The data balancing act
A growing tension between protection, sharing and transparency
There is a growing trend toward data sharing and more customer control of information held at financial services firms. At the same time, governments and regulators continue to underscore the importance of robust privacy and data protection programmes. To strike the right balance between these seemingly conflicting requirements, a strong data strategy is essential.
In the first half of 2018, two major pieces of European Union (EU) regulation come into effect: the revised Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR). These two regulatory initiatives share two common aims: putting customers in control of their own data and keeping that data safe. Both GDPR and PSD2 are built on the principle that individuals own their personal data and should therefore be able to choose how it is used and with whom it is shared [1]. In addition, the United Kingdom (UK) has introduced an open banking initiative that will require large banks to make customer data available to third parties via standardised public application programming interfaces (APIs).
The relevance to firms in Asia Pacific? First, many organisations will need to comply with PSD2 and GDPR because they have operations in the EU or, with respect to the GDPR, because they hold EU citizens' personal data. Second, governments and regulators in Asia Pacific continue to stress the importance of compliance with data protection and privacy obligations, but are also showing increasing support for customer control and data sharing initiatives.
Moving toward customer control and data sharing
The need to protect customer data is well entrenched and well understood in most of Asia Pacific, and regulators have been acting in this area for some time [2]. However, the newer trend is toward enhancing customer control and supporting open data, and there are notable developments across the region.
In Australia, the Productivity Commission this year recommended a new consumer right to access and use customer data, as well as a new structure and framework to facilitate data sharing [3]. The Australian government has also commissioned an independent review on implementing an open banking regime, which will require banks to share product and customer data with customers and third parties (with customer consent) [4]. Under legislation enacted in the Japanese Diet this year, financial institutions dealing with “Electronic Payment Intermediate Service Providers” will need to develop systems that support open APIs [5].
In India, the Supreme Court recently delivered an historic judgment making privacy a fundamental right for Indian citizens, and a Data Protection Act is likely to be passed by the end of 2017 or early 2018. Meanwhile, the Household Finance Committee has recommended a rights-based framework, which would confer on data subjects a set of rights in relation to their personal data and impose requirements and liabilities on data controllers (e.g. financial services firms) in respect of meeting these rights [6]. The RBI’s Deputy Governor has also been arguing for a public credit registry to provide an extensive database of credit information that is accessible to all stakeholders [7].
The Monetary Authority of Singapore (MAS), in conjunction with the Association of Banks in Singapore, has developed API standards for the financial services industry in that country. MAS has also started using APIs to make its datasets publicly available [8] and has been actively encouraging banks to follow suit [9]. Singapore’s Minister for Communications and Information has recently talked about the value that data can generate “not only for the organisation collecting the data, but also for others far removed from the initial point of contact” and in this regard announced the publication of a guide “to provide clarity for companies about how they can share data today”, as well as plans to join the APEC Cross-Border Privacy Rules System and the APEC Privacy Recognition for Processors System to facilitate more seamless sharing of information [10].
The tension between openness and privacy
Despite the potential benefits of more open data and data sharing, they also raise the risk of compromising privacy and data security. As much as regulators are supportive of giving customers more control and encouraging data sharing, they are also vigilant about organisations complying with privacy and data protection regulations, which are usually designed to restrict, not release, data. It is not only legal obligations that create this tension. There are ethical, commercial and reputational pressures to guard personal, sensitive and confidential information. Balancing these seemingly conflicting duties is not easy, and decisions to release information are unlikely to be clear cut.
Why regulators want data sharing
So why this regulatory push to have industry share their data and to give customers more control? The exponential growth in data brought about by new digital technologies has led to the development of numerous new products and business models. Having access to more data is widely viewed as a unique source of value and the foundation for innovation. Building innovation in financial services is a priority for most regulators in the region, as it is seen as having the potential to infuse competition into the industry, enhance efficiency and productivity, and provide better consumer outcomes (e.g., more options for customers, easier access, more tailored solutions, lower prices). For example, the argument goes that by requiring large incumbent banks to open up their customer data sets, FinTech start-ups will have the building blocks on which to create new competitive products. There is also a growing recognition that technological advances are challenging the notions underpinning existing privacy and personal data protection frameworks, in particular consent-based and anonymisation-based regimes: for example, algorithms that undo data anonymisation, and distributed ledger technologies that can break down centralised control of data.
How sharing benefits financial services organisations
While some in the financial services industry are concerned about losing their competitive edge if they are required to share customer data (often built up over several years), there are significant benefits too. Industry-wide transparency can lead to better product pricing and risk assessment. For example, comprehensive credit reporting could provide a more accurate and comprehensive understanding of an individual’s risk profile. It can also facilitate partnerships that enhance the consumer experience: for example, China’s WeChat Pay has developed APIs that allow customers of China Merchants Bank to link their credit card and WeChat accounts, enabling credit accounts to be viewed via WeChat. A recent US study has also found, “surprisingly”, that an open data initiative on credit card complaints benefitted the banks that had complaints against them posted online [11]. Further, new revenue streams could be opened up for those incumbents that set up trusted and secure platforms for data sharing.
Setting a strategy to manage the data balancing act
Despite uncertainties, avoiding the trend toward open data is not a recommended strategy and we see organisations already voluntarily aligning themselves with the stricter requirements coming from the EU. The goal should be to set up mechanisms that will enable data sharing with confidence and without unduly compromising privacy and other data protection obligations. To do this, financial services firms need to gain and maintain an intimate understanding of their data at all stages of a dataset’s lifecycle: when collected, stored, accessed, moved, copied, released.
Privacy and open data implementation programmes should not be rolled out in silos. Instead, such programmes should be co-ordinated to take account of each other’s requirements, as well as other relevant initiatives such as cyber security programmes. Privacy should be woven into all stages of the data management process, but a strategy and risk management lens should also be applied to decisions on what data can and cannot be released.
The cost of implementing a large-scale data transformation programme can be very high, particularly when faced with a history of fragmented data collection and outdated legacy systems designed to prevent data release. Nonetheless, the costs of not having a solid data management programme supportive of both restriction and release could be greater. Think, for example, of the costs associated with manual tracking and linkage of data sitting in incompatible systems, or of responding to regulatory action over breaches.
Open data and more customer control are coming to Asia Pacific, but there will also be greater regulatory oversight of privacy and data protection. Uncertainty around future rules and/or a lack of prescriptive regulation may motivate some to adopt a “wait and see” attitude, and the tendency could be to favour the status quo. However, firms will be better advised to develop a data strategy now, to gain a good understanding of how the trends discussed in this note may affect their organisation, and to play an active role in informing and shaping evolving regulation and legislation.
2. For a more detailed discussion of privacy and data requirements in Asia Pacific, see “Building trust across cultures: Privacy and data protection across the Asia-Pacific region”, https://www2.deloitte.com/au/en/pages/risk/articles/building-trust-across-cultures.html. See also “Cyber Regulation in Asia Pacific – How financial institutions can craft a clear strategy in a diverse region”, https://www2.deloitte.com/au/en/pages/financial-services/articles/cyber-regulation-asia-pacific.html
9. http://www.channelnewsasia.com/news/singapore/mas-takes-step-towards-open-api-architecture-to-bolster-fintech--8125092; http://www.mas.gov.sg/Singapore-Financial-Centre/Smart-Financial-Centre/Application-Programming-Interfaces.aspx