Response to discussion Paper on innovative uses of consumer data by financial institutions

Go back

1. In what capacity (i.e. consumer, financial institution, technology providers, etc.) have you had experience with innovative uses of consumer data?

The French Banking Federation (FBF) is an association governed by the Law of 1901. It represents all French banks and foreign banks with operations in France in the form of subsidiaries or branch offices, whether they are European or from the rest of the world.
It was formed in 2000 from the desire to bring together all companies in the banking sector – commercial banks already enjoying membership of the French Bankers Association (AFB)(1) and coo¬perative and mutualist banks – in order to promote, with a single voice, the activity of the profession in France, Europe and internationally.
383 banks are members of the FBF: univer¬sal banks, online banks, merchant banks, private banks, local banks, etc. Credit institutions licensed as banks and the branch offices of credit institutions in the European Economic Area can, if they wish, become fully-fledged members of the FBF, which would then represent their professional institution.



French banks have experience with innovative uses of consumer data as international financial institutions which retail entities are in France and Europe.
Moreover a lot of banks are also technology providers: smartphone, payment acquisition, cash withdrawal, payment platforms, online banking and remote payment etc.

2. Based on your knowledge, what types of consumer data do financial institutions use most?

Financial institutions mostly use data on consumers such as ID details or contact details and on products detention outstanding and flows
Other data are used for the subscription and management of product like :
• Property ownership, revenues and professional details are used for credit
• Financial knowledge levels are used for financial products
• Family knowledge
• Payments data for fights against fraud,
• Stream data Internet protocol when some business partnership exist.
• Data on usage of channel – mainly electronic banking or smartphone or meeting in branches- is also developing. We use this kind of data to follow the use of our own sites. We use the browsing history for bank web-site.

3. Based on your knowledge, what sources of consumer data do financial institutions rely on most?

As far as banks are concerned they mostly rely on the following external and raw sources of consumer data:

• Data collected directly from the consumer
• Data collected indirectly with the consumer’s consent.
• Data produced by bank operating systems for risk management,
• Data from the official records e.g. national register of loan and payment incidents, and irregular cheques.

4. Based on your knowledge, for what purposes do financial institutions use consumer data most?

Banks used consumer data to comply with some regulation (complying with regulatory and prudential obligations, KYC) and some schemes rules (SEPA payments as SEPA credit transfer, direct debit and cards schemes…) which apply to them.
Without these data, banks would probably not be able to cooperate with states and international organizations with the same efficiency. For instance consumer data is essential to comply with AML rules and fight against fraud – be it internal or external. Banks also know they can rely on data to tackle terrorism (Detection & Enforcement), cybercrime and tax evasion.
The use of data allows also opening and management of core banking services (KYC).
This use of data allows to maintain and guarantee the financial security systems.
The use of consumer data is a historical practice that is intrinsically related to the business model of banks. It allows them to run their activities and comply with their various obligations.

We would like to remind that consumer data is essential to deliver core banking services such as account openings, payments instruments or credit granting. The use of consumer data widely contributes to the assessment of consumers' creditworthiness. It also contributes to lower the credit risk and thus to the resilience of the European Banking system. To sum it up, banks essentially process consumer data for internal purposes such as:

• credit granting
• Debt recovering
• Insurance services
• Risk Decision and Management: scoring, rating, monitoring
• Investment advice,
• Others services of extra banking environment as smartphone, human services…
Consumer data is also important to customize the consumer relationship and improve the quality of our financial services. It should be underlined that for banks, technology has always been an opportunity to provide new and better services and to help our financial advisor in their marketing activities.

Some specific marketing offers are also addressed to consumer segments based on their payment flows and aim at creating dedicated offers.
Banks are also likely to use consumer data for customer satisfaction and process optimization purposes. For instance, the process of consumer data can help banks to quickly authorize an exceeding overdraft. Furthermore some bank entities have developed automated financial advice tools for client’s benefits.

5. How do you picture the evolution of the use of consumer data by financial institutions in the upcoming years? How do you think this will affect the market?

More and more information will be available in the upcoming years. It is our opinion that stronger computing power, better technology and analytical methods will make data processes more efficient. The use of data will be done in real-time within customer interaction phase. Consumers will be able to access more targeted offers with personalized products and services based on their needs and behavior.
This will bring important security and level playing field issues in the context of a fierce competition between banks and newcomers – namely GAFAs and fintechs.

Data are more and more coveted by the new actors as GAFA and Fintech. The payment’s data access is already regulated by the Payment service directive (PSD 2) for the new actors (Third party provider) and by the technical standards prepared by the European Banking Authority and scheduled for Q4 2018.

In this context, the security guaranteed by these new actors is a major issue for the confidence of the clients and the resilience of the financial infrastructures and institutions. The national and European authorities are in charge of the supervision and control of these new actors and have to maintain the security and the resilience of the financial market.

In that context we would like to remind that data protection and security have always been key concerns for banks. Banks use the data that consumers provide to them in a secure way and intend to keep it that way. Confidence in banks as trusted third parties is essential for their reputation. Banks have always been respecting provisions on business confidentiality. For instance the French Monetary and Financial Code clearly rules that banks are subject to professional secrecy. In that context banks are likely to turn data security and privacy into a competitive advantage in the years to come.
We are very careful on this matter as we do not want to weaken our relationship with our consumer and damage our image. A label recognizing this specificity of high security and privacy would be welcome.
Furthermore banks are already taking into account the increasing importance of data privacy within their internal governance. It is the proof that banks do have a responsible approach on the subject. For instance many banking groups are currently establishing a doctrine on a responsible use of consumer data.
Concerning Alternative Business Models : if the alternative way of generating revenue with data may be study in a prospective way by the banks), the money at stake has not to be over-estimated compared to the size of the banking revenue. Hence, the continuous decrease of interest rate should lead bank to more and more leverage its non core banking activities.
Nevertheless it is our opinion that the same rules should apply to the same players. In the future we think that there will be more and more non-financial services providers entering the market. This is the responsibility of the national and European regulators to supervise that all actors in the market are submitted to the same regulation as financial entities for the services offered.
All actors (included TPP) have to comply with all rules which allow to have access and supply the financial services.

6. Do you consider the potential benefits described in this chapter to be complete and accurate? If not, what other benefits do you consider should be included?

The use of data can increase the service quality by given to the customers a made-to-measure services. The new offer can be available 365/24/7, secured and on all devices owned by the clients (smartphone, ipad, IoT, laptop…). By the way, banks will be in position to answer almost in real time to the customer’s needs.

Therefore, banks have to engage large investments in IT and in security area for increase the offer quality and guarantee and maintain the customer confidence. But the use of customer data could also help to improve operational efficiency of internal processes as well as in front office processes or back office processes.

The resilience and the security are an obligation for some large banks which are operator of vital importance (French military law).

This aim needs to hire new staff with accurate and suitable skills in digital issues. This recruitment of more and more specialized resources have a large impact on the payroll and its cost.

The ability of banks to dramatically reduce their costs thanks to consumer data is not proved.

7. Are you aware of any barriers that prevent financial institutions from using consumer data in a beneficial way? If so, what are these barriers?

Banking secrecy is a real and effective protection for the client’s data. However the data sharing between entities belonging to the same group should be easier whatever the type of entities (bank, insurance, investment entities…).
Banking or financial groups should be more considered as a sole entity within EU, and be allowed to exchange data and treatments internally within EU territory, under the umbrella of coordinated EU data protection authorities. This would favor the emergence of more integrated, more efficient European retail financial markets (including ad hoc legal entities for wealth management purposes), as well as ease the compliance of existing regulations such as KYC or consumer protection.
Banks have to operate in an extremely regulated environment for use of data: banking secrecy, data protection, KYC, fight against fraud. Regarding the banking secrecy, it is necessary to collect the customer express consent before providing the confidential information to a third party. It would appreciated if the conditions to obtain this consent should be easier and adapted to the digital environment under the European regulation.
Moreover, the use of data is limited by the purpose of the original collect and reported to the customer.
The financial services industry has traditionally been highly regulated with the aim of providing security and protection to the consumer and ensuring financial stability. Besides, there is no denying that the banking activity is a critical service to the general economy.
In that context we believe additional regulation for the banking industry is not needed. This is all the more true so as most of the risks mentioned in the discussion paper are already addressed in existing EU and national legislation. Any specific regulation for banks on the topic of personal data would be counterproductive. Banks do not ask for new regulations, but they request a simplification, harmonisation and stabilisation of the existing ones.
Guidelines are also expected as they would certainly improve the legal certainty regarding the use of consumer data. For instance the new GDPR adopted in April 2016 will allow data anonymisation and pseudo-anonymisation but does not offer guidance about the solutions to obtain a 100% secure process of anonymisation or pseudo-anoymisation. In this scenario entities will have to face the risk, on a case by case basis, of not being compliant according to the regulator criteria.
Financial institutions also request a strict equality of competition: same service and risk, same rules. Regulatory discrepancies between banks and other type of actors is an important barrier that prevent financial institutions from using consumer data in a beneficial way. Banks are currently subject to many regulations, which do not apply to non-banking digital financial services providers. Currently there are non-financial services providers entering the digital market that provide similar financial services despite not being subject to the same regulation as financial entities, and thus they are not playing under the same rules.

It seems necessary to have a good coordination between the EU authority which contribute to the Framework of regulations, guidelines etc.

8. Do you consider the potential risks described in this chapter to be complete and accurate? If not, what other risks do you consider should be included?

Risks to consumers
- Information asymmetries : In our point of view, we should not confuse a lack of information and a lack of awareness of the law. Information is compulsory and misuse or sale of a data without explicit acceptance of the client is forbidden by law. The consumer has also a central role on keeping its information at the best level.

Our entities are managing customer data very carefully. In order to use customer data for any additional commercial purpose, customer should sign the special terms and condition that he/she is allowing that his data can be used for different surveys analyses and commercial action. If client after is not allowing to be contacted for commercial purpose, the bank make a note often directly in its IT system and customer is not any more contacted with commercial messages. Furthermore, all data that are collected via different channels are in DW and after by using different Data Marts additionally structured and aggregated.

- Data security : There is no denying that consumers suffer detriment if consumer data stored by financial institutions is obtained fraudulently by third parties. In this latter case the players' responsibility must be clearly defined for each player in the treatment process in case of an incident. In addition, the security constraints imposed by regulators must be the same for all players who handle or collect personal and banking data.

Risks to financial institutions :
- Reputational risks : This risk is very sensitive for banks. It is taken into account in our operational risk evaluation, in our process and training.
- New entrants in the market :
The lack of level playing field between all actors is a real risk to financial institutions. Banks have to comply with very strict regulations and the new entrants may not be submitted to the same regulations, allowing an easier way of managing and profiling the clients and providing more innovative and easier services. New players are also offering new intermediation models, between customers and credit institutions, which currently are not necessarily taken into account by the regulatory framework and banking supervision which has therefore to evolve.
Given this, it is important that the same rights and the same obligations apply to all players, in all countries. Current imbalances are barriers to innovation for traditional banking institutions which are subject to the existing banking and financial regulations. They may also create situations where consumers are put at risk, as they do not have a uniform level of protection. Therefore it seems necessary to us to ensure that the regulatory framework and the supervisory systems cover new players in financial services, and are applied uniformly, for the same sector, whether the companies concerned are financial institutions or not. This is a key point in order to insure confidence and financial stability.

-Data security : The new risks created by digital technologies include risks linked to cyber-security. Financial institutions are one of the main targets in this area. Various cyber-crime awareness and protection initiatives are provided by banks through very regular investments:
• Fight against phishing and banking trojans: site detection, closing procedure, an awareness programme and controlled mail communication policy, roll-out of specific tools for customers such as IBM Trusteer tools.
• Fight against fraudulent transactions and money laundering by comparing logins and bank transactions. For this purpose, Fintech between the customer and the bank should not disguise information needed to appropriately identify fraud.
• Ongoing improvement of our payment methods and non-face-to-face banking resources: implementation of a security pass for non-face-to-face banking, dynamic CVX2 on the back of a bank card, secure access etc.

However all the initiatives carried out by a bank to raise awareness, detect and react against cyber-attacks can be affected and damaged if the new players do not respect the same obligations.
In addition the European Commission hopes to encourage competition and innovation between financial players by opening" certain systems of the banks. These initiatives should not damage the stability (and 'usability') of systems already in place.
The dissemination of consumers' personal and banking information in private or cloud-based IT systems causes increased risks of information leakage, fraud and image, particularly for financial institutions, since trust is the basis of the relationship between these institutions and their customers.
In the latter case, the players' responsibility must be clearly defined for each player in case of an incident (e.g.: fraud)."

9. Have you observed any of these risks materialising? If so, please provide examples.

A new German actor is targeting the UK market which primarily offers an information exchange platform between third parties stakeholders in the area of financial and banking products. It progressively introduces the selling of financial products after analysis of such exchanges.

Some new players especially in the UK or Germany are developing partnership relationships where only one entity has a banking licence, which probably enables them to be swift and reactive but makes part of the set-up escape the banking regulation. Some platform (initially from Germany but now in many European countries is a pure non-regulated FinTech which is backed on a bank which books its transactions. Conversely, another bank has built an API-accessible banking platform enabling pure digital companies to create customs solutions and new products: their API is then hosted itself but have been developed in a pure non-banking non-regulated environment.

These structures create clear adherence between some new banks and Fintech which seems to favor at least partially circumvention of banking régulations.

Name of organisation

Fédération bancaire française

Please select which category best describes you and/or your organisation.

[Financial institution"]"