We are a financial institution with global presence (EU, Turkey and the Americas). As a result we generate very rich data about the activity of our clients, both individuals and companies.
Financial institutions manage many types of consumer data. The most used according to paragraph 16 of the DP are:
-Property ownership details
-Education and professional details
All the financial data included in paragraph 17 is widely used. Financial institutions use different subsets of these data types for different business processes (risk management, fraud management, customer service, reporting to supervisors, marketing, ...).
There are two main sources of data: internal and external. The former refers to the information retrieved from the activity of identified individuals (our clients and their counterparties). The use of personal data (i.e. data that allow the identification of an individual data subject) allows the most accurate analysis towards the improvement of our services. The latter is mainly based on publicly available statistics that typically describe consumption trends. More importantly, these are aggregated (or anonymized) and, as such, serve as a framework to provide context for the aforementioned analyses of individual behaviour.
Financial institutions may also rely on external data related to identified individuals, such as credit bureau data, which FIs may access with the prior consent of the data subject.
Financial institutions mostly rely on internal data sources, as they usually provide more detailed/granular information about customers and we are able to control data quality assurance, something not always possible with external data sources.
Regarding internal sources of data there are different subsets: First, there is the information directly declared by our clients, for instance during the KYC process. This is largely static - e.g. gender, date of birth, address, etc. Second, there is the information generated during the use of services and products contracted by our clients (insurance, mortgages, loans…). And last, there is the footprint of their interaction with us throughout the different channels (web, mobile, branch…).
Customer feedback and satisfaction information is also used by FIs in order to improve customer relationships.
Clients must be engaged in the digital world, and that implies the design of frictionless journeys (from personalization to anticipation). Then there is the provision of new financial products (and better versions of the current ones) to keep up with the evolution of the industry. And finally, there is increasing interest in the provision of new non-financial products based on the knowledge derived from our activity that could help our customers make better decisions, always striking the right balance between innovation and personal data protection.
Granting or getting access to consumer data with the appropriate consent from the data subject will probably become a standard practice in the financial services industry, instead of a competitive edge. As a result, there will be an improved and larger supply of innovative products and services. Second, user experience will improve and financial institutions will be able to offer more customized products. Third, we expect prices for financial products to be driven down, especially as banks can better estimate the inherent risk of their clients. As an example, clients will be able to obtain more personalized offers, and hence better prices, once they decide to share the data controlled by a certain financial institution with third parties.
On the other hand, we look forward to having a level playing field for financial institutions and non-financial corporations regarding access to personal data. The revised Payment Services Directive (PSD2) will grant standardized access to payment accounts to third-party providers acting on behalf of a client. Since the recent General Data Protection Regulation already recognises the individual right to data portability, authorities should guarantee access in a direct, standardized and automated format to personal data held in other digital platforms, where the data subject consents. Today, GDPR does not guarantee technical interoperability in the portability of data, nor direct communication between data controllers, unless it is "technically feasible" (a concept yet to be clarified). A level playing field in access to personal data is essential for banks to be able to build better products and services for our customers, based on more accurate information about their needs and preferences.
We generally agree with the benefits highlighted in the DP. As discussed in the previous question, prices being driven towards perfect competition may well be a major improvement for consumers. The rise of new data-driven companies that focus on underpinning more evidence-based decisions will also have positive outcomes. Clients will be able to make more informed and, hence, better financial decisions.
Finally, sharing the information with public bodies and supranational organizations can make a significant contribution to shaping new social development strategies. Moreover, access to more data by these bodies may lead to a better understanding of social and economic challenges, and promote financial inclusion.
Large organizations often face internal barriers to the legitimate and beneficial use of consumer data, such as the lack of a data-driven culture. Overcoming these limitations requires skills across financial institutions to be upgraded and technology to be adapted to the latest paradigms. In a nutshell, it implies moving from traditional finance roles into the digital/technological arena.
For most financial institutions, trust is a key element in the relationship with our clients. For this reason we constantly assess whether to launch new products or services, aiming to exceed customers' trust expectations while complying strictly with data and consumer protection regulations. In some cases this could create a self-imposed barrier to innovation, but we believe that this is the best way to develop long-lasting, win-win relationships with our clients.
We also see the following potential barriers:
-As an international company with a wide footprint we see that data protection laws are not homogeneous in all the territories in which we operate. Specifically, unjustified data location restrictions should be tackled.
-This is especially important when addressing issues related to cross-border data flows, which increase the complexity of managing data and make it more difficult to have a whole-picture view at the group level.
-The lack of standards for sharing customer data between data controllers could slow the pace at which financial institutions are able to use data controlled by non-financial third parties. Achieving greater industry standardization and promoting direct personal data sharing could boost innovation and enable financial institutions to offer better products and services to our clients.
-Banks have more legal requirements regarding privacy than non-financial or new players (so-called fintechs). This could result in an uneven playing field with a competitive disadvantage for banks. All the agents in the financial services industry should be subject to the same requirements in relation to privacy, as long as they incur the same risks and provide similar services.
Just a couple of comments about the risks described in the DP. Data protection and privacy concerns are already addressed in the new General Data Protection Regulation (GDPR). GDPR aims at the harmonisation of European data protection rules throughout the Union and for all sectors. Consequently, we think that privacy and data protection issues should be governed by sector-neutral regulations. GDPR is one of the most advanced regulatory frameworks in the world regarding personal data protection, with high-standard safeguards for consumers and their data, empowering the data subject. It applies to any company that controls or processes EU citizens' data.
On the other hand, most of the risks identified in the DP, related to financial institutions data security, and to the integrity of the financial sector, are general risks that have existed since IT systems have been used for processing customer data. Those risks are not new or specific to innovative uses of consumer data.
In our view, financial institutions have historically dealt effectively with these risks and will continue to take care of them in the future, devoting even more effort and resources to empowering European citizens in the legitimate exercise of their rights. There is no need for specific regulations for the financial sector, especially bearing in mind that the new GDPR reinforces personal data protection in the EU.
As a financial institution we always ensure that our business decisions meet (if not exceed) regulatory requirements. We comply with all data protection legislation and we are especially careful with the processing of personal data, since it is the basis for sustainable client trust in our institution.
Risks related to data security, or to the potential theft, hacking or leaking of customer data, are present in any company's day-to-day operations and, of course, also in the operations of financial institutions. For this reason, banks invest heavily in cybersecurity solutions and design every product, service and process with security in mind. We believe that the risks described above have existed since IT systems have been used for processing customer data. They will keep existing and are not specific to innovative uses of consumer data in the financial sector. As underlined in the response to the previous question, we are certain that there is no need for specific regulation in this field for the financial sector.