From the perspective of finance employees, one of the most pertinent cases of consumer data use is related to the prevention of money laundering, terrorist financing and other illegal practices. Aside from the increase in administrative tasks put on employees as a consequence of the regulatory framework in this field, there is a tendency for pushing responsibility for criminal prevention onto individual finance employees. Threats and hostility towards finance employees and their families are all too common as a consequence, which seriously challenges a healthy working environment in the banks. Therefore, any new legislation on the use of consumer data should strive to solve this and work to establish processes where financial institutions’ role of policing criminals does not threaten the health and safety of finance employees.
The use of consumer data by financial institutions is most likely to increase over the next upcoming years. It goes hand in hand with the ongoing digitalisation of the industry and many Nordic financial institutions are now increasing their work to use and analyse consumer data. Nordea for example is now digitalising the entire chain of supply. SEB is also digitalising its business and is looking in to new innovative uses of consumer data in order to ensure competitiveness. OP-Pohjola in Finland recently announced a multi-year 2.4 billion euro investment plan into digital technologies.
The use of consumer data is also increasing in the insurance industry. Telematics technology enables data to flow from connected devices, for example a car, to the insurers who can then use the data to assess risk and pricing. Telematics-based motor insurance has been available for many years, but now it is also emerging in health and home insurance. The development is however dependent on the consumers’ willingness to share their data (Deloitte – insurance disrupted – general insurance in a connected world).
NFU agrees with EBA’s description of the potential benefits for both consumers and the sector as a whole. There are many benefits for consumers described by EBA, it is however important to be cautious regarding advice given to consumer based only on automated analysis of personal data. Consumer data can of course improve advice but it is crucial that automated advice is complemented by a human advisor in order to safeguard the needs of the consumer and the stability of the sector. Personal data collected by internal and external structures do not always give the entire picture why NFU wants to be cautious when it comes to shifting to advice only based on automated data.
Benefits for the employees in the sector can be that the consumer data will assist them in advising consumers and get a better picture of the consumers’ situation. It is important that the collected personal data and analysis made by employees complement each other in order to achieve the best results for consumers. It could also be easier to see patterns and understand the consumers’ needs with all the consumer data. New products can also be developed that suit the consumers better as well.
Digitalisation brings an increased responsibility for the protection of their clients’ data. This is especially true for the insurance sector where especially sensitive personal data and personal financial and medical information are processed and intentionally used for calculations. These data need to be highly protected and not used for any business practices that could potentially harm consumer rights or cause discrimination.
The threat to the protection of personal data could increase when a growing amount of financial services are provided online. NFU can also identify a possible greater threat to the protection of personal data in the insurance sector, due to the sensitive nature of information provided (e.g. personal financial and medical information). The protection of personal data is crucial to ensure the consumers integrity. If this is not properly protected, NFU believes that the trust in the financial sector is most likely to decrease.
NFU believes that it is important to ensure the safety of the consumers’ integrity and personal data why it is important to include the possibility of human intervention in the advice and analysis process.
It is important to raise the awareness of data protection among consumers, how their information is used what their rights are as well as the companies’ responsibilities and duties in this regard. A greater awareness of data protections issues may also cause the consumers to feel less eager to provide their personal information which should be taken into account by both policymakers and industry.
If one major financial institution was to suffer a reputational risk due to how personal data is handled, it is likely that the lack of trust will spread to other financial institutions. If personal data is misused, it can cause an erosion of trust for all the financial sectors. The other aspect of risks for financial institutions is of course if their IT systems are compromised. The requirements on the institutions to have up-to-date and secure IT systems should form the basis for how consumer data consequently can be used.
Digitalisation also brings an increased responsibility for the protection of clients’ data.
In this aspect it is important to note that a person working at the financial institution should not be held accountable if a consumer’s data is spread or hacked. An employee must never be liable for shortcomings in protection of third parties’ data by their employer.
The perspective of risk to employees’ personal data was not included in the paper by EBA. This risk is however recognised by the EESC opinion by group II:
“ 4.11. Workers in digitalised forms of work organisation produce large quantities of personal data, which contain information relating to where employees do what, when and with whom. Besides creating opportunities for highly efficient work in seamless flows of information, this also enables intrusive practices of employee surveillance that jeopardise established standards of privacy at work.
4.12. Robust provisions concerning the protection of personal employee data are needed to protect established standards of privacy at work. European legislation on data protection should set high minimum standards and must not prevent Member States from regulating further. The EU data protection regulation currently being negotiated should therefore contain an opening clause" allowing Member States to go beyond EU minimum standards.”
NFU would therefore like to draw the attention of EBA to the Joint declaration on Telework by the European social partners in the insurance sector.
The Joint Declaration reads “The employer is responsible for taking the appropriate measures, notably with regard to software, to ensure the protection of data used and processed by the teleworker for professional purposes. The employer informs the employee of all relevant legislation and company rules concerning data protection. It is the employee’s responsibility to comply with these rules.”
It is therefore important that the employees working in the finance sector gets training by their employers on all legislation concerning personal data, both concerning the consumers and themselves.
As already mentioned, the risk to employees’ personal data is a prominent issue concerning the work on the prevention of money laundering and terrorist financing. One of the most important issues from the employee perspective when it comes to AML is that of protection against threats and other hostile consequences. Over the years, there have been quite a few incidents with threats against employees involved in reporting of suspicious transactions.
A provision on protection was inserted into the previous AML directive and such a provision has been continued, slightly amended in article 38 of the present directive. Unfortunately, this has far from solved the problem, and we still hear about cases. A prominent problem in this connection is that it is too easy for suspected criminals to gain knowledge of the fact that they have been reported for their money laundering activities. In some cases, they are actually being directly informed about it right away, sometimes both the fact that they have been reported and by whom.
As EBA rightly raises, there may be an issue of competition at hand since new entrants can have more access to data than other financial institutions. It is therefore important that these emerging sectors are included at the same conditions as the existing institutions and in the social dialogue, in order to ensure a level playing field and to uphold employee and consumer protection."