Response to discussion Paper on innovative uses of consumer data by financial institutions
Go back
• Transactional data: data required to ensure that a payment can go through authentication; authorisation and the clearing/settlement systems needed to process they payment (e.g. credit card transaction records). The structure of these will depend upon both the business model and transaction processing environment (e.g. off-line vs. online);
• Client management data: Data the payment institution collects/holds on its customers, and used to manage accounts and relationships (e.g. name; address; banking details);
• External data: Data from external sources about customers used to validate client data (e.g. credit risk; verification of addresses/ownership).
Transactional data constitutes the bulk of data used by most PIs and is critical to all PIs operation. Besides allowing for the transfer of funds, this data is used for other purposes such as fraud prevention via predictive models based in a customer’s normal patterns of spending (e.g. merchant category codes (MCC), average transaction value (ATV), geographical location (particularly unusual overseas spending) in the case of cards).
As stated above, PIs may use transactional data above and beyond this to differentiate the performance of their payment products and to create adjacent products leveraging this data in some cases.
Beyond this as more players enter the payments space with PSD 2 and SEPA enhancements such as instant payments, we can expect a wider range of commercial application of this data. Add to this improvement in big data anonymization and enhanced security products such as tokenisation and we can expect a very different market. As EPIF represents a wide variety of business models we are not in a position to make more specific comments of how the market will be impacted.
In considering the application of a risk-based approach to issues (e.g. two-factor authentication), it is critical that PIs and merchants have the data needed to make these assessments at a transaction level.
• Data Protection Legislation: the complexity of the General Data Protection Regulation is likely to incur a fragmented regulatory approach across the EU and increase complexity of compliance processes.
• Duty of Confidentiality
• A Fragmented EU legal framework: a number of different legislations apply to PIs – PSD2, GDPR, NISD, etc. – and their interactions are not clear when it comes to data protection and processing. It is unclear at times what definition applies, or which legal base to use. This has the potential to create inconsistencies cross-border but also within countries.
• Suspicious Activity Reports (SARs)
• Financial Services Regulatory Regime: this provides PIs with a complex web of compliance requirements, which hinder the innovative use of data.
• Statutory Gateways
1. In what capacity (i.e. consumer, financial institution, technology providers, etc.) have you had experience with innovative uses of consumer data?
EPIF is a trade association whose membership is made up of PIs who have extensive experience with various innovative uses of consumer data.2. Based on your knowledge, what types of consumer data do financial institutions use most?
EPIF membership represents a wide range of business models that have a large range of data requirements and access depending upon the model. For example, a Payment Initiator using credit transfers will have relatively few data requirements as compared to an international credit card acquirer operating across many sectors and subject to payment scheme rules. In the payment sector, the three general types of data are:• Transactional data: data required to ensure that a payment can go through authentication; authorisation and the clearing/settlement systems needed to process they payment (e.g. credit card transaction records). The structure of these will depend upon both the business model and transaction processing environment (e.g. off-line vs. online);
• Client management data: Data the payment institution collects/holds on its customers, and used to manage accounts and relationships (e.g. name; address; banking details);
• External data: Data from external sources about customers used to validate client data (e.g. credit risk; verification of addresses/ownership).
Transactional data constitutes the bulk of data used by most PIs and is critical to all PIs operation. Besides allowing for the transfer of funds, this data is used for other purposes such as fraud prevention via predictive models based in a customer’s normal patterns of spending (e.g. merchant category codes (MCC), average transaction value (ATV), geographical location (particularly unusual overseas spending) in the case of cards).
3. Based on your knowledge, what sources of consumer data do financial institutions rely on most?
Transactional data is expected to continue to be core to PIs. With changes in technology and increased numbers of payment methods, the level of information associated with a transaction can be expected to increase. This said, the visibility of data to some stakeholders may also diminish with deployment of anonymizing technologies such as tokenization.4. Based on your knowledge, for what purposes do financial institutions use consumer data most?
Although data requirements vary greatly due a PIs business model and strategy, all PIs use consumer data for compliance purposes (e.g. KYC; AML etc.) and, where applicable, fraud management.As stated above, PIs may use transactional data above and beyond this to differentiate the performance of their payment products and to create adjacent products leveraging this data in some cases.
5. How do you picture the evolution of the use of consumer data by financial institutions in the upcoming years? How do you think this will affect the market?
A key aspect of the current Digital Single Market (DSM) initiative is the concept of “freedom of data” within the union as essential to meeting this initiatives’ objective. Again, in the payment space this will have broad impacts to all of those involved in the network. At a minimum, it can be anticipated that the key compliance and operational activities undertaken by PIs will be enhanced with better and faster access to transactional data to improve network security and acceptance performance.Beyond this as more players enter the payments space with PSD 2 and SEPA enhancements such as instant payments, we can expect a wider range of commercial application of this data. Add to this improvement in big data anonymization and enhanced security products such as tokenisation and we can expect a very different market. As EPIF represents a wide variety of business models we are not in a position to make more specific comments of how the market will be impacted.
6. Do you consider the potential benefits described in this chapter to be complete and accurate? If not, what other benefits do you consider should be included?
EPIF feels that looking at payments from a consumer and financial institution point of view does not include the network nature of payments in considering benefits. One of the key benefits of having access to transactional data near real-time for all parties is that PIs and merchants are better able to assess risk in a way that simultaneously reduces the risk (e.g. fraud losses; cyber security) while at the same time increases acceptance rates by PI’s merchants which benefits all parties.In considering the application of a risk-based approach to issues (e.g. two-factor authentication), it is critical that PIs and merchants have the data needed to make these assessments at a transaction level.
7. Are you aware of any barriers that prevent financial institutions from using consumer data in a beneficial way? If so, what are these barriers?
A number of barriers exist that prevent financial institutions from using consumer data in a beneficial way: these include the lack of harmonisation of rules in the EU, but also the need to produce more future-proof legislation and the overall complexity of compliance processes. Below some examples:• Data Protection Legislation: the complexity of the General Data Protection Regulation is likely to incur a fragmented regulatory approach across the EU and increase complexity of compliance processes.
• Duty of Confidentiality
• A Fragmented EU legal framework: a number of different legislations apply to PIs – PSD2, GDPR, NISD, etc. – and their interactions are not clear when it comes to data protection and processing. It is unclear at times what definition applies, or which legal base to use. This has the potential to create inconsistencies cross-border but also within countries.
• Suspicious Activity Reports (SARs)
• Financial Services Regulatory Regime: this provides PIs with a complex web of compliance requirements, which hinder the innovative use of data.
• Statutory Gateways