different sensitivities and cultural perceptions on data privacy
Introduction
Freddy Van den Spiegel, Professor at Vlerick Business School
If you want to grab the attention of bankers and insurers you only need to mention two
things: big data and Fintech. Nobody knows either what these concepts exactly mean or
what consequences they will provoke in the future. But everybody agrees that they are
key strategic issues for the next decade.
21 Centre for Financial Services
This CFS workshop looks at one aspect of the big data/Fintech debate which is customer
protection. Our first speaker – Öykü Isik – presents the topic from a business angle, our
second speaker – Patrick Van Eecke – looks at the legal compliance issues, our third
speaker – Dieter Verhaeghe – deals with the authority point of view, all other workshop
participants are invited to share their views during a co-creation exercise.
Data-driven financial services: state of the art
Öykü Isik (Professor at Vlerick Business School)
Banks collect huge amounts of data. It is an opportunity for them to know the customer
better, but it also comes with a lot of challenges with regards to regulation and privacy.
Öykü Isik’s working paper (presented in the first part of this policy paper) summarizes
opportunities and challenges around this topic based on interviews with 20 experts of the
financial sector dealing with big data on a daily basis. The purpose of Öykü Isik’s workshop
presentation was to highlight the most important insights from her working paper and
connect it to the issue of privacy.
What is big data?
Gartner defines big data as 3V’s: “high Volume, high Velocity, and/or high Variety
information assets that require new forms of processing to enable enhanced decision
making, insight discovery and process optimization22." Concerning the volume part,
relevant hardware is necessary to deal with the huge quantity of data but this is not an
issue anymore. IT seems to be a relatively easy part to deal with in the financial sector.
Velocity does not appear as an important topic of attention either. In contrast, variety
emerges as a very big issue for financial institutions. Banks are used to dealing with structured
data, but making use of unstructured data is a lot more challenging. It also requires new
software, capabilities and skills.
Now, we talk about 5V’s of big data, adding Veracity and Value. The concept of veracity is
more than the data quality concept; it adds objectivity and trust: how reliable and how
objective are your data sources? This has a lot of implications for data management in
general. The ‘Value’ part implies that it is always a good idea to start with a general long-
term plan rather than going project by project with a short-term vision.
Opportunities with big data
Investment in big data analytics is steadily growing. One important aspect of it is the
distinction between correlation and causation. Over the past 10 years we observed that
the number of Facebook users increased concomitantly with the yield on 10-year
22 Laney, Douglas. "The Importance of 'Big Data': A Definition". Gartner. 21 June 2012.
Accessed June 22, 2015.
government bonds in Greece, does that mean that Facebook was a driver of the Greek
debt crisis? Overall it is important to identify meaningful correlations that could drive your
business forward but one should not confuse correlation with causation.
The big data market is expected to grow steadily for at least the next 10 years. For financial
institutions it means innovation, in terms of business model and of customer experience.
Another opportunity emerges from the fact that a new group of customers are coming:
the millennials. These are the people who open their first bank account and who show a
very different consumer behaviour than other customer segments. They are very risk
averse, their understanding of privacy is completely different than ours: they do not
associate social media with privacy a lot. Privacy is about their house, their family life, but
not about their online profiles. This has a lot of implications on their purchasing behaviour,
for instance they use fewer credit cards.
Another opportunity with big data is collaboration with third party data providers,
technology companies. That leads to data enrichment. Big data means pairing up internal
data with open data from the government, with data from third party providers, with data
connected to smart devices. One good example is Barclays using the Beacon technology.
Barclays use Beacon to learn for instance when a customer with a disability enters a
branch, making it possible to see what kind of services would make it easier for this
customer to improve the branch experience. Big data is also useful for internal efficiency
improvements. Two rather ignored opportunities in the financial sector are the use of big
data for -1- HR and -2- for auditing.
The value of big data
If we look at numbers, Facebook's total profit in 2011 was $1 billion; just a year
later Facebook was valued at $104 billion on its IPO. The difference is only the value of a 1
billion user database. Eric Siegel (author of “Predictive analytics, the power to predict who
will click, buy, lie or die”) estimated the value of data for one individual at USD 1.200;
Viviane Reding (European Commissioner for Justice, Fundamental Rights and Citizenship)
estimated the net worth of data of all Europeans at EUR 315 billion.
This tells us that all big data opportunities should come with a price and one should not
jump into it without considering several challenges.
Challenges with big data
One challenge is to make sure to avoid scandals, such as JPMorgan’s credit card hacking
in 2014 or the Regin virus at Belgacom. These scandals constitute one important obstacle
in the extensive use of big data analytics. Regulation is also a big pressure. New
competition or unlikely partnerships impacting your own business is another challenge.
Lack of talent is also an issue. Overall it is easy to overinvest in technology but the
challenges are very important. It is important to experiment with new things.
Finally, ethics and privacy are probably the most important hurdle to the use of big data.
Mark Zuckerberg stated in 2010 that privacy was not a social norm anymore. Privacy is
indeed a concept that evolves over time. We know that privacy concern is the ultimate
thing that helps people decide whether they are interested in sharing their personal
information with other organizations. There are certain factors that impact our privacy
concerns, including trust in the company and in online transactions, past privacy-invasion
experience, and social awareness. Even more importantly, social norms, emotions and
reputation rule everything. Transparency and perceived ability to control information are
also very important aspects; it is about giving control to the customer over his/her data.
Every individual inherently makes a calculus: we weigh whether it is worth sharing our data
given the expected benefits and associated risks.
Academic insights
Would customers be more willing to share their information if the company had more
transparent practices? The answer is ambiguous and refers to the privacy-
personalization paradox. Empirical research shows that people who want transparency
and control over their information are not eager to actually share their data. The paradox
is that the people who want more transparency and more control over their data are less
willing to be profiled online or to receive personalized advertising.
It is therefore better to focus on customers who are less privacy-sensitive. In 1991, we
saw the first example of consumer categorization based on privacy sensitivities by Alan
Westin. He grouped consumers in three categories: the privacy fundamentalists who are
very conservative, the pragmatic who assess benefits and costs, and the unconcerned who
are more willing to share their data. The fundamentalists are about 5% of the public, the
pragmatic are about 57% of the public and the unconcerned are about 18%.
Overall we know that uncertainty plays a big role: people are very uncertain on privacy
policies. The assessment of benefits and risks is never straightforward because everything
is context-dependent. We also know that there is malleability and influence with
respect to privacy behaviours. One example is the default settings of Facebook profiles,
people tend to think that these default settings are implicit suggestions from these
organizations. But these suggestions are not necessarily in the best interest of the
consumer, most of the time they are set in the best interest of the organization itself.
People generally don’t check their default settings.
One final interesting concept is privacy-by-design developed in the 90s, referring to the
fact that privacy should not be something you worry about after you design and implement
a system, but it should be part of the system itself. Privacy-by-design has seven principles,
the most important one being ‘be proactive instead of reactive’.
Discussion with the audience
A question was raised from the audience on the privacy-by-design concept, asking whether
it has evolved a lot since its early development in the 90s. A positive answer was put
forward by Öykü Isik, based on a specific example called big data analytics sense-making
mechanism which consists in an analytics system taking into consideration the seven
principles of privacy-by-design. However, there are not a lot of other examples that exploit
this concept.
Freddy Van den Spiegel emphasized again the fact that banks have massive amounts
of data; they know far more than Facebook. As soon as an individual has a bank account,
the bank knows everything about his/her private life: travel, political ideas, diseases… With
some good development tools you can deduce a lot of things from what the bank knows.
The technological capacity to work with these data is there but there is still a kind of
prohibition on banks to know what they know, which has always been considered as one
of the pillars of democracy.
Öykü Isik added that there are indeed Chinese walls within the banks, also referred to as
silos. However it is unclear whether banks actually know what they know. The access to
information across the different silos is still a big question mark. There is also a thin line
between what the institutions are legally allowed to do versus what is acceptable to do
from an ethical, moral standpoint. This is also a more philosophical discussion.
The use of big data in the financial sector: achieving
legal compliance
Patrick Van Eecke (Partner at DLA Piper law firm, Professor at University of
Antwerp)
Big data projects are often approached in silos, either from the point of view of IT, lawyers,
business or academia. However, big data is an inter-disciplinary issue and has to be
considered with a holistic perspective from different angles, because if you don’t play it
well, you may lose a competitive advantage, or have legal troubles, or harm your
reputation. Patrick Van Eecke’s presentation aimed at going through all legal challenges
with big data projects, based on 20 years of practical experience with big data.
The financial services sector is sitting on a big pile of data. As a result, a lot of financial
players are investing in data analytics. From a legal perspective, data is first about personal
information: personal data protection has to be taken into account. Secondly, data is
also power: you can build up an empire based on data analytics, and there you enter the field
of competition law: antitrust, anticompetitive behaviour. Thirdly, data is global: we gather
and store data on individuals in different locations, so local legislation has to be
taken into consideration. Fourth, data is becoming more and more critical for business
activities, so corporations had better protect it with cybersecurity measures. Finally,
data brings value to your business, and the legal question is who owns the data: data
ownership also has to be considered.
Overall the legal hot spots are summarized in the figure below.
Source: Van Eecke, P., DLA Piper, Big data – how to achieve legal compliance
Two years ago, there were not so many hot spots to consider when dealing with big data.
It was all focused on privacy and data protection. Now every 3 to 4 months a tile can be
added to the above figure. Corporations and authorities are getting more and more
enthusiastic about big data. It can be looked at from a privacy perspective, or from a
consumer protection view, or from a competition authority angle… All kinds of regulatory
authorities are looking at it all over the world.
In contrast, people who deal with big data very often do not work in an interdisciplinary
way. What happened to ING Netherlands is a good example of this. ING very
enthusiastically stated in a financial journal how they would analyse data on customers’
transactions and sell it to third parties. ING were then unpleasantly surprised that customers and
journalists were actually very upset about this statement. They did not expect such bad
publicity. In this specific case it seems that the compliance team was not involved, leading
to unfortunate consequences.
Data protection legislation
For more than 20 years we have had data protection legislation in Europe, and this will stay.
New legislation will even be adopted in the next few weeks. The European regulation is
going to replace the current rules that we have had for more than 20 years.
Privacy-by-design is literally imposed in that new regulation. Whether you like it or not, you now need
to implement privacy-by-design in your organization; it now becomes an obligation.
One concern from a data protection perspective is that corporations process data in
aggregate and argue that this is different from processing personal data. But from a legal
perspective it does not matter, connecting personal data and performing analytics on it is
personal data processing.
Another concern is the fact that corporations anonymise data. Corporations claim that by
anonymising the data it does not qualify any longer as personal data. Data protection
authorities are however concerned that in many cases it is not real anonymization in the
sense of the data protection legislation. As long as there is a possibility to decrypt
anonymous data and identify individuals with statistical tools, it is still personal data.
Anonymization in the sense of data protection legislation needs to be tackled carefully with
a compliance team.
E-privacy
Another piece of European legislation deals with E-privacy: tracking information, use of
cookies… Barclays using Beacon is a typical example of geolocation technologies. One
should realise that this is also covered by the European privacy legislation. These rules
should be taken into account. Fines do happen as we have seen with the example of
Europcar fined £45000 for using GPS to track luxury cars hired out to wealthy customers.
Sector legislation
On top of horizontal legislations such as E-privacy and data protection, we have sector-
specific laws. The financial sector is heavily regulated. For example the use of credit card
information to build customer profiles may infringe the consumer credit legislation which
clearly states that -1- personal data collected by financial institutions can only be
processed for specific purposes, -2- only a few types of data can be collected, -3- it is
prohibited to use the data collected within the credit relationship for direct marketing or
prospection purposes. The legislation also requires information to be deleted when it is no
longer justified.
Anti-discrimination
The Gender Act prohibits discrimination based on gender. The Racism Act prohibits
discrimination based on nationality, racial identity, skin colour, ancestry and national or
ethnic origin. The Anti-discrimination Act prohibits discrimination on the grounds of age,
sexual orientation, marital status, family background… etc. However that is exactly the
kind of information that big data projects are looking for. It is possible to use these data
but it is crucial to make sure that the framework of anti-discrimination is taken into
consideration. Authorities pay particular attention to discriminatory pricing for example.
Competition
“Big data is the new currency of the Internet” as stated by the EU Commissioner for
Competition. Big data and competition law interact with each other on three axes: -1-
abuse of dominant position, -2- vendor lock-in, -3- price fixing. On the first axis, firms
cannot use big data to gain an anti-competitive advantage. On the second axis, customers
should not feel locked with one service provider because they do not know how to transfer
all their information. The future data protection legislation, apart from privacy-by-design,
will introduce the data portability right. It is not clear how this will be put in practice but
end-users will have the right to have their datasets transferred to another service provider.
Cloud
Most big data projects are linked to putting data in a cloud, involving many legal issues.
One word of warning is that most big data projects start with proofs of concept, which
are very often done by people not applying the company rules. For example they would
take an archived set of data and put it in Dropbox. Attention should be paid to this
kind of practice, making sure that company rules are being applied.
Cybersecurity
The more data you gather, the more it puts you at risk. The NIS (Network and
Information Security) directive of the European Parliament obliges Member States
• to adopt a NIS strategy and to set up a NIS Authority;
• to designate National Computer Emergency Response Teams (CERT);
• to cooperate with other Member States and the Commission to share early warnings on risks and incidents.
It also obliges public administrations and certain "market operators"
• to adopt risk management practices;
• to report major security incidents on their core services.
Data ownership
Before starting a big data project and entering into a partnership with a third party, it is
important to make clear who will own the result, who will have the right to use the data.
Discussions may arise on ownership of the source data, the aggregated data, the analytic
models built, …etc. Intellectual property rights and data protection rights are very often
used as arguments for claiming or disputing ownership of data. We see in the market that
many industry organisations (automotive, farming, pharma, …etc.) are currently drafting
their own big data codes of conduct.
Ethical issues and concluding remark
You can be fully compliant with legislation and still run a reputational risk. Ethical
discussions need to take place, making sure that the organization clarifies how its big data
strategy should be structured: how much data do we want to collect? What is our risk
profile? A balance between legal and ethical aspects has to be figured out. This type of
initiative would be very welcome in the financial services sector, providing some kind of
charter on the use of big data in financial services.
Discussion with the audience
One remark was made from the audience that, looking at all these legal aspects, it does
not seem feasible anymore to exploit big data in the financial sector because there are too
many constraints. Patrick Van Eecke explained that he did not see it as unfeasible to exploit
big data in the financial sector. However his view is that the enthusiasm for big data has
to be tempered. “From a technical and organizational perspective the sky is the limit, and
it is frustrating to say that you can’t go to the sky because you may end up with legal or
reputational issues. But that does not mean that you can’t do anything.”
Freddy Van den Spiegel emphasized the fact that legal challenges will reduce the
capacity to practically implement big data projects in Europe. He asked Patrick Van Eecke
about whether he was seeing a fundamental difference of approach with the US. One major
difference mentioned by Patrick Van Eecke is that in the US they do not have the holistic
horizontal legislation on privacy and data protection, which is one of the big inhibitors in
Europe. Nevertheless, the White House recently issued a white paper on big data and
consumer protection, and they come to the same conclusion that it is not acceptable to
collect data for purpose A and re-use it for purpose B, C and D without being transparent
about it, and without asking for prior consent. Another thing is that American
organizations, as well as Asian organizations, do not have this immediate reflex to take
into account privacy protection. The products and services they provide on the market do
not consider privacy-by-design yet.
Another question was raised on the controversial aspect of big data, given that legislation
will change. Should lobby organizations from business users intervene to make sure that
regulators are not going too far on something that is so important for the business going
forward? According to Patrick Van Eecke, the data protection regulation will go into the
history of policy making as the most lobbied piece of European legislation, and it may even
have reached a stage where it has an adverse effect. The representatives of the European
Parliament have felt that it was starting to become a symbolic discussion. Having too
intense lobbying campaigns may have adverse effects.
Another point of discussion was about the feasibility of a scenario in which technology
companies and banks work together with the regulator to test the boundaries of where
they can go before launching a big data project, in a kind of lab environment. In the
experience of Patrick Van Eecke, this looks feasible. Data protection authorities indeed
appear very interested in knowing the latest technological developments.
Protecting customer privacy: current concerns in the
financial industry
Dieter Verhaeghe (Legal Advisor Belgian Privacy Commission)
When starting a big data project, what are the main points of attention to reduce
reputational and non-compliance risks?
Concern 1: Lack of attention for increased surveillance by financial
industry in the general interest in the light of privacy protection and not
only data protection
First of all, it is important to distinguish ‘privacy’ from ‘data protection’. Both are indeed
subject to different rules, the Belgian Privacy Commission actually being a data protection
commission. When developing a big data project, it is important to look at both types of
rules. It is often the case that only the data protection law is considered, while ignoring
specific surveillance issues that are raised in the privacy jurisprudence of the European
court of Human Rights. There are a lot of opportunities with big data which also come with
risks and threats. Big data technologies can sometimes be perceived as surveillance. It is
therefore interesting to consider the privacy perspective, in parallel to compliance with
data protection law.
In the privacy perspective, the main challenge is to convince the regulator that a big data
project properly assesses whether there are surveillance issues or not, and whether a
distinction is respected between what is in the general interest and what is in the
commercial interest. Financial institutions are between two fires. On the one hand you
have an obligation to store more data in the general interest (know your customer,
customer due diligence, extended consumer credit registration, “fraud” detection…), on
the other hand there are the proportionality and data minimisation requirements in the
privacy and data protection laws. Once you have found the right balance, it is important
to make the data processing transparent to the regulator.
Overall there is increased secret surveillance by the government and the private sector.
This is not limited to the financial sector, but more recently also to the telecom sector and
probably soon in the media sector. In the telecom sector, we have seen an annulment of
the data retention directive (aimed at the fight of serious crime) by the European Court of
Justice (ECJ) in the Digital Rights Ireland case of 8 April 2014. The European anti money
laundering laws currently oblige the financial sector to go way further than the telecom
sector in terms of data storage. The question is therefore whether the same logic will be
applied by the ECJ in the interpretation of the proportionality requirement? This is an open
question at the moment.
Concern 2: Lack of neutrality of pure Economic perspective vs.
perspective of EU legislator and data protection authorities
A lot of studies emphasize the big data opportunities. However a balancing exercise needs
to be done, focusing not only on the positive aspects but also on the privacy impact and
the risks for the data subjects. The risk is that big data projects are only based on the data
protection legitimacy grounds of “consent” and “legitimate interest”, while ignoring the
conditions for these legitimacy grounds and/or the necessary privacy and data protection
safeguards. The traditional practice of simply accepting terms and conditions is not
acceptable to provide a valid consent. In the data protection regulation (“GDPR”) the
notion of consent becomes more severe. Changing terms and conditions indeed does not
leave room for negotiation by the client; the consent is not free when only the data
controller decides whether the data will be processed or not. The legal notion of consent
in the data protection law implies also that the consent has to be specific; including a
consent clause in the general terms and conditions is not enough.
The risk involved in the use of big data technology by governments has been described in
the literature as the “Titanic Phenomenon” (Solove, D.). Sometimes you have a Plan A
technology, but the focus should also be on a Plan B: what if it goes wrong? The General
Data Protection Regulation (GDPR) helps in that domain. GDPR provides for new
obligations and principles such as “privacy impact assessment” and accountability. These
new elements could be seen as opportunities to prepare big data projects and ensure more
compliance. Institutions that have made their own Privacy Impact Assessment (PIA), that
have their data protection office(r), and are transparent about their processing operations,
have a head start in providing an adequate level of privacy and data protection.
Concern 3: Transparency
Often, a distinction is not made between the privacy requirement to be transparent about
privacy infringements, and the obligation to inform under the data protection laws. If the
data controller relies on an exception to the obligation to inform the data subject, this
does not affect the requirement for the law to be clear and foreseeable.
The recent financial laws at European level still lack reference to the new PIA requirement
of the GDPR. Even though the European Commission has included references to the data
protection Directive 95/46/EC in its recent financial directives (AML, Payment Services),
those directives often lack substantive provisions to adequately protect privacy and
personal data as requested by the EDPS[1]. At the national level the privacy impact of
financial laws is often not investigated. For instance, since 1993, the Belgian Privacy
Commission has not received a single formal request to provide a direct formal, public
advice on the anti-money laundering law of 1993. While the financial laws remain vague,
the business often feels caught in the middle between compliance with financial laws and
the obligation to respect privacy and data protection laws. At the level of institutions, there
is a lack of transparency towards the privacy commissions and towards the general public on
high-risk data operations such as big data projects, fraud risk assessments, profiling
operations, data mining, “conflict of interest” investigation of private life functions of
certain employees, …
Concern 4: User control
What institution today offers a clear and full access to clients’ profiles? Yet more and more
services are developed on profiles, but most people do not know what it means. Notice and
consent don’t work well; general terms and conditions are not always read or understood.
There are very few examples of institutions being transparent towards their clients on their
profiles. In the Anglo-Saxon countries, there is a clear discussion on the requirement for
transparency of the predictive analysis linked to the use of profiles (credit scores) used by
credit reference agencies. In Europe there is still a lack of clarity related to the question of
(il)legality of the use of private risk indicators to predict consumer behaviour and/or to
take decisions based on that method. This is in light of the prohibition in data
protection law on working (solely) with automated individual decisions (including profiling)
that affect data subjects legally or significantly.
One example of a transparency/user control concern is Facebook’s “Like” button.
According to a recent investigation by the Belgian data protection commission, this button
is a spy technology that is also applied to non-clients of Facebook.
It therefore has to be used only with a clear warning to the data subjects.
Another concern in the financial sector is the fact that clients’ risk profiles are often built
based on predictive correlation rather than causation mechanism (e.g. you have been in
default in the past, so you will be in default in the future). Are clients ready to be judged
based on a correlation basis and not on a cause basis? Are institutions transparent about
this? Does our law provide a clear basis for such forms of processing operations? In the US
there is a different legal environment where there is more room for correlation-based
automated decision making. It is still not clear under what conditions this kind of decision
making can be made legally acceptable in Europe. Substantial legal and cultural
differences need to be taken into consideration before any model is transposed in the EU.
Concern 5: Purpose limitation
There is a real challenge in guaranteeing that institutions, when implementing European
directives such as AML or PSD, are working only in the general interest instead of only or
mainly in their individual commercial interest. In the future it will be required under the
accountability principle and the privacy impact assessment requirement of the GDPR that
data protection policies pay more attention to this question. When you store data,
do you do it in a central database? Do you do it with your compliance team? This is still
not very transparent.
The Schrems case before the Court of Justice shows that there is also a potential issue with
transferring personal data internationally to zones without adequate data protection such
as the US. As a result, the European Commission recently made a political announcement
in the form of the EU-US Privacy Shield[23].
Also, instead of using cloud-based solutions or services that rely on data storage in zones
without adequate data protection (in the meaning of Directive 95/46/EC), more and more
data controllers now start to investigate the necessity to use storage solutions within the
EU, with adequate data protection guarantees. Nevertheless this is a difficult and ongoing
exercise.
[23] http://europa.eu/rapid/press-release_IP-16-433_en.htm
Concern 6: Data security
In the telecom sector, there is a notification obligation of any data breach towards the
Belgian Privacy Commission and the BIPT[24]. In the financial sector it is currently possible
to notify data breaches to the Privacy Commission. For the moment this possibility is not
used in practice. It may be because there are no data breaches in the financial sector, or
the possibility is not known, or institutions are afraid of making such notifications.
However, this possibility for the financial sector will become an obligation in 2018, when
the GDPR will have to be applied.
Finally, an important point of attention is how much reliance is placed on third party
solutions, for instance in the use of security software provided by firms established in
zones without adequate data protection. Some providers have a totally different approach
to data protection, and/or approaches that are not up to date with the latest developments
under the jurisprudence of the Court of Justice and/or the GDPR. They may be very good
at security but some typical European data protection issues would not readily be seen
as an issue.
Q&As
A question was raised from the audience on whether the creation of a European Data
Protection Authority would be a nightmare, a dream or just an illusion. Dieter Verhaeghe
recalled that we already have a European Data Protection Supervisor, their scope being on
all institutions in Europe. However big data issues actually go even broader than the EU,
so there is an opportunity under the GDPR for the development of more coordinated
supervision.
Co-creation exercise
During the co-creation, participants were invited to discuss in small groups on innovative
ways in which Financial Services Institutions can or should -1- help the customer feel
treated in a transparent manner, -2- inform consumers with regards to data security,
privacy and legal frameworks, -3- optimize direct marketing such that customers are not
harassed by multiple communications at the same time, -4- account for different
sensitivities and cultural perceptions on data privacy. The output of this exercise is
summarized hereafter in figure 6 and in the upcoming paragraphs.
Help the customer feel treated in a transparent manner
In the view of workshop participants, it is important to be transparent on the use of
customer data, but the language must be appropriate with few legal terms. One
recommendation is not to provide detailed information in ‘cascade’ but rather provide a
summary first and give the customer the opportunity to go to details later on. More
importantly, “do what you say, say what you do as well as what you don’t do”. This will
give more trust to the client.
[24] Belgian Institute for Postal services and Telecommunications
Trust and confidence is built by the transparency towards clients but also from the client
to the institution: to obtain a good relationship between both the client and the financial
institution, transparency should take place on both sides. Then, the financial institution
should be open on multiple levels: general data is communicated on the website and in
the annual reports on the one hand, more specific data is communicated in the one-on-
one relationship on the other hand. Nevertheless, some clients may be reluctant to go
further into the relationship with the bank if the bank places a lot of emphasis on all the
different purposes for which their data is being used. Therefore it can be a good idea that
the financial institution highlights what they will NOT do with the data: if the data will not
be shared with third parties, it is worth mentioning it.
Inform consumers with regards to data security, privacy and legal
frameworks
According to the group who discussed how to better inform consumers, the first point was
again that financial institutions should be transparent on the way in which they use
customer data but they should do it in a ‘less legal’ way, using icons for example. The
icons could signal different things such as whether you sell data to third parties, or how
far you go with the data you collect. Data legislation is too complex; it is important to make
it easier to digest with a summary or a video for example.
Secondly, privacy should be seen as a competitive advantage, it should not be a negative
thing.
Thirdly, there is sometimes a kind of pressure to accept terms and privacy conditions.
Customers have about 10 seconds to read and accept a big pile of documents. One
recommendation is to give the documents upfront to potential customers so that they have
the necessary time to go over it and to ask questions if necessary.
A fourth idea is to have a dashboard on what data is collected and how it is used. Customers
might be willing to give out certain data if they know what it is used for.
Fifth, building a risk profile is important, defining the degree of customer risk aversion so
that it is possible to know if a customer wants to share as little data as possible. And
on the other hand, when a customer is willing to share more information, it is good to
define what that person will obtain in return.
Optimize direct marketing such that customers are not harassed by
multiple communications at the same time
One group discussed how to optimize direct marketing. Is direct marketing really an issue
for all types of customers? And is this a marketing/communication issue or is it more a
data management issue? According to this group, it was unclear whether giving consumers
access to all information related to how data is used would necessarily be a solution.
What was clear though is that it would have big implications in terms of organizing and
managing the data.
The discussion is not only about the content of the communication but also on the timing
and frequency. One recommendation is to give to the customer the possibility to choose
not only the content but also the timing. Also from a marketing perspective, customers
should be able to choose what marketing content they want to see but there has to be
flexibility in this process so that they do not miss other opportunities.
It can be a good idea to create a customer-led profile that different banks can view, and
offering analytics possibilities based on external soft data. Overall the target should always
be to have more relevant and less frequent communications, optimization being the main
goal.
Account for different sensitivities and cultural perceptions on data
privacy
First, the legal framework is actually a reflection of a society and a culture, as emphasized by
the group who focused on this topic. There is a big difference of sensitivity between the
US and the EU and it is important not to disconnect legal and ethical issues. Also within
Europe, there are big differences of sensitivities such as between the UK and Germany for
instance. Overall there is a growing awareness about privacy and the value of data all over
the world.
Second, one recommendation is to have differentiated opt-out policies giving choice to the
customer. Sharing a profile back to the customer is a good idea but not always feasible.
Third, data is the new call and people are becoming more aware of the fact that their data
is being used for economic purposes by digital companies. As a result, banks might benefit
from becoming a trusted partner for data matters. They could also become a trusted
intermediary between the consumer and third party suppliers. There are all kinds of
implications concerning the different scenarios which could emerge from this, for instance
related to the right to be forgotten. Nevertheless, this could be an interesting way to value
big data in the financial sector.
Figure 6: Co-creation exercise output
Small-group discussions. Innovative ways in which Financial institutions can/should:

Optimize direct marketing
- Giving access to consumers
- Implications? Data management and organization
- NOT transparency BUT communication control
- Give control to customer
- Give the choice on what info he will have access to
- “marketing” discussion provide control
- Still flexibility needs to be embedded
- “Moment of interaction” is also relevant
- Customer-led creation of a ‘profile’
- More relevance and less frequency

Help the customer feel treated in a transparent manner
- Language: no legal terms
- Cascaded info: summary to details
- Say what you don’t do
- Advice for both institutions and client – TRUST and CONFIDENCE
- Be open at multiple levels
- Should we be open to everyone?

Account for different sensitivities and cultural perceptions on data privacy
- (1) Legal framework reflects society: UK vs. Europe vs. rest of the world; UK vs. Germany; European model
- (2) Differentiated opt-out policy (cookies)/Dashboard; Sharing profile (technical)
- (3) Bank from trusted provider of financial services to data
- (4) Right to be forgotten

Inform consumers with regards to data security, privacy and legal frameworks
- Use of icons
- Do you sell data to a 3rd party?
- Complexity (summary/video)
- See privacy as a competitive advantage
- More time upfront to read policies
- Dashboard: my data, where is it used for?
- “Risk profile” for personal data
- Positive: what can we do for you when you provide data?