Austrian Federal Economic Chamber, Division Bank and Insurance

GENERAL COMMENTS

With the rise of big data technology and advances in statistical methods, data have become an important tool that influences strategic decisions. Assessing risks and setting the right prices are key success factors in the competitive retail banking market. Accompanied by these ongoing changes, data quality and availability have risen exponentially. Driven by the fulfillment of regulatory requirements, risk management has been a high-priority focus area for most banks.

- We appreciate a more lenient and harmonised approach for financial institutions regarding EU data protection and customer privacy, as in many cases, legal obligations for financial institutions go far beyond what is expected from a general private enterprise.
- The discussion paper is generally quite accurate and complete. But technologies, innovations and markets develop at a very fast pace so the discussion has to follow.
- As highlighted under point 25 of the paper, financial services providers have to fulfil different standards than non-financial institutions. This creates a difficulty for financial institutions to compete with Fintechs.
- To be competitive with FinTechs, financial institutions will have to improve the efficient use of consumer data, as data volumes and new sources of data will grow exponentially. Supervisors should ensure a level playing field.
- It is becoming very challenging for financial institutions to track and identify all legal requirements on the mandatory deletion of data and to implement such processes in the ever increasing complexity of the core banking systems.
- With the implementation of the PSD2 legislation, the risk of third party providers (TPPs) hiding the consumer transaction limits the ability of a bank to correctly interpret customers’ needs and to support businesses.
- By using advanced predictive analytics based on additional data points (e.g. variables such as demographic, financial, employment, and behavioral data), banks can significantly enhance their credit scoring mechanisms.

As stated in paragraph 7 of the Discussion Paper on innovative uses of consumer data by financial institutions, it is correct that financial institutions have begun to use customer data in innovative ways and combine internal and external sources of data for the benefit of information gathering and the provision of banking services. It must be noted that such actions are only partially aimed at providing the customer with a better overall customer experience. Many of these necessary steps are taken due to the ever increasing regulatory landscape (e.g. anti-money laundering, fraud or financial sanctions).

Most experience with innovative uses of consumer data is related to personalized offers (next best offer) and marketing/advertising. Mostly, the information used is that generated when customers open an account. It looks like big technology providers are the most advanced in this area due to advanced technology and less regulation of data processing.
Financial institutions mostly use direct personal data provided on a voluntary basis and indirect data derived/extracted from the history created by customer interaction (payment data, browsing data). External data are collected from reliable sources (national statistical offices and land registries) and from data aggregators for data enrichment to improve the 360-degree customer view.

While in general static customer data, such as name, birthdate and contact information/address, are still the most widely used types of customer information (besides any transaction related data), financial institutions also have many other forms of data available. The “Know Your Customer principle”, for example, requires that a financial institution collects sufficient data from its customer, including very detailed information about source of funds, intended transactions and the business model. Fraud prevention/AML also makes it necessary to screen customer information against specific internal and external lists. While in some instances data may be collected that is not legally required, the current legal environment and the heightened regulatory requirements make it less likely that this occurs.

In general the types of customer data depend on the purpose they are used for, as well as on the specification of the national market.
Financial institutions mostly use their own structured data collected from interaction with customers (data from the contractual relationship with the customer and account opening) and from third party registries. They are starting to use marketing data or aggregated data from third parties for data enrichment.

Data sourced from external services providers have become increasingly important for financial institutions. Financial institutions mainly focus on publicly available and reliable information, such as government sources and other official verified sources. However, due to the ever challenging regulatory expectations, private sources have become increasingly important to verify and qualify previously gathered information received from customers/third parties. Certain external providers for example offer information on group structures and beneficial ownership of legal persons which are essential for banks to fulfill their KYC obligations.
The key usage is customer onboarding and monitoring, regulatory reporting, risk evaluation, creditworthiness assessment, product definition and personalized offers. At the current state, it is very likely that customer data is used mainly to fulfill regulatory requirements.

Consumer data is also used by financial institutions to fulfill the contractual relationship with the customer by having an insight into buying habits and their preferences. With such profound knowledge financial institutions can better target their products and services, develop their risk management policies and take process automation decisions. In addition, ID data and payment patterns are used to fulfill legal requirements (e.g. Anti Money Laundering, terrorist financing measures, freezing of accounts). The limits of the use of data will be defined by regulatory provisions.
Financial institutions will collect and store broader data sets. Data volumes and the number of sources of data (Internet of things, sensor data, social data, data partnerships) grow exponentially. Data analytics will become an important battleground for business.
To be competitive, financial institutions will have to, and have to be allowed to, improve the efficient use of consumer data, as data volumes and new sources of data will grow exponentially. The aim is to improve customer services and product quality through data analysis, optimise the credit process, anticipate consumer needs and provide customers with suitable offers at the right time via the right channel (personalised and automated services and products).

In this context it is necessary to protect the databases of credit institutions, which are built up over time with considerable investments and which enjoy copyright protection. These databases are owned by the banks and should therefore not be opened to third parties.

Consumer data will be used in real time and support all distribution channels. Own direct and indirect data will be further enriched by external data collected and provided by specialized third party data providers and data aggregators. Decisions will be taken in real time and will be more precise and personalized.

Institutions will have in their portfolio specific short term and personalized products (reflecting lifestyle, life events, and preferences). Better decisions will increase the competition in pricing due to lower risk contingency and higher market speed. The majority of interactions will be executed through digital channels where advanced analytics will play a key role. The focus on the innovative usage of customer data will extend the entrance of FinTechs that will disrupt current business models.

As it is very likely that the amount of customer data which financial institutions will be required to collect in the future will increase, it is becoming very challenging for financial institutions to track and identify all legal requirements on the mandatory deletion of data and to implement such processes in the ever increasing complexity of the core banking systems. We would therefore appreciate a more lenient and harmonised approach for financial institutions in regard to EU data protection and customer privacy, as in many cases, legal obligations for financial institutions go far beyond what is expected from a general private enterprise.

Of course, misuse of data remains a main issue, as well as external intrusions on banking systems. Such data leaks will continue to pose a challenge regarding the ever increasing costs for data security as well as a significant reputational risk for financial institutions.

Existing scoring methodologies assess creditworthiness based solely on a customer’s financial history. However, in order to ensure a more comprehensive assessment, credit scores should also include additional variables such as demographic, financial, employment, and behavioral data. By using advanced predictive analytics based on these additional data points, banks can significantly enhance their credit scoring mechanisms. FinTechs such as Kreditech or Zest Finance have proven that it is significantly better to use a wider range of data, such as social media, than to focus on a narrow dataset that is often based on correlations or literature assumptions. These innovators are basing their models on the simple assumption that historic behavior may be one leading indicator for future trustworthiness, but they weight the current behavior much higher within their scoring methodology.

Besides the high-priority attention on risk management, banks have not been focused on the overall improvement of customer experience. In particular, the two areas of customer retention and market share growth can be strongly supported by internal consumer data.
From ‘next best offer’ to cross-selling and up-selling, the insights gained from big data analytics allow marketing professionals to make more accurate decisions. Big data analytics allow banks to target specific micro customer segments by combining various data points such as past buying behavior, demographics, sentiment analysis from social media along with CRM data. This helps improve customer engagement, experience and loyalty, ultimately leading to increased sales and profitability.

On the other hand, banks can increase their market share using transaction and propensity models to determine which customers have a credit card or mortgage that could benefit from refinancing at a competitor. This additional information can then be used when the customer contacts the bank through one of the various channels such as online, call center or branch channels. Furthermore, the target picture for banks should be that the various in- and outbound channels can also communicate with each other (e.g. a customer who starts an application online but does not complete it gets a follow-up offer via mail).
The described potential benefits can be considered as comprehensive and accurate. We would just suggest adding the possibility to have real-time offers that are geo specific and time specific. Yet, regarding B15 (sharing consumer data/documentation information with third parties), as it involves an extra consent from the consumer, the banks are not allowed to practice in this way.
In general it should be highlighted that the use of consumer data can lead to massive benefits for customers, such as optimisation of offers and improved product quality.
The existing national data protection law and the EU General Data Protection Regulation (GDPR, applicable from 25 May 2018) set limits to the use of customer data. These limits cannot be overruled by any requirements developed by EBA. But EBA could support the European banking industry by evaluating the intensive use of customer data by credit institutions as useful and beneficial both for the improvement of the customer relationship and for the business operations of the bank. Such an opinion of the EBA could foster balancing of interests to legalize certain data processing.

Furthermore, the work of the joint banking supervisors should not create new, special and restrictive requirements for the use of customer data by financial institutions. There must be a level playing field in the use of customer data between FinTechs and banks.

Looking into the technical side of barriers, the legacy IT infrastructures of financial institutions can create technical barriers to progress (in terms of capacity and cost of maintenance). Some old infrastructures are bottlenecks for banks in putting relevant information to innovative use. FinTech companies have the advantage that they start with a new infrastructure, which means that they do not have to adjust (and invest) to already existing rules. Also, data collection and the innovative use of those data was originally not necessarily in the banks’ core focus, which means that the quality of data that banks have is not necessarily the right one. In addition, organisations also face in some cases a limited skill set with regard to e-privacy issues.

On the one hand, the purpose limitation principle introduced by European data protection law (and reflected in the national data protection laws of the Member States) prevents financial institutions from using consumer data collected in the course of fulfilling contracts or legal obligations for other purposes. Besides the introduction of the non-incompatible-purpose legitimate clause in Art 6 para 4 of the General Data Protection Regulation, industry specific exemptions would benefit further use without the need for the data subject’s consent.
On the other hand, locally regulated banking secrecy might create a burden insofar as internal banking secrecy prevents the use of customer data other than for regulatory purposes or only where relief from banking secrecy is available. Here the EU might influence the Member States on a common approach regarding the secrecy protecting data of bank customers.
Regulatory requirements led to selective improvements of the data infrastructure and system architecture. As proposed in the discussion paper, additional revenue, product quality and cost reduction might be the final result of using consumer data. These “end results” can be achieved if the following challenges have been addressed in advance:
1. Recognition
2. Discovery
3. Modeling and simulation
4. Contextualization
5. Analytics
6. Storage, streaming, security and processing

Each of these disciplines is tackled within separate data infrastructure hubs. Connecting each hub and reasoning over the data gives a holistic picture of the consumer. As a further result, all available data has to be structured to make it useful for analytics, modeling and simulation models. While advancements in the space of consumer data can make financial services faster and more convenient, foster competition in the marketplace and reduce costs, they can also increase security and resilience risks in the underlying IT infrastructure if they are not implemented with due diligence.

Prior to data management, consumer data is only passively recorded through transactional payment or account data. With the implementation of the PSD2 legislation, the risk of third party providers (TPPs) hiding the consumer transaction limits the ability of a bank to correctly interpret the customer’s needs and to support businesses.
Yes, in our view the described risks are quite accurate and almost complete. We suggest only adding that, by using predictive analytics (e.g. neural networks), even financial institutions could rely on decisions where they will not be able to prove causality between input data and decision.

Furthermore, since there is no level playing field between financial services providers which are non-financial institutions (e.g. FinTechs) and financial institutions (in particular banks), consumers may experience a higher risk of breaches of their privacy by the less regulated institutions. Consumers may not be able to distinguish between financial institutions and financial services providers. This risk could be mitigated by applying the same standards for all institutions processing personal and financial data.
We have not observed the mentioned risks materializing. But customers are often not aware that third parties have access to their account. Here more transparency could be applied.
Trade association
Dr. Franz Rudorfer