Response to discussion Paper on innovative uses of consumer data by financial institutions
Go back
To a lesser degree, firms leverage external data sources for purposes such as credit rating information. For example, in Germany we obtain Schufa credit rating information as well micro-geographic data to improve marketing effectiveness.
DB does not rely on innovative data sources such as social media for creditworthiness assessments due to concerns about its ability to add significant value to the assessment and improve outcomes. It is also not yet widely accepted by regulators as a trusted source. It may be used in the future where other more reliable data sources have already been exhausted.
- Aiding the decision-making process around creditworthiness assessments.
- Providing customised offers to consumers subscribed to particular products and services.
- Providing customised offers to consumers from selected external partners (third party marketing). Currently only aggregated consumer data is used for this purpose, rather than individual profiles.
- Offering customised financial products to consumers with the help of scoring systems / algorithms based on consumer data.
- Providing financial management tools to consumers such as financial planning services.
- To target marketing at the right individuals.
- As an engagement tool to encourage customers to think about potential financial products suitable to their needs.
For a broader perspective on the value of data for the economy and for banks and the implications for data protection and data security, DB Research has published papers on “data protection and data security” and on “big data”.
DB’s products and services have evolved as a result of using consumer data. This includes:
- An online financial planning tool combined with smart functions to suggest products or services to the client based on his historic financial patterns. The functionality will also be able to provide a forward-looking projection of a customer’s account balance based on his historic account patterns.
- A multi-bank aggregation service, which integrates external bank accounts and other financial products into a single online view which can be received across all devices and channels. The service also offers - upon client request - comprehensive analysis and advisory tailored to the customer’s overall financial situation across all banks and financial service providers. For example, this enables us to highlight to a consumer when he might be paying more than the average for services such as gas and electricity based on an analysis of payment patterns of customers with a similar demographic / based in a similar location.
Future developments may include:
- Digital identity (eID) - customers currently own a variety of accounts and identities with many services and can only enter contracts in a limited fashion or following a complicated identification process. The digital identity unites a customers’ data in one secure place, bringing substantial convenience benefits as well as data protection advantages. Not only can the customer use the digital identity to identify himself with third parties and use services instantly, but he is also able to enter binding contracts and make transactions at any time in the online and offline world. Data protection is strong because users are able to exercise selective disclosure and data storage take place with a trustworthy partner in a safe and familiar environment.
The European Commission is exploring ways to further the interoperability of digital identities to make services marketable across Europe including banking services. Thus, a market is forming with an opportunity for banks to play a pivotal role going forward.
- Provision of ‘eSafe’ services which would offer confidential, secure electronic safekeeping for personal private documents. As long as banks continue to be viewed as a secure location for storing and retaining data and documents, this then creates additional products for consumers and potentially additional revenue for banks.
- Using data derived from customer usage of the internet to better understand online behavior and to target online marketing better as a result.
Asymmetries could exist for banks with regards to regulation for financial institutions. The Payment Services Directive 2 (PSD 2) requires banks to open up their infrastructure towards Third Party Providers (TPPs), but does not require TPPs to so so vis a vis banks. This creates an unlevel playing field and potential market distortions and unintended consequences as a result.
TPPs should also be subject to the same cyber-security and data protection rules as incumbent banks to ensure that every node in the system is protected from a financial crime perspective. In addition to ensuring a level playing field this will also increase confidence and remove some barriers to the use of data.
Some court decisions at national level also create barriers – for example in Germany there is a prohibition on the use of the “subject” line of consumers’ bank transfers for consumer behaviour analysis. This information would be useful to aid in targeted marketing if able to be used.
Risk #2 refers to the risk that consumers become “locked in” by their current provider because their data is not accessible to other financial institutions. The EU General Data Protection Regulation (GDPR) will address this, as it includes a data portability requirement which means that data subjects have the right to receive the data which they have provided to a data controller.
When considering the potential risks more broadly, the EBA should take into account the range of existing legislation which already applies to the use of consumer data by financial institutions. The GDPR in particular implements a very strict regime, which includes documentation requirements and transparency obligations towards data subjects as to how and why their data is being handled; and mitigates many of the risks which are identified by the EBA.
The key requirements include that personal data must be:
- Processed lawfully, fairly and in a transparent manner to the data subject
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date
- Kept in a form which permits identification of data subjects for no longer than necessary for the purpose for which the personal data are processed
- Stored in a way that ensures appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Given that the GDPR is a new piece of legislation which is not due to be implemented for another 2 years, there would be value in awaiting its implementation before further regulatory action is taken.
Further guidance detailing how the GDPR applies to the financial services sector may be helpful in future following the general implementation which is currently taking place at national level.
As highlighted under Risk #11, we do not foresee financial institutions becoming overly dependent on consumer data as a revenue stream in the short to medium term. Existing EU rules on data protection, competition, unfair contract terms and unfair commercial practices are already strong enough to avoid the unfair bundling of products, e.g. the idea of tying a bank account / payment service to another non-financial-service digital service (such as advertising or virtual credits).
As a financial services provider ourselves, we always obtain the customer’s explicit consent for any additional service provided using their data as well as providing full disclosure as to how their data is used.
1. In what capacity (i.e. consumer, financial institution, technology providers, etc.) have you had experience with innovative uses of consumer data?
We have had experience as a full service financial services provider. As an authorised credit institution under CRD and investment firm under MIFID we make use of consumer data in a number of innovative ways.2. Based on your knowledge, what types of consumer data do financial institutions use most?
Financial institutions make most use of basic consumer account data including ID details, contact details, education and professional details, socio demographics and activity information such as payments data, product usage, and data collected from customer advisory activities.3. Based on your knowledge, what sources of consumer data do financial institutions rely on most?
Financial institutions predominately rely on internal data sources – both that which is provided directly by consumers when entering into a contractual relationship and data obtained indirectly, such as payments data.To a lesser degree, firms leverage external data sources for purposes such as credit rating information. For example, in Germany we obtain Schufa credit rating information as well micro-geographic data to improve marketing effectiveness.
DB does not rely on innovative data sources such as social media for creditworthiness assessments due to concerns about its ability to add significant value to the assessment and improve outcomes. It is also not yet widely accepted by regulators as a trusted source. It may be used in the future where other more reliable data sources have already been exhausted.
4. Based on your knowledge, for what purposes do financial institutions use consumer data most?
There are a range of purposes that financial institutions use data for:- Aiding the decision-making process around creditworthiness assessments.
- Providing customised offers to consumers subscribed to particular products and services.
- Providing customised offers to consumers from selected external partners (third party marketing). Currently only aggregated consumer data is used for this purpose, rather than individual profiles.
- Offering customised financial products to consumers with the help of scoring systems / algorithms based on consumer data.
- Providing financial management tools to consumers such as financial planning services.
- To target marketing at the right individuals.
- As an engagement tool to encourage customers to think about potential financial products suitable to their needs.
5. How do you picture the evolution of the use of consumer data by financial institutions in the upcoming years? How do you think this will affect the market?
In general, we expect there to be increased cooperation with external partners and further integration of external data sources due to the growing relevance of social media, financial technology firms and other large technology companies. We also expect that financial-services providers will increasingly leverage consumer data to offer greater customisation of products and new data-based services due to the rapid improvement of algorithms and methodologies used to analyse consumer data. We also expect that more data usage in future should come with explicit customer consent following a transparent dialogue with customers.For a broader perspective on the value of data for the economy and for banks and the implications for data protection and data security, DB Research has published papers on “data protection and data security” and on “big data”.
DB’s products and services have evolved as a result of using consumer data. This includes:
- An online financial planning tool combined with smart functions to suggest products or services to the client based on his historic financial patterns. The functionality will also be able to provide a forward-looking projection of a customer’s account balance based on his historic account patterns.
- A multi-bank aggregation service, which integrates external bank accounts and other financial products into a single online view which can be received across all devices and channels. The service also offers - upon client request - comprehensive analysis and advisory tailored to the customer’s overall financial situation across all banks and financial service providers. For example, this enables us to highlight to a consumer when he might be paying more than the average for services such as gas and electricity based on an analysis of payment patterns of customers with a similar demographic / based in a similar location.
Future developments may include:
- Digital identity (eID) - customers currently own a variety of accounts and identities with many services and can only enter contracts in a limited fashion or following a complicated identification process. The digital identity unites a customers’ data in one secure place, bringing substantial convenience benefits as well as data protection advantages. Not only can the customer use the digital identity to identify himself with third parties and use services instantly, but he is also able to enter binding contracts and make transactions at any time in the online and offline world. Data protection is strong because users are able to exercise selective disclosure and data storage take place with a trustworthy partner in a safe and familiar environment.
The European Commission is exploring ways to further the interoperability of digital identities to make services marketable across Europe including banking services. Thus, a market is forming with an opportunity for banks to play a pivotal role going forward.
- Provision of ‘eSafe’ services which would offer confidential, secure electronic safekeeping for personal private documents. As long as banks continue to be viewed as a secure location for storing and retaining data and documents, this then creates additional products for consumers and potentially additional revenue for banks.
- Using data derived from customer usage of the internet to better understand online behavior and to target online marketing better as a result.
6. Do you consider the potential benefits described in this chapter to be complete and accurate? If not, what other benefits do you consider should be included?
We feel there are some other benefits which could be included such as the increased efficiency and speed of decision making which results from better use of consumer data. At present, getting approval on a mortgage application, for example, can take some time, but there is no reason why this could not take place much faster in the future. This could also increase the accessibility of financial services to certain individuals who might otherwise have been denied a product. Conversely this could also become a risk if products are denied to individuals who might otherwise get them.7. Are you aware of any barriers that prevent financial institutions from using consumer data in a beneficial way? If so, what are these barriers?
There should be a level playing field for all market participants, in particular with regard to consumer data protection rules.Asymmetries could exist for banks with regards to regulation for financial institutions. The Payment Services Directive 2 (PSD 2) requires banks to open up their infrastructure towards Third Party Providers (TPPs), but does not require TPPs to so so vis a vis banks. This creates an unlevel playing field and potential market distortions and unintended consequences as a result.
TPPs should also be subject to the same cyber-security and data protection rules as incumbent banks to ensure that every node in the system is protected from a financial crime perspective. In addition to ensuring a level playing field this will also increase confidence and remove some barriers to the use of data.
Some court decisions at national level also create barriers – for example in Germany there is a prohibition on the use of the “subject” line of consumers’ bank transfers for consumer behaviour analysis. This information would be useful to aid in targeted marketing if able to be used.
8. Do you consider the potential risks described in this chapter to be complete and accurate? If not, what other risks do you consider should be included?
We do not agree that all the risks described are accurate.Risk #2 refers to the risk that consumers become “locked in” by their current provider because their data is not accessible to other financial institutions. The EU General Data Protection Regulation (GDPR) will address this, as it includes a data portability requirement which means that data subjects have the right to receive the data which they have provided to a data controller.
When considering the potential risks more broadly, the EBA should take into account the range of existing legislation which already applies to the use of consumer data by financial institutions. The GDPR in particular implements a very strict regime, which includes documentation requirements and transparency obligations towards data subjects as to how and why their data is being handled; and mitigates many of the risks which are identified by the EBA.
The key requirements include that personal data must be:
- Processed lawfully, fairly and in a transparent manner to the data subject
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date
- Kept in a form which permits identification of data subjects for no longer than necessary for the purpose for which the personal data are processed
- Stored in a way that ensures appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Given that the GDPR is a new piece of legislation which is not due to be implemented for another 2 years, there would be value in awaiting its implementation before further regulatory action is taken.
Further guidance detailing how the GDPR applies to the financial services sector may be helpful in future following the general implementation which is currently taking place at national level.
As highlighted under Risk #11, we do not foresee financial institutions becoming overly dependent on consumer data as a revenue stream in the short to medium term. Existing EU rules on data protection, competition, unfair contract terms and unfair commercial practices are already strong enough to avoid the unfair bundling of products, e.g. the idea of tying a bank account / payment service to another non-financial-service digital service (such as advertising or virtual credits).
As a financial services provider ourselves, we always obtain the customer’s explicit consent for any additional service provided using their data as well as providing full disclosure as to how their data is used.