data privacy


Data privacy: A new service opportunity for financial institutions


Have you ever felt uncomfortable with how much your financial services provider knows about you?

June 12, 2019

A blog post by Jim Eckenrode, managing director of the Deloitte Center for Financial Services

I recently had the opportunity to hear a panel discussion among a group of bankers that dealt with the use of data and analytics to improve customer service and experiences. What stuck with me was a comment that a panelist made about how their bank was constantly reviewing these initiatives to ensure that they weren’t crossing a line into inappropriate use of customer information. That banker referred to it as the “creepy line”— a conundrum that is becoming more and more relevant with the explosion of new sources and uses of customer data by financial institutions and others. And while this perspective is certainly understandable, it conveys a sense of powerlessness on the part of financial services institutions to rationally, openly, and proactively deal with what should be an opportunity to engage with clients, rather than offend or alienate them.

Reimagining customer privacy for the digital age

Read the report

Thinking differently about privacy

Our research team here at the Deloitte Center for Financial Services has just released a report entitled, “Reimagining customer privacy for the digital age: Going beyond compliance in financial services.” The subtitle reflects my colleagues’ opinion that firms need to think differently about the impact of new privacy regulations on their business.

In the report, we considered the various aspects of personal data—not just the standard name/address/phone number, but also images, behavior, location, biology, and others—and explored how new technologies might encroach on privacy by making use of these forms of personal data. It’s a nifty way to look at it.

We also reviewed the privacy policies of many major financial institutions and found that most have not updated their rules to account for these new technologies and how they might be used in a privacy context. The team is now exploring consumer attitudes about privacy, the use of their data, and the perceived value they might receive from firms’ use of those data. We might even be able to identify the “creepy line,” which I expect will vary based on an array of different demographic identifiers and use cases. All of this makes the exercise of protecting privacy a tricky one for financial institutions to manage.

Privacy as a luxury?

Our authors also reference a view expressed at this year’s World Economic Forum meeting in Davos that, at some point in the future, privacy might become a luxury. Regulators have perhaps come to the same conclusion, enacting new privacy rules that, it is hoped, will make privacy more of a commodity good than a luxury item. Of course, the EU’s General Data Protection Rules (GDPR) are the foremost example of this more contemporary view of privacy. GDPR codifies the consumer’s “right to be forgotten” by holders of their personal data. This is a good next step, met more recently in the US at the state level by similar rules in California, Vermont, and Delaware (as pointed out in the report).

Our report concludes with a series of recommendations that firms should consider following as they seek to modernize their approach to customer privacy. These include such concepts as:

  • Broadening their scope to consider potential new data sources and ways those data might be used
  • Reviewing current standards and practices
  • Being good stewards of customer data that both resides on systems of record and that is accessed from third parties
  • Using data science techniques to better secure data
  • Being open and transparent about sources, uses, and benefits

Financial institutions as privacy safeguards

I see all of this as a backdrop for a broader movement toward customer ownership and control of their own data in all its forms. The “right to be forgotten” provides a sense of this, in that customers should be granted the right to opt out of continued storage or use of their data, perhaps after the original purpose for the access has been met. Even more than this, I believe customers should have control of who accesses what part of their data file and for what purpose. And when I say, “data file,” I mean identity. I mentioned this briefly in one of my recent blog posts where I talked about how one’s identity is “an asset to be managed and safeguarded.” In an increasingly digital age, individuals and firms alike need to be more proactive and take charge of ownership of this most personal of assets.

My contention is, who better to safeguard and control identity than one’s primary financial institution? Banks and others have developed programs, policies, and technologies (e.g., dual control access to vaults and fiduciary rules) to protect client assets for literally hundreds of years. And as the financial services business has become predominantly electronic, new programs and policies have arisen to meet the expectation of asset protection and control. As an example, not long ago Wells Fargo developed a digital service to safeguard customers’ electronic files in a kind of virtual safe deposit box.1 More recently, a group of Canadian banks came together to sponsor an initiative using blockchain technology to allow customers to securely verify and control their identities to access services from a variety of financial services, government, and utility providers.Financial services leaders should seriously consider moving beyond the justifiable concern about crossing the “creepy line” and beyond compliance (as our authors contend) and move to offer clients the value-added service of protecting and authorizing access to this most personal of assets.

Who better to safeguard and control identity than one’s primary financial institution?

What do you think?

Are financial institutions ready to take on this next generation of asset control and monitoring?
Is this a service your firm would be interested in exploring?

Join the conversation on Twitter: @DeloitteFinSvcs.


Michael Ellison, “Wells Fargo’s vSafe: The Virtual Safety Deposit Box,” Bank Systems & Technology, March 31, 2008

Doug Alexander, “Blockchain Adopted by Canadian Banks to Verify Client Identities,” Bloomberg, May 1, 2019



QuickLook is a weekly blog from the Deloitte Center for Financial Services about technology, innovation, growth, regulation, and other challenges facing the industry. The views expressed in this blog are those of the blogger and not official statements by Deloitte or any of its affiliates or member firms.

Site-within-site Navigation. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?