GDPR: how banks can maximise the opportunity
GDPR is all about gaining the public’s trust – something banks, in general, still have, but which some leading social media companies do not enjoy.
By leveraging this disparity, investing in digital technology and in safe data management, banks will not only survive the coming years, but thrive, writes Peter Ryan.
It’s been almost eight months since the new regulations on how companies collect, store and use personal data became law – the general data protection regulation or GDPR. It is one of a triumvirate of new regulations that could open up new revenue streams for banks in the name of open banking.
Together with the new Payment Services Directive (PSD2), which opens up regulated third-party access to customer data, and the Payment Access Directive (PAD), which makes it easier to compare bank charges, the new regulations are designed to make banking more competitive and allow providers to offer modern, value-added services to their customers while keeping their data safe.
To quantify the opportunity, one study by PwC (https://www.pwc.co.uk/press-room/press-releases/open-banking-market.html) estimates that open banking could generate more than £7.2bn by 2022 for banks, fintechs, credit scoring agencies and the tech giants. So what do banks have to do to ensure they don’t get left behind?
The size of the prize means new entrants are keen to try their luck at taking market share. But banks have a huge advantage over them as established and trusted players in terms of looking after our assets, including our personal data, which they have in abundance.
This is critical because data will be the key to successful open banking. By analysing it, banks will be able to increase existing and create new revenue streams by more easily cross-selling and upselling, and by offering new services with third-party partners such as account aggregation via fintechs and timely and appropriate discounts or offers with retailers.
Done well, it promises to bring back a level of service that bank customers still value and want but that all but disappeared from the industry years ago due to the high cost of providing it. At its heart, open banking is about engendering trust, leveraging personal data and providing great service.
The first thing banks need to do to succeed is to recognise the opportunity and leverage their advantage. To date, too many have seen open banking regulation as a cost – even a threat. GDPR in particular has been viewed as an unnecessary burden thanks to the very fact that the sector has one of the best track records when it comes to keeping customer data safe. This is perfectly illustrated by a recent survey by Accenture that found that 70 per cent of respondents don’t like the idea of using social media channels, for example, to access or communicate with their bank (https://www.accenture.com/gb-en/company-news-release-trust-banks-customer-risk).
Next is to realise that while banks can make open banking work on an old legacy system, the task will be far easier and more efficient with a digital core platform.
The old legacy systems still operated by so many banks run a multitude of databases, each a data silo. The real opportunity in open banking is for banks to be able to access and analyse all of a customer’s data so that they can anticipate and accompany that customer on more of their financial journeys.
At the same time, banks need to be able to store customer consents for data use in a central, easily accessed format. That way, when requests for data are made – perhaps by third-party banks as part of an enhanced service such as account aggregation – they can be easily and cheaply fulfilled. Both are far easier with a digital core.
Customers are also becoming increasingly aware of their data protection rights, such as data portability, where personal data must be presented in a machine-readable format, with fines for organisations that fail to do so. A legacy system will have problems finding all the right data and delivering it quickly and efficiently in the right format. But that’s not the only downside: failure or delay will also likely damage a bank’s reputation and there’s the potential to lose business when customers become frustrated at a slow or inefficient service.
Next, banks will need to adopt a data-protection-by-design approach to security and train staff to be data aware. This means building processes that only access and display the data required to perform each task. For example, does a failed payment screen need to identify the customer or just display the account number? This will require thinking about processes and data management to ensure personal data is never accessed unnecessarily. It’s a case of compliance helping to build and reinforce trust.
Similarly, banks will have to work with their third-party partners, those with which they share customer data, to ensure the latter have the right customer consents and that the data is secure. This is where APIs come in.
APIs allow banks to share data and check any GDPR requirement about consent. When it comes to working with merchants, again, an API can share the data securely and check it is shared compliantly.
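As an added illustration (not from the article or any vendor's product), the sketch below combines the central consent store, the per-task data minimisation and the consent check at the API boundary described above. All task names, field names, third-party names and sample records are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Fields each task may see (hypothetical task names); anything unlisted is withheld.
TASK_FIELDS = {
    "failed_payment_screen": {"account_number", "failed_payment_amount"},
    "account_aggregation": {"account_number", "balance"},
}

@dataclass(frozen=True)
class Consent:
    customer_id: str
    third_party: str
    purpose: str
    expires: date
    withdrawn: bool = False

class ConsentStore:
    """Central consent register keyed by (customer, third party, purpose)."""
    def __init__(self, consents):
        self._by_key = {(c.customer_id, c.third_party, c.purpose): c for c in consents}

    def is_valid(self, customer_id, third_party, purpose, today):
        c = self._by_key.get((customer_id, third_party, purpose))
        return c is not None and not c.withdrawn and today <= c.expires

def view_for_task(record, task):
    """Return only the fields the task needs; an unknown task raises KeyError (fail closed)."""
    allowed = TASK_FIELDS[task]
    return {k: v for k, v in record.items() if k in allowed}

def share_with_third_party(record, third_party, purpose, store, today):
    """Release the minimised view only if a live consent covers this party and purpose."""
    if not store.is_valid(record["customer_id"], third_party, purpose, today):
        raise PermissionError(f"no valid consent for {third_party} / {purpose}")
    return view_for_task(record, purpose)

# Constructed sample data, not real customer or partner details.
CUSTOMER = {"customer_id": "C-1001", "name": "A. Example", "address": "1 Sample Street",
            "account_number": "12345678", "balance": 250.0, "failed_payment_amount": 42.5}
STORE = ConsentStore([
    Consent("C-1001", "aggregator-a", "account_aggregation", date(2019, 6, 30)),
    Consent("C-1001", "aggregator-b", "account_aggregation", date(2019, 6, 30), withdrawn=True),
])
TODAY = date(2019, 1, 15)

if __name__ == "__main__":
    print(view_for_task(CUSTOMER, "failed_payment_screen"))
    print(share_with_third_party(CUSTOMER, "aggregator-a", "account_aggregation", STORE, TODAY))
```

The failed payment screen never receives the customer's name or address, and a withdrawn, expired or missing consent stops the share before any field is read.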
So banks with a digital core using APIs will be able to take full advantage of the new open banking regulations. And what is more, they will be in pole position to fight off the competition. They will have the technology, the valuable customer data and the public trust to use and share that data – something other providers might lack. This is important because companies that understand how to use data to their advantage – the platform companies like Amazon, Google and Facebook – are likely to pose the biggest threat to banks in the world of open banking. But if the platform companies aren’t yet trusted, banks have a huge advantage – for now.
Peter Ryan is product manager for open banking compliance at Temenos