European Banking Federation (EBF)

The European Banking Federation is the voice of the European banking sector, uniting 32 national banking associations in Europe that together represent some 4,500 banks - large and small, wholesale and retail, local and international - employing about 2.5 million people which have experience with innovative uses of consumer data in their daily activities. The EBF members represent banks that make available loans to the European economy in excess of €20 trillion and that securely handle more than 300 million payment transactions per day.
The response to the discussion paper is therefore provided in the capacity of a financial institution which aims notably at developing innovative products and the best products and services for its customers.

Key points:
 The use of data is growing exponentially, in terms of use, variety, volume and velocity. Data analytics is creating increasingly new opportunities both for consumers, who can benefit from more innovative and tailored products and services adapted to their needs, and for companies able to develop new innovative businesses.
 Consumer data has been at the heart of the banking business model for a long time and it affects every level of banking activity. The large majority of data used, processed and collected by banks aims at improving the customer experience and satisfying customer needs, complying with legal and regulatory requirements and risk management (e.g preventing fraud and money-laundering) as well as contributing to the business performance of banks.
 Confidence in banks as trusted parties is essential for their reputation, a fact which adds to the efforts and investments put into maintaining and improving setups ensuring the safety of customer data. The future performance of the financial industry will very much depend on the ability of financial institutions to use customer data, the interaction of that data with banks’ products and services, and most importantly, the ability of banks to maintain the existing level of consumer trust.
 Policy-makers should adopt a holistic approach and ensure that EU regulation is adjusted to the digital reality for financial services as well. The focus needs to be on regulating the activities rather than the institutions that offer them. This is not a call for new regulations but rather for adjusting, simplifying, removing obstacles and inconsistencies and modernising the EU regulatory framework.
 The recently adopted General Data Protection regulation (GDPR) is one of the most advanced regulatory frameworks in the world regarding personal data protection, with high standard safeguards for consumers and their data. It applies to any company that controls or processes personal data of natural persons who are in the EU. In the EBF’s views, there is no need for the EBA to take any further measures specific to the financial sector, especially bearing in mind the wide-ranging application of the GDPR. Privacy and data protection issues should be ruled by sector-neutral regulations. However, in its regulatory capacity, the European Banking Authority (EBA) should ensure through engagement with data Protection Authorities and the Article 29 Working Party, that measures to protect consumer’s data should be taken for any party that offers financial services and that is involved in accessing, storing, treating and managing consumers’ data, regardless of whether it is a traditional banking business or not (and therefore not normally falling within the EBA’s remit)
 The importance of having an appropriate competitive environment with a level playing field among all the different players which would ensure wide-ranging high standards and, in turn, enhance consumer trust, should be a key reason for ensuring that not only banks have to comply with high standards to be able to use personal data. Moreover, if such an environment is not ensured then banks will not be able to compete on an equal footing in the new digital era where data is the driver of business (e.g. ensuring high standards of data quality while at the same time being pushed for data portability at a price that does not reflect the true value of the data stored at banks can lead to a competitive disadvantage and a negative impact on the banking industry and their customers).
The type of consumer data that financial institutions most commonly use are:

 Identity and demographic data (e.g. ID, age nationality, address, education, professional details);
 Credit history (e.g. history of credit use);
 Transactional data (e.g payment account movement (credit and debits));
 Payment obligations (e.g. to evaluate the debt service ratio and the remaining net income);
 Behavioural performance data (e.g. credit incidents, debt falling due, potential debt)
 Perception of the financial institution’s service level (e.g. customer expectations and satisfaction/complaints);
It is also important to note that financial institutions use the data listed, in the context of risk management, fraud management, customer service, reporting to supervisors, marketing,…). Please see in particular the requirements imposed by the Article 13 of the 4th Anti-Money Laundering Directive (AMLD) (2015/849) on customer due diligence which refers in particular to the obligation to collect information about the customer to prevent money laundering, such as conducting ongoing monitoring of the business relationship including “identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source”; “scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity's knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date”.
As a general comment we would like to underline the following elements:
- In reference to paragraph 16 referring to “social network information (including data on a person’s social connections and information provided in status updates)” we would like to stress that at this stage it is not the core business of banks to use such data. In principle, banks do not use data from social networks due to the legal uncertainty around the possible use of this kind of data. Some banks are, however, investigating the potential use of data which are made publicly available by consumers as they could represent a complementary source for banks. Indeed not all data sources have the same level of reliability, so banks consistently perform validation processes to ensure its accuracy and may for example decide in the future to cross-verify the information using public data sources.
- We would also like to raise EBA’s attention to the fact that in addition to the three categorisations of data identified by the EBA (structured, semi-structured or unstructured which includes raw data), additional data is used by banks.
- There are indeed areas in which financial regulators require banks to perform specific accuracy tests which not fully rely on the data that customers or the market participants provide. Rather, banks also rely on high quality data that corresponds to “managed/treated data”, data which has undergone a thorough process and analysis conducted by banks (such as verification, cybersecurity etc.) in order to be used. This kind of data is not necessarily identifiable to individuals. It leads to an enhancement of raw data and to the creation of new data as part of the intellectual property of banks. These processes create an additional layer of value from the raw data.
In this sense, it would be advisable to differentiate between raw data (provided directly by the customer) and managed/treated data.
The European Banking Authority (EBA) raises a range of innovative data uses, including big data analytics and collection of data from social media. However, in reality the large majority of data processed by banks are used for conventional purposes such as processing transactions on customer instructions, regulatory compliance (e.g. Know Your Customer (KYC) and Fair Treatment of customers requirement in certain countries, Markets in Financial Instruments Directive (MiFID), prevention of fraud (e.g. using mobile localisation), money laundering/terrorist financing and other financial crime, and credit worthiness assessment requirements) as well as the data used for marketing purposes.
As already mentioned in question 2, we would like to stress that at this stage it is not the core business of banks to use social network information. In principle, banks do not use data from social networks, due to legal uncertainty around the possible use of this kind of data. Some banks are, however, investigating the potential use of data which are made publicly available by consumers as they could represent a complementary source for banks.
The main sources of consumer data that financial institutions rely on are both internal and external data:
 Data directly given by the customer based on:
- the consumer’s informed consent (when required and which include customer feedback and data collected via satisfaction surveys in order to improve the customer relationship)
- legitimate interests (legal requirements, AML requirements etc.)
 Data produced by bank operating systems
 As a complementary tool, external data such as public and/or private managed specialised databases (e.g. from the incident credit records/ National Database on Household Credit Repayment Incidents/ credit bureaus to conduct the creditworthiness assessment), information originated from the client’s financial turnover, transaction patterns and preferred products/services statistical data, publicly available data, credit rating agencies, Politically Exposed Persons (PEPs) lists, governmental statistics offices, etc.).
It is important to note that consumer data has been at the heart of the banking business model for a long time and affects every level of banking activity such as corporate/investment banking, retail banking, credit management and analysis/Mortgage, transfer operations, payments, cash management, risk management and compliance, cybersecurity as well as IT departments etc.
They are collected in particular to:

a) Improve the customer experience and satisfy customer needs :

The data collected (based on customer’s consent when required) facilitate the understanding of customers’ needs, the quality of products and services provided to them and contribute to the development of personalised offers in real time; Consumers will, for instance, be able to benefit from more flexible offers for loan rates or a simplified and faster approval of their loan’s request due to a better assessment of the risk profile. Some marketing offers which are also addressed to consumer segments based on their payment flows aim at creating targeted offers (e.g. reward or loyalty programs, bonus points given on a credit card that can be used to purchase products in several partner stores).

The assessment, evaluation and interrogation of transaction information and the detailed analysis of this can provide a more detailed insight into customer behaviour identifying specific needs, issues and areas a customer may require assistance on. This can support a more targeted marketing campaign or simply advance a customer relationship with the bank.

b) Comply with legal and regulatory requirements and risk management:

 The collection of personal data and its analysis is moreover necessary for profiling for risk management, creditworthiness assessment purposes and financial crime prevention for example for fine-tuning the parameters used in fraud monitoring systems to improve their ability to detect and prevent related fraud, as requested by financial services requirements. These procedures are widely recognised as being the most effective and fair (if not the only possible) way of assimilating data in order to make responsible financial decisions.
Actually their use derives from legal requirements in various EU and national laws such as the new Anti-Money Laundering (AMLD) 1 which imposes a customer due diligence and Know Your Customers requirements and is considered as a legitimate interest according to the new General Data Protection Regulation, Markets in Financial Instruments Directive (MiFID)2 , the Consumer Credit Directive (CDD)3 and the newly adopted Mortgage Credit Directive (MCD)4 . The use of consumer data therefore also contributes to lower the credit risk and thus to the resilience of the European banking system.

It is also important to note that the recent European Commission’s proposal amending the 4th AML Directive, published on 5 July 2016, might impose on banks additional requirements regarding the collection of data to address terrorist financing risks linked to high-risk third countries. Enhanced measures will lead to extra checks and monitoring of those transactions by banks and obliged entities in order to prevent, detect and disrupt suspicious transactions involving “high risk third countries”. A Communication and a proposal amending the Directive on administrative Cooperation in the field of taxation were also published to tackle tax evasion and tax avoidance in the EU. According to the Commission, tax authorities should have access to national anti-money laundering information, particularly beneficial ownership and due diligence information and new, accounts should be subject to due diligence controls.
Those recent initiatives strengthen the requirements imposed on banks to collect consumer data.

c) Contribute to the business performance of banks, banking techniques and create new business opportunities.
Consumer data is used in the context of customer satisfaction surveys which allow banks to improve the services they provide to their customers, for process optimisations purposes as well as for the development of new innovative tools such as automated financial advice. The innovative use of consumer data represents an advantage that allows banks to run their business more efficiently and at a lower cost, develop a faster decision-making process and improve their customer segmentation activity. It also enables banks to reduce inappropriate marketing expenditure, avoid the development of unnecessary product and services offerings, and focus more effectively on their capacity to innovate for the benefit of their customers.
Profiling to support the development of ‘tailor-made’ products or services for customers is therefore a crucial tool for financial institutions. It is also used for risk assessments for preventing fraud and money-laundering which, in this case, is mandatory.
Thus, profiling is based on different legitimate purposes: preventing criminal actions, building consumers’ trust in the digital economy as well as developing e-commerce;
There is also an increasing interest in the provision of new non-financial products based on the knowledge derived from bank’s activities that could help the customers make better decisions, by allowing customers to strike the right balance for them between access to innovative products tailored to their needs, and complete protection of their privacy.

Footnotes:
1
Article 13(1)(a) of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC provides that Customer due diligence measures shall comprise: identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source.

2
Article 13(5) of Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments amending Council Directives 85/611/EEC and 93/6/EEC and Directive 2000/12/EC of the European Parliament and of the Council and repealing Council Directive 93/22/EEC provides that (…) An investment firm shall have sound administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment, and effective control and safeguard arrangements for information processing systems.

3
Article 8 of Directive 2008/48/EC of the European Parliament and of the Council of 23 April on credit agreements for consumers and repealing Council Directive 87/102/EEC provides that Member States shall ensure that, before the conclusion of the credit agreement, the creditor assesses the consumer's creditworthiness on the basis of sufficient information, where appropriate obtained from the consumer and, where necessary, on the basis of a consultation of the relevant database.

4
Article 18 of Directive 2014/17/EU on credit agreements for consumers relating to residential immovable property and amending Directives 2008/48/EC and 2013/36/EU and Regulation (EU) No 1093/2010 concerning the obligation to assess the creditworthiness of the consumer provides:
1. Member States shall ensure that, before concluding a credit agreement, the creditor makes a thorough assessment of the consumer’s creditworthiness. That assessment shall take appropriate account of factors relevant to verifying the prospect of the consumer to meet his obligations under the credit agreement.
2. Member States shall ensure that the procedures and information on which the assessment is based are established, documented and maintained.
[…] 5. Member States shall ensure that:
(a) the creditor only makes the credit available to the consumer where the result of the creditworthiness assessment indicates that the obligations resulting from the credit agreement are likely to be met in the manner required under that agreement;
(b )in accordance with Article 10 of Directive 95/46/EC, the creditor informs the consumer in advance that a database is to be consulted;
(c) where the credit application is rejected the creditor informs the consumer without delay of the rejection and, where applicable, that the decision is based on automated processing of data. Where the rejection is based on the result of the database consultation, the creditor shall inform the consumer of the result of such consultation and of the particulars of the database consulted.
6. Member States shall ensure that the consumer’s creditworthiness is re-assessed on the basis of updated information before any significant increase in the total amount of credit is granted after the conclusion of the credit agreement unless such additional credit was envisaged and included in the original creditworthiness assessment.
7. This Article shall be without prejudice to Directive 95/46/EC.
The use of data is growing exponentially, in terms of use, variety, volume and velocity. Data is at the centre of this digital revolution and consequently data analytics is creating increasingly new opportunities both for consumers, who can benefit from more innovative and tailored products and services adapted to their needs, and for companies able to develop new innovative businesses.
Given the changes in society and the use of social media, the new generations of customers might arrive with fresh expectations. They might expect banks to take into account the data, already at their disposal, when offering services (in the respect of data protection legislation). Some customers would even be willing to accept the sharing of data and be inclined to forego privacy either in exchange for more tailor-made products and services or benefits such as lower insurance premiums or purchase discounts, or, for instant access to them. Importantly, consumers expect banks to be able to deal with financial data in a highly confidential and trustworthy manner.
The future performance of the financial industry will very much depend on the ability of financial institutions to use their customers’ data and the interaction of that data with bank’s products and services, and, more importantly, to maintain the existing level of customer trust. Data analytics, generally, contribute positively to maintaining trust, transparency and security.
a) Better service for consumers:
In the coming years, more and more useful data analytics-methods will be developed and used to interpret a vast amount of data.


This will further improve the product and service offering of financial institutions to their consumer and business clients (e.g. real time offers, more innovative and tailored-services, faster credit assessment) and providing a full picture of consumers’ needs via different channels (e.g. customers can access the latest information, whatever the channel chosen, and with a single click a customer can access all the accounts he/she holds in a bank.). The focus will be even more on customer relationship management (CRM) and personal finance management in order to help the consumer manage their finance on a daily basis. It might also help in the long term to increase the benefits of banking services and facilitate financial inclusion.
b) Increased business performance and innovative solutions:
With the use of consumer data banks will be able to improve their business performance and develop more innovative solutions which includes a faster decision-making process and improve their customer segmentation activity.
c) Increased fraud detection and prevention:
As for authentication and fraud monitoring processes we believe that customer behaviour analysis will become more important and therefore customer data will play a key role to fight against cybercrime and terrorism financing.
d) Increased transparency in the use of consumer data by certain institutions:
In the field of payment services in particular, more transparency should be provided to customers (solicited and unsolicited) on the different use(s) of consumer data by the Third Parties Providers (TPPs), without affecting the bank’s capacity to detect frauds and being proactive. It could help for example to make clear to which external parties customers themselves have allowed to share their [Payment Services Directive (PSD 2)] data. In the EBF’s views supervised TPPs must be publicly identified through certificates issued by a Qualified Trust Services entity in order for consumers and retailers to be certain they are dealing with authorised TPPs (see EBF submission on the EBA discussion paper dated 8th February 2016). (Please see also response to question 8, R6).
e) Use of innovative and non-traditional banking tools:
Some banks might also experiment with location-based services (LBS) in an attempt to personalise customer products and services and tighten security for example for mobile transactions. Several banks have launched a mobile-Point-of-Sale solution, known as mPoS, which allows businesses and self-employed professionals to accept card payments using a smartphone. Other banks have built online communities of merchants using a PoS terminal which allows cardholders to access offers and promotions using geolocation technology.
f) Interdisciplinary data usage:
Today, some banks may still be working with partly decentralised or fragmented systems via departmental silos. This does not allow banks to share and benefit of internal data across the organisation contrary to other companies. Banks will therefore fully adapt their infrastructure and IT systems according to the expectations of data-driven customers. It will also result in a more efficient data storage and data processing.
g) Further consideration to data protection and security:
Data protection and security have always been key concerns for banks, who use the data that consumers provide to them in a secure way and who intend to keep it that way. Confidence in banks as trusted parties is essential for their reputation and adds to the efforts and investments put into maintaining and improving setups ensuring the safety of customer data. Banks have always been respective of provisions on business confidentiality. For instance, numerous European Banking laws clearly state that banks are subject to professional secrecy. In that context banks are likely to turn data security and protection into a competitive advantage in the years to come.
h) Increasing partnerships with Fintech companies and other industries to respond to customer’s needs:
As part of a general approach to the banking transformation, banks engage more and more in Fintech partnerships, and finance innovative starts-ups. Banks have already developed Fintech accelerating platforms, Fintech labs to focus their activities even more on customer experience and to help them to deal with the new generation of customers. FinTechs have a role to play in speeding up the industry and they can be used to improve the business model. FinTechs can create many opportunities for banks such as helping them to improve their business model, cut costs and build activities which are complementary to banking activities conducted in-house.
In addition, banks might partner with other industries, such as the manufacturing industry and the health industry, in order to develop new products and services.

i) A level playing field as a key driver

The importance of having an appropriate competitive environment with a level playing field among all the different players which would ensure wide-ranging high standards and, in turn, enhance consumer trust, should be a key reason for ensuring that not only banks have to comply with high standards to be able to use personal data. Moreover, if such an environment is not ensured then banks will not be able to compete on an equal footing in the new digital era where data is the driver of business.
For example, if the financial sector is obliged to invest in ensuring high data quality and at the same time is pushed to allow for massive data portability at a price that does not reflect the true value of the data stored at banks, this can lead to an uncompetitive advantage and a negative impact on the banking industry. (see also our response question 7 paragraph 1 on the barriers and question 8 paragraphs R8 and R9 on the risks).
Both consumers and financial institutions benefit from improved use of customer data and the list provided appears complete, but additional points should be mentioned:
 Regarding the points mentioned in B1: Consumers benefit from financial institutions’ improved cost-effectiveness it is important to clarify that the use of data will imply a better and more granular pricing for clients as the improvement of the variables considered will facilitate it, but it is important to clarify that it will not necessarily imply that the cost will always be lower. It will be more personalised and accurate to personal circumstances.
 Regarding B3 on “consumers pay less as result of more accurate creditworthiness assessment” the main benefit is an improved credit lending decision which could help ensure that customers do not take on debt they cannot afford while also leading to an increase in access to credit, for customers who are less financially included (non-salaried workforce, limited credit history …); Indeed, due to the collection of additional data, customers who have been rejected by financial institutions with existing risk scoring methods due to limited credit history information, might benefit from a better access to credit (it is however important to stress that this does not preclude financial institutions from denying access to credit to those who do not meet the required criteria ). It will thus bring further certainty for consumers on the possibility of being given a loan and for financial institutions to conduct a more precise creditworthiness assessment. The following title could therefore be added “Better service levels on credit approval processes (reduced uncertainty)”.
 Regarding the reduction of costs for financial institutions in general, it is crucial to note that the personalisation of services will require a lot of investment in order to evaluate innovations, new processes and new ways to share, manage, use and protect data, maintain algorithms etc. This is notably the case for automation financial services.
Cybersecurity costs are also going to increase significantly and will be key to manage a very significant risk for the financial system and consumers. Financial service providers will therefore be less likely to reduce their costs but more likely to change its distribution. Although some costs will be reduced or even disappear, others can increase with data management, storage, protection, innovation, technical tools, remuneration of very specialized profiles, etc.
 In addition to the detection of fraud (B12 financial institutions are able to detect fraud at early stage), through the analysis of consumer data, banks will be able to comply more easily with the Anti-Money Laundering Directive and detect suspicious transactions or to comply with risk management requirements in general..
 Improved service quality across channels should be added
 Better balance between customer’s expectations and the bank’s offers driven by micro-segmentation should be an element to be added. More sophisticated use of consumer data and sharing this data between the banks’ different channels will facilitate and further improve the consumers’ omnichannel banking experience.
 Another benefit for financial institutions is that extending the use of consumer data can also help to improve operational efficiency of banks ‘processes whether in front office processes or back office processes.
 The current regulatory framework is not properly adapted to the deployment of digital financial services and needs further adjustments to be fit for the digital reality.
Currently, the regulatory framework does not allow banks to take full advantage of technological innovations, hindering the digital transformation of the industry and obstructing the launch of innovative products and services.
The financial services industry has traditionally been highly regulated with the aim of providing security and protection to the consumer and ensuring financial stability. Those regulatory requirements have been established by authorities in charge of prudential issues, data protection, data security, competition and financial stability. We observe that some recent or on-going EU legislations do not yet properly or fully address the developments made possible by digitalisation, leading to certain contradictions or inconsistencies which could hinder the Digital Single Market from becoming a reality.
This is notably the case for example concerning the Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR).
- We note for example, that a (too) strict interpretation of the GDPR could considerably limit (i.e. due to quite restrictive legal possibilities for profiling) the ways financial institutions use data-analytics to prevent fraud. We hope – and expect – that the national competent authorities responsible for GDPR-supervision will strike the right balance in this matter. Regulation frequently takes a negative view of profiling. However, as outlined above, profiling can also provide significant benefits to customers. Profiling should not be societally perceived as necessarily negative.
In addition, international companies with a wide footprint have to deal with different data protection laws, as these are not homogenous in all the territories they operate. Specifically, unjustified data location restrictions should be tackled. This situation is especially important when addressing issues related to cross-border data flows, which increase the complexity of managing data and make it more difficult to have a whole picture view at the group level. Another example of inconsistencies can be seen in the case of EU regulators compelling cloud technology to be compliant with local outsourcing regulations (outsourcing regulations have not been harmonised) which by definition goes against the idea of the cloud (which is meant to be cross-border). Such regulations can contradict the core objective principles of the cloud or lead to further inconsistencies. Competent financial/data protection authorities should find the right balance in this matter.
Today, GDPR does not guarantee technical interoperability in the portability of data, nor direct communication between data controller, unless it is “technically feasible” (which is a concept yet to be clarified). The latest PSD2 (Payment Services Directive) will grant standardized access to payments accounts to third-party providers acting on behalf of a client. A possibility of a reciprocal access to personal data held in other digital platforms in a direct, standardized and automated format, if consented by the data subject, should be assessed for banks. It would allow them to build better products and services for their customers, based on more accurate information about their needs and preferences.
- We also observes that in certain cases national regulators have restricted the use of particular data sets on the basis that it would be an infringement of the rights of an individual. For example a current Irish position prohibits the examination of specific transactional information and requires that this type of information is reviewed on an aggregated basis, for example the total amount of credit and debits to an account rather than the assessment of the specific transactions themselves. This position is restrictive in fully understanding customers and their needs.
Even if the GDPR might provide further harmonization among national legislations, currently some national supervisory authorities impose different requirements according to the countries.
 Digital transformation should be understood as a whole, seeking the right balance between the drivers of change and the impact on the existing business model.
Financial regulators are challenged to provide a regulatory framework that balances the promotion of new digital value propositions while ensuring appropriate consumer and investor protection. To avoid serious market distortions and to find the proper balance between benefits and risks, it is imperative to take into account the fact that business models may dramatically shift to totally new forms of interlinking platforms, interacting layers and valued added services. With this in mind, policymakers should adopt a holistic approach and ensure that EU regulation is adjusted to the digital reality for financial services as well. The focus needs to be on regulating activities rather than institutions that offer them. This is not a call for new regulations but rather for adjusting, simplifying, removing obstacles and inconsistencies and modernising the EU regulatory framework. The current banking regulatory environment does not reflect the fast moving digital phenomenon. New access methods fostering a real cross-border and cross-sector economy (e-ID, e-signature, e-invoicing, online platforms etc.) may change the way business operates across different markets. This complete shift of paradigm requires a renewed approach in order to efficiently balance benefits, risks and avoid market distortions. Banking legislation needs to be adapted to the digital market reality.

 The principle of “same services/risks, same rules” should apply to all companies regardless of the sector or location.
A regulatory discrepancy between banks and other type of actors is an important barrier that prevents financial institutions from using consumer data in a beneficial way. Banks are currently subject to many regulations, which do not apply to non-banking digital financial services providers. There are, currently, non-financial services providers entering the digital market that provide similar financial services despite not being subject to the same regulation as financial entities, and thus they are not playing under the same rules, this is particularly true for PSD 2.
 Exchange of data between companies within, the same group: Financial institutions often need to process personal data within the group of which they are members in order to achieve aims, such as offering a broader variety of products to the clients, or, efficiently tackling fraud.
The GDPR recognises in recital 48 that “controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.”
Thus, it should be ensured that in the application of the GDPR, the processing and transferring of data amongst the entities in the same group is considered as lawful and does not require the data subject’s consent each time the data is transferred within a group. The process for transferring personal data under BCRs should be simplified. Even if the GDPR contains provisions enabling the approval of Binding Corporate Rules for this purpose, at present these take at least 18 months to approve and this time frame will likely expand under the GDPR due to increased demand and the complexities of the One Stop Shop and Consistency Mechanism.
Europe has the opportunity to create the right conditions for its citizens and companies to lead the digital transformation. A more holistic and consistent approach aiming at a more orderly transformation is needed to guarantee full benefits to customers, ensuring a level playing field but avoiding unnecessary and risky disruptions of markets, financial instability and the creation of detrimental digital monopolies. This will inspire trust from consumers, which is essential for a successful digital economy. This trust is - of course – important and should not be jeopardized. At the same time, we believe it should not lead to a significant competitive disadvantage regarding the use of innovative data analytics for banks against any new players in retail financial services. Currently large organizations often face internal barriers to the legitimate and beneficial use of consumer data, such as the lack of a data-driven culture. Public authorities and EU institutions/agencies should therefore raise awareness about the benefits of data-analytics.
Risks to consumers
 R1: Consumer experience detriment if they are unaware of the way financial institutions make use of their personal data: In reference, to paragraph 62 mentioning that “consumers may not always be properly informed of the usage of their persona data” and regarding paragraph 63 mentioning that “consumers may not understand the information that is provided to them regarding the use of their data”, it is important to stress that providing information to the customer on the usage of their data is mandatory and already imposed by the Section IV (information to be given to the data subject), Article 10 (Information in cases of collection of data from the data subject) of the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data5 . In addition the recent General Data Protection Regulation (GDPR) is intended to address those risks. In particular via requirements to provide much more detailed information about data processing to customers under Article 13 (and Article 14) in order to ensure that data processing is fair and transparent. The principle of transparency requires notably that any information and communication relating to the processing of those personal data to the data subject should be given in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Recital 39, Article 12). Furthermore, under article 6 on “lawfulness of processing” and Article 7, the nature and conditions for consent are expanded and strengthened, it should notably be given “unambiguously”. Article 6 also tightly limits the re-use of data for incompatible purposes after it has been collected.
Moreover, it is important to highlight that the majority of financial entities are making relevant efforts towards the simplification of the messages included in their contracts and the clarification of the language used in their drafting.
 Regarding paragraph 64 which mentions that “[…] consumers may not always have an in-depth knowledge about the legal framework applicable to the usage of their personal and financial data […]”(especially relevant in cross border transactions), We believe the GDPR which aims at providing a full harmonization should solve this issue. More transparency should, however, be provided to customers (solicited and unsolicited) by the TPPs on the different use(s) of consumer data. It is indeed important to make clear to which external parties customers themselves have allowed to share their PSD 2 data. In the EBF’s views supervised TPPs must be publicly identified through certificates issued by a Qualified Trust Services entity in order for consumers and retailers to be certain they are dealing with authorised TPPs (see EBF submission on the EBA discussion paper dated 8th February 2016). (Please see also response to question 5 and question 8, R6).

 Regarding paragraph 66 concerning the potential customer “detriment in the form of breaches to [their] privacy, the GDPR includes a specific provision in article 34 on “the communication of the personal data breach to the data subject”. As stated in Recital 86 and 87 “The controller should indeed communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication
It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.”

 As a general comment, it is also important to keep in mind that in certain cases this issue goes further than data protection issue and could be also linked to the fact that financial institutions are bound by professional secrecy which if breached could lead to criminal charges against financial institutions. In addition the risks described cannot be considered as specific to the financial sector.
R2: Consumers are “locked-in” by their current provider because their data is not assessable to other financial institutions
At paragraph 67 it is mentioned that “If financial institutions do not allow for the portability of consumer data, consumers may be hindered from choosing a different provider for the provision of financial services”. It is important to note that article 20 of the new GDPR sets out the conditions for the “right to data portability” and already aims at addressing those risks. The data subject has the right to receive personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller to which the personal data was originally provided where the processing is based on consent or is carried out by automated means.
R3: Consumers experience detriment if financial institutions misuse their personal data
 It is important to note that the risks of misuse of data, as presented is directly addressed by GDPR provisions around disclosure of information to customers, rules around reuse of data and incompatible processing.
Article 5 of the GDPR notably sets out the conditions of the principles relating to the processing of personal data which include ‘lawfulness, fairness and transparency’, ‘purpose limitation’, ‘data minimisation’, ‘accuracy’, ‘storage limitation’ and ‘integrity and confidentiality’. It applies irrespective of the sector concerned.
 In addition, the EBA discussion paper shows some apparent misconceptions about data use by financial institutions. For example, paragraphs 69 and 70 refer to collecting more data than needed for regulatory purposes and then (mis)using it for other purposes, or else selling data on to third parties. In the banking context this would not happen due to regulatory requirements imposed to banks and the new GDPR and the need to maintain customer trust.
As stated above, the GDPR is intended to address such risks. In particular via requirements to provide much more detailed information about data processing to customers under Article 13 (and Article 14) to ensure that data processing is transparent. Furthermore, under Article 6 on “lawfulness of processing” and Article 7, the nature and conditions for consent are expanded and strengthened.
Concerning more specifically paragraph 69 which states that “also financial institutions may interpret legal requirements for data collection, for anti-money laundering purposes for instance, such that they collect more data than is legally required and then re-use it for other purposes”, it is important to recall that Article 6 paragraph 4 also tightly limits the re-use of data for incompatible purposes after it has been collected. The AML legislation provides just a basic, mandatory set of information that the banks are obliged to collect, other information could be legally processed according to the risk based approach that regulates the deepness and the intensity of the investigation on the customer. The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. Article 6 prevent any potential risks of processing for incompatible purposes.
 In reference to paragraph 71 which refers to the misuse of consumer data also as a result of detrimental marketing approaches by financial institutions, in the form of spamming of electronic or conventional mail. It is important to stress, that:
- Banks rarely send emails to customers, as this creates security risks. Instead, banks prefer to communicate online with customers via secure portals.
- Banking entities are very conscious of managing customer data very carefully. In order to use customer data for any additional commercial purpose, the customer would normally be requested to specifically agree to allow their data being used for surveys, analyses and commercial action. In case the customer does not want to be contacted for commercial purpose, the bank directly informs its IT system to ensure that the customer will not be contacted in the future for commercial purposes.

R4: Consumers experience detriment as a result of wrong decisions by financial institutions on the basis of wrong information
 Limited data is available as to the scope and incidence of this risk. It remains to be seen whether in reality there are a lot of situations where financial institutions have an interest in taking “wrong decisions” or using “wrong information”.
 It should be considered that under the GDPR, strict rules apply to so-called profiling offering increased protection against “wrong decision making based on the use of customer data”.
Profiling is the automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
 The GDPR provides that customers:
- should be informed of the existence of automated decision-making, including profiling
- are entitled to receive, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
- have the right to object against profiling
- are entitled to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.
 As explained in our response to question 3, the EBA raises a range of innovative data uses, including big data analytics and collection of data from social media. However, in reality, the large majority of processing is for conventional purposes – processing transactions on customer instructions, regulatory compliance (eg: KYC and Fair Treatment of customers requirement in certain countries), prevention of fraud (eg: using mobile localisation), money laundering/terrorist financing and other financial crime, and credit worthiness assessment requirements. Similarly, the large majority of data processing by banks involves managed/treated data, data collected from a small number of reliable sources (credit rating agencies, regulatory sources like PEPs lists, etc)or from customers directly. Concerning data from social media it is not the core business of banks to use such data. In principle, banks do not use data from social networks, due to the legal uncertainty around the possible use of this kind of data. Some banks are, however, investigating the potential use of data which are made publicly available by consumers as they could represent a complementary source for banks.
 With reference to paragraph 72, we would like to stress that some legislations (Article 18 of Directive 2014/17/EU on credit agreements for consumers relating to residential immovable property (Mortgage Credit Directive or ‘MCD’) and article 8 of the Directive 2008/48/EC on credit agreements for consumers (Consumer Credit Directive or ‘CDD’) require that, before concluding a credit agreement, the creditor makes a thorough assessment of the consumer’s creditworthiness, taking appropriate account of factors relevant for verifying the prospect of the consumer meeting his/her obligations under the credit agreement. Article 20(1) MCD provides that the assessment of creditworthiness shall be carried out on the basis of information about the consumer’s income and expenses and other financial and economic circumstances which are necessary, sufficient and proportionate. That information can be obtained from various sources including from the consumer. The creditor should appropriately verify such information before granting the credit. In that respect consumers should provide information in order to facilitate the creditworthiness assessment, since failure to do so is likely to result in refusal of the credit they seek to obtain unless the information can be obtained from elsewhere.
This means that before concluding any credit agreement, the creditor should make a thorough assessment of the consumer's creditworthiness based on different criteria in order to verify the ability of the consumer to meet his/her obligations under the credit agreement.
It is important to stress that when a customer is denied credit in a bank, this is always the result of an objective credit decision-making procedure, where only the relevant circumstances are taken into account. Especially following the financial crisis, risk assessment remains a vital condition necessary to provide financial services such as credit.
 In addition, in June 2015, the EBA published guidelines on credit worthiness assessments to establish requirements on the verification of the consumer’s income; documentation and retention of information; identification and prevention of misrepresented information; assessment of the consumer’s ability to meet his/her obligations under the credit agreement; allowance for the consumer’s committed and other non-discretionary expenditures; and allowance for potential future negative scenarios.
We believe those guidelines could mitigate risks of unfair treatment expressed in paragraph 72.

 Regarding paragraph 73 and the risk of discriminating criteria based on sensitive consumer data, such as those related to health, we believe the example provided relates more to the insurance sector and is therefore outside of the mandate of the EBA.

R5: Consumers have restricted or no access to financial products or services because they do not allow for their information to be used by financial institutions
Regarding more specifically paragraph 76 it is important to recall that acquiring some products and services demands specific consumer information that in many instances is mandatory by law. Financial institutions must comply with those obligations (e.g KYC requirements, credit worthiness assessment etc.). Information may also be needed to properly assess risks when offering products and services.


R6: Consumers suffer detriment if consumer data stored by financial institutions is obtained fraudulently by third parties
 The risk that consumers suffer detriment if consumer data stored by financial institutions is fraudulently obtained by third parties is indeed a real one.
The Payment Services Directive 2 (PSD 2) stipulates that 'Account Servicing PSPs' (banks) shall make it possible for payment initiation services (PIS) and account information services (AIS) to rely on the authentication procedures provided by banks. It means that these Third Payment Providers’ (TPPs) will have access to clients’ payment accounts and customer data information via the banks’ infrastructure.
The challenge is to ensure security and privacy for AS PSPs and consumers. The structure behind the functioning of PIS/ AIS potentially calls into question the AS PSP’s measures to maintain the current security level of online banking, and might put at risk existing AML - and fraud prevention measures already in place. The appropriate technical standards for authentication methods and the customer’s data which TPPs are allowed to retrieve (via the Regulatory Technical Standards (RTS) are to be defined by EBA as mandated in PSD2. We hope that the EBA RTS will clarify that,under no circumstances, should consumers be allowed to hand-over their own personal credentials as provided by their AS PSP to any TPP. We believe security should not be sacrificed at the expense of competition and innovation.
Theoretically, PSD2 seems to ensure prudent consumer protection (also in terms of privacy/ data protection). But in practice, we believe it may (possibly) turn out to be more complex. For example: Does an average consumer know exactly what PIS and AIS are and how they work when he/she enters his personal security credentials (which he/she received from their bank for internet- and mobile banking) via the TPP’s website or app? And is a consumer aware of whether this actually is a proper (licensed) PISP or (registered) AISP? We expect an increase in the abusive use of personal data by fake ‘TPPs’ that abuse the personal security credentials of consumers, which they obtained via phishing. In addition we have always taught consumers to keep their security credentials safe and not to share them with others. With the TTP model consumers will have to share their credentials although they will not be able to single out fraudulent parties. If this kind of fraud would reach such high levels that it escalates societally, it will have a negative effect on public confidence in the electronic retail payments system. This will have major impact on society and increases the costs of the retail payments system.
In this latter case the players' responsibility must be clearly defined in the treatment process in case of an incident. In addition, the security constraints imposed by regulators must be the same for all services regardless for the institution or its location. Additionally, supervised TPPs must be publicly identified through certificates issued by a Qualified Trust Services entity in order for consumers and retailers to be certain they are dealing with authorised TPPs (see EBF submission on the EBA discussion paper dated 8th February 2016).
It is also important to note that banks already have prudential requirements in place concerning operational risk that measure and allocate capital to cybersecurity. Account information services providers under the PSD2 should - in order to ensure that they can compensate customers in case of any data leakage- have capital requirements to cover cybersecurity risks, no matter the size of the company providing this service.

 Regarding the statement mentioning that “this risk is more likely to occur when financial institutions have weak IT-security measures in place”, it is important to note that financial institutions are one of the primary targets for cyberattacks. As a result, the industry is committing considerable amounts of money towards protective measures for customers and to maintaining trust.
After a wave of increasingly sophisticated cyberattacks in 2014, targeting all types of organisations, the banking sector is facing attackers which are streamlining and upgrading their techniques rapidly while the sector is trying to fight back at the same speed. These repeated attacks can affect customers’ finance and their confidence, and can have severe economic and reputational consequences on the organisation. According to the 2015 Internet Security Threat Report (Symantec)6 , 60% of all targeted attacks last year affected small and medium-sized organisations (SMEs). This creates even greater risks as the majority of SMEs have neither the human nor technological capacity to protect themselves adequately.
Banks in Europe and worldwide are taking these threats seriously. Banks invest heavily in IT systems aiming at the highest possible security levels, but cybercriminals exploit any vulnerability – including on the clients’ side to penetrate the system. In addition dedicated regional and global groups have been created, to share information about security threats, for instance, the EU-Financial Services Information Sharing and Analysis Center (EU FS ISAC), and FS-ISAC (global), to share information on security threats. Importantly, awareness campaigns for employees are organised as numerous detrimental activities begin with an email arriving in a bank employee’s inbox with a malicious code.
In addition, it is important to recall that within the new Directive on Network Information Services (NIS), banks are considered as critical infrastructure which implies that they will have security and reporting obligations.
Risks to financial institutions

R7: Financial institutions are exposed to reputational risk if they make questionable use of consumer data
 Regarding paragraph 79 and the statement that “even if the consumer has authorised for the data to be used and/or if the data is publicly available, this kind of decision may be seen by the consumer as questionable and subject to repudiation” we would like to recall that customers trust banks with their data. Banks are indeed the type of company that are the most trusted to securely manage customer’s data according to recent studies7 . However, even if the traditional role of lending, deposits or distribution of currency will continue to be part of bank business model, it is by no means sufficient for banks to remain competitive. The role of banks should not be limited to just providing traditional banking services and providing only secure infrastructure for other players nor consequently leaving it only to others to address the changing customer demands. We observe that consumers’ expectations toward financial institutions are completely different compared to non-financial players which have built their business model on data. Banks should be allowed to go further and anticipate customer expectations and/or provide a broader value proposition to customers while keeping trust, security and customer experience at the center of their strategy. To this aim further awareness should be brought to the benefit of big data analytics.
 In addition to the reputational risk faced by financial institutions as described in paragraph 78, it is important to refer to the reputational risks they could face in case of non-compliance with legal requirements, for example anti-money laundering requirements subject to important fines or a failure to their IT system due to cyber-attacks. (It is notably linked to the statement developed in the paragraph 86 of this document on ‘Risks to the integrity of the financial sector’).

R8: Financial institutions that are not in a position to process consumer data cannot compete with new entrants in the market that specialise in using consumer data
 The lack of level playing field between all actors is a real risk to financial institutions. Banks have to comply with very strict regulations and are held to higher standards on conduct, capital and general operations as well as risk management, in comparison with non-financial institutions which also provide financial services.
These new entrants may thus not be submitted to the same regulations, allowing for an easier way of managing and profiling their clients and providing more innovative and easier services. In cases where few/no non-financial institutions comply with an adequate level of protection, innovative use of customer data by financial institutions will force banks to invest in performing new/innovative functions in-house. This selection constraint will have a negative impact on competition. It is particularly true for joint economic activities (please see also response to R9).
New players are also offering new intermediation models, between customers and credit institutions, which currently are not necessarily taken into account by the regulatory framework and banking supervision which therefore have to evolve. They may also create situations where consumers are put at risk, as they do not have a uniform level of protection.
The banking sector supports a competitive and innovative EU Digital Single Market which safeguards existing consumer protection, trust and security. To do so, the right competitive environment should be set and allow an open and fair competition among the market players. Given this, it is important that the same rights and the same obligations apply to the same services, in all EU countries.
Having those elements in mind, we consider that paragraph 81 stating that financial institutions may not use the data collected for commercial purposes due to the lack of “IT tools and/or the technological expertise to process data; or if they are not willing to change their business model into one that takes advantage of the potential of consumer data” is not accurate. It is indeed mainly linked to the higher standards financial institutions have to comply with.
In addition, we consider that paragraph 83 should be reformulated as follows […] “financial institutions which are submitted to stricter regulatory requirements and/or higher standards may be unable to compete on the same level.”
R9: Financial institutions are exposed to legal risks if their IT systems are compromised
 The new risks created by digital technologies include risks linked to cyber-security. Financial institutions are one of the main targets in this area. However, we do not share the idea that there is a risk of IT system deficiencies, as financial entities have the obligation of maintaining safe systems according to technological applicable standards. Moreover, various cyber-crime awareness and protection initiatives are provided by banks through very regular investments:
- Fight against phishing and banking trojans: site detection, closing procedure, an awareness programme and controlled mail communication policy, roll-out of specific tools for customers such as IBM Trusteer tools.
- Fight against fraudulent transactions and money laundering by comparing logins and bank transactions. For this purpose, FinTechs operating between the customer and the bank should not disguise information needed to appropriately identify fraud.
- Ongoing improvement of our payment methods and non-face-to-face banking resources: implementation of a security pass for non-face-to-face banking, dynamic CVX2 on the back of a bank card, secure access etc.
However all the initiatives carried out by a bank to raise awareness, detect and react against cyber-attacks can be affected and damaged if new players do not respect the same obligations.
In addition the European Commission hopes to encourage competition and innovation between financial players by opening" certain systems of the banks. These initiatives should not damage the stability (and 'usability') of systems already in place.
 Another security risk involves major transformation in the banking and more specifically the payment services sector, with the creation of many different (new) financial services which, in turn, leads to increased complexity of fraud monitoring processes. The dissemination of consumers' personal and banking information in private or cloud-based IT systems causes increased risks of information leakage, fraud and image, particularly for financial institutions, since trust is the basis of the relationship between these institutions and their customers.
In the latter case, the players' responsibility must be clearly defined for each player in case of an incident (e.g.: fraud) in particular where there is an interaction with different stakeholders
Also mutual consistency between nationally implemented EU-legislation and a consistent interpretation and similar supervision of EU-legislation by Member States' competent authorities should be ensured. Finally we recommend broadly informing consumers of what they should keep in mind – and check - when they want to use the services as provided by PISPs and AISPs.
 As a general remark, we believe that the risks described in this chapter are essentially the same where the consumer shares his/her data with non-banks (FinTechs, etc.).
In the EBF’s views, there is no need for the EBA to take any further measures specific to the financial sector, especially having in mind that the new GDPR reinforces personal data protection in the EU and has a wide-ranging application. Privacy and data protection issues should be ruled by sector-neutral regulations. The GDPR is one of the most advanced regulatory frameworks in the world regarding personal data protection, with high standard safeguards for consumers and their data, empowering the data subject.
It applies to any company that controls or processes personal data from natural persons who are in the EU. However, the EBA should monitor that similar measures to protect consumer’s data should be taken for any party that offers financial services and is involved in accessing, storing, treating and managing consumer’s data, regardless of whether it is a traditional banking or not (and therefore even it does not normally fall within the EBA’s remit). It is also important to recall that according to the action plan of the Article 29 Working Party, several guidelines are expected to be published on certain aspects of the GDPR and might provide further clarifications if need be.Where the EBA has concerns about data protection issues in the financial services sector, it should raise these with data protection authorities in the first instance.
In addition, we do believe that additional regulations imposed only on the banking industry in breach of the level playing field principles vis-à-vis new entrants such as GAFAs (which would only tackle the most profitable part of the business) can be a threat to the profitability of banks and, beyond, to their capacity to endure crisis.
R10: Integrity of the financial sector is undermined if trust in financial institutions decreases because of lack of data security
We believe this is an incorrect assessment as data used by financial institutions have to comply with strict security requirements in order to achieve enough robustness in their custody activity/obligation.
Please see also comments made to R7 paragraph 78.
R11: Integrity of the financial sector is undermined if financial institutions become overly dependent on the use of consumer data as a source of revenue
Please see also comments made to R7 paragraph 78.
In order for customer experience to meet customer demand, banks continually launch, high quality digital communication, user-friendly financial products and services that simplify the consumers’ trade and transaction management experience. They lead the change through innovative solutions but successfully preserve their core values: trust, integrity, privacy and security to offer the best of the digital age to consumers.
We therefore do not support the wording used in paragraph 87 and would suggest the following one.



The following amendment could be proposed:
87. Financial institutions may change the way they conduct their business by basing it on consumer data. If it is excessive, this may result in an exposure to any future tightening of legislative or regulatory requirements applicable to the use of data. It may also happen that consumers might be more reluctant to engage with financial institutions having such a profile.

Footnotes:
5
Section IV (information to be given to the data subject), Article 10 (Information in cases of collection of data from the data subject) of the Directive
Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the possible cons
Regarding the risk described in paragraph 83: “(…). Moreover, financial institutions may decide to restrict themselves in their use of consumer data, so as to try to meet the high expectations society may have towards them, and thus avoid reputational risk.”, we note that this happened in some Member States, such as for instance in the Netherlands. During the last few years some Dutch banks as well as a payment processor, partly owned by Dutch banks, experienced societal criticism in media and politics regarding their plans to use aggregated consumer retail payments data in an innovative way.
Both the payment processor and the bank would have fully complied with all relevant European and national data protection legislation with their planned initiatives. However, their plans did not seem to match with the views of society and politicians on the possibilities of (innovative) use of aggregated consumer retail payments data by credit institutions. They both decided not to proceed with their plans.
As we have indicated earlier, traditional suppliers of retail financial services (such as banks) face increasing competition from new providers (such as Big Tech companies and FinTechs). Consumers expect banks to deal with financial data in a highly confidential and trustworthy manner. This trust is an important asset for banks. However, we believe that it should not lead to a significant competitive disadvantage regarding the innovative use of data analytics for banks against these new players in retail financial services.
In addition, we are concerned about the consequences for privacy and data protection arising from massive data sharing with players that do not ensure the same level of protection of customers’ data. For example in the context of an open contest with IT community, even if they used anonymized data, there have been cases where the identity of some of the customers could have been established by matching the data sets provided with other open data available on other platforms.

Any initiative requesting massive sharing of financial data that until now has been safely stored at the banks should be carefully assessed against this kind of situation which have actually resulted in damage to consumers’ privacy. Where such data sharing initiatives are being considered, they should be discussed carefully with Data Protection Authorities and the Article 29 Working Party.
As a general remark, we have observed that, when customers grant third parties access to their payment account, they are often not aware of the fact or of the scale of information unlocked by their consent. More transparency should be established here, e.g. by developing a standard clause for obtaining the customer’s consent on a transparent and informed basis.
We believe that the risks described above exist since IT systems have been used for processing customer data. They are not specific to innovative uses of consumer data in the financial sector. As underlined, in the EBF’s response to the previous question, we believe that there is no need to have specific measures from the EBA in this field. Instead, thorough monitoring of the developments should be conducted concerning the use of consumer data including the use by non-financial institutions offering financial services.
Yes
[Trade association"]"
n.papp@ebf.eu
Noémie Papp, Policy adviser retail and coordinator digital issues
0032 2 508 37 69
Yes