Why Banks Need to Prepare for Data Regulation
- March 13, 2019
Data privacy and security have been front and center for the last several years, but 2018 was a tipping point for consumers. Following the Facebook and Cambridge Analytica debacle and well over one billion compromised accounts, consumers are now demanding power over their data and the businesses that control it.
To combat the growing unease, the European Union implemented the General Data Protection Regulation (GDPR), which gives people control over their personal data. While the law is focused on the EU, it also addresses the exporting of personal data — including from the United States.
Similar to most companies in the U.S., banks and other financial institutions are taking a “wait and see” approach in regards to potential legislation that would impact data mining, sharing and operations. However, for banks that want to create a competitive advantage, now is the time to act.
If this was Game of Thrones, “Regulation Is Coming” would likely be the motto to strike fear in bank leaders as does “Winter Is Coming” in the seven kingdoms.
Last year, the California Consumer Privacy Act (CCPA) was signed into law and is currently the strictest consumer data protection law in the U.S. This law, which has been widely criticized by pro-business groups, does not give consumers complete ownership of their data like GDPR, but it does allow individuals to sue a company if their personal information is released as a result of a data breach.
In response, companies like Amazon, Apple, Google and others are now pushing for federal digital privacy legislation in 2019. They are leading the charge by business nationwide, but if GDPR and CCPA are any indication, legislation is coming, and it will favor consumers — who often appear to be the only victims in data privacy issues.
So why is regulation inevitable? Primarily because consumers are more educated than ever about data privacy, and they are starting to expect to be made more aware about how their data is being used by the companies with which they do business.
In a study released last year, NTT DATA found that only 8% of consumers strongly agree they trust businesses to keep their personal information secure. In addition, 79% of consumers reported they would stop doing business with a company that misuses their data — so the stakes are high.
Meanwhile, 93% of executives indicated their company has experienced a breach in the past three years. And even more relevant for banks — only 8% of executives said their company is effective at preparing for upcoming regulations. This must change…and quickly.
Ultimately, consumers are asking why banks and other companies need their information at all. “If I don’t give it to you, you won’t lose it.”
The issue for banks
As consumers and regulation move banks from data protection to data privacy as a mandatory minimum, banks have a significant challenge ahead. Not only are financial institutions one of the most targeted industries for cybercriminals, but naturally, banks often *need* personal information in order to provide valued services, such as opening a credit card, taking out a mortgage or securing a small business loan.
As regulation is introduced and implemented, banks will need to demonstrate value to *earn* consumer information. If a bank can explain why they need the requested data, as well as what they will do with the information, consumers will be more willing to comply.
Future regulation is likely to explain a consumer’s rights and require banks to identify how the data sharing could negatively impact them. This will likely lead to consumers having the ability to say “you can only use this information for the mortgage and nothing else.”
Of course, this will create a large operational impact on banks. Even if they are able to service a mortgage, they will not be able to share the data for credit card applications and other bank services. In addition, they might not be able to share any data with affiliates, which means they won’t collect revenue from the local home goods store who wants to send a flyer to the new homeowner. This will create an initial loss of revenue for banks. They may not even be able to share data with credit bureaus, which has the potential to disrupt how consumer credit is assessed.
Time will tell what future regulation in the U.S. will look like, but banks must begin to prepare — not only to avoid enforcement penalties — but also to gain a competitive advantage that will help make up for potential lost revenue streams.
A competitive advantage
Once new legislation is passed, the results will undoubtedly cost banks millions of dollars to change their operations, platforms, marketing strategies and outreach. This will be a significant operational cost that leadership must prepare for, but more importantly, banks will need to replace revenue streams that are no longer viable given the inevitable data privacy restrictions.
However, banks would be wise to view pending legislation as an opportunity rather than a hurdle. Proactive preparation will not only publicly indicate to consumers you are respecting their privacy, but it will establish you has a leader in the area, which will be valuable over the long-term as other companies and competitors fall victim to continued attacks and improper data management.
The minimum banks can do to prepare now is at the very least take an assessment of your current policies and processes, including relationships with external vendors. In order to make a change, banks themselves need to have a better understanding on how their data is collected, managed and shared. This is a basic vulnerability test that will be useful as you being to prepare for operational change.
The true industry leaders will develop their strategy and make the necessary plans to execute prior to regulation, but unfortunately, most banks will make the bare minimum changes to meet whatever standards are passed. Do this at your own peril.
As an example, the Department of Labor’s fiduciary rule, which legally bound financial professionals who work with retirement plans or provide advice to meet the standards of a fiduciary, was set to be phased in by Jan. 1, 2018. However, the U.S. 5th Circuit Court of Appeals effectively killed the measure, but this did not stop some companies from leveraging their preparation for their own gain.
Several companies had already made the necessary investments and executive commitment to meeting the fiduciary rule before it was implemented, which they turned into a marketing campaign to provide consumers with total transparency.
Remember, “Regulation Is Coming,” and banks must act now to protect their data, their consumers, their market position and their reputation. Blockchain and its immutable ledger may make this all moot one day, but for banks, it's best to learn more about how to improve your data privacy or contact one of our data privacy experts today to learn how to prepare for winter.