In the debate over how consumers' data can be used by retailers and marketers, banks seem largely paralyzed on the issue, letting others argue the merits of more or less data access. Yet with the push for data privacy possibly leading to costly new regulations, now is the time for banks to weigh in. If they don't, they run the risk that the public policy debate could eventually hurt their historical "trusted agent" position.
The current data privacy debate is contentious and unproductive. At one extreme are powerful digital aggregators and fintech players arguing that they must be free to mine and use consumer data without restrictions in order to bring consumers convenience, choice and better service. At the other extreme, consumer advocates contend that data mining and sharing is a fundamental violation of consumer privacy. As the two camps go on arguing in circles, digital commerce is rapidly expanding — online shopping accounted for 39% of 2015 U.S. holiday sales — exposing consumer data to unprecedented vulnerabilities.
Banks may be cautious about wading into the debate since the two extremes seem impractical. They would not want to be seen calling for unfettered freedom for businesses to use and share consumer data, nor are they likely to support making all consumer data off limits. But there is an alternative solution in between: putting consumers in the driver's seat of deciding how their data can be used and by whom.
The U.S. has a history of enacting regulations in reaction to "data privacy" crises. Nixon-era abuses triggered the creation of a special Senate committee led by Frank Church to look into government spying on civilians, which in turn led to the 1978 Right to Financial Privacy Act. More recently, the 2015 Cybersecurity Information Sharing Act was in part a response to the 2013 Target data breach, and some of Facebook's practices have triggered a call for congressional hearings. And so it goes.
There has been a strong call for privacy protections in the wake of the Edward Snowden revelations about government snooping. But how might U.S. lawmakers and regulators react to a private-sector version of that story: a company using consumer data in highly invasive and objectionable ways? The consequence could be painful restrictions on how companies, including banks, access and use data.
One template for how government policymakers could respond in such an event is the onerous restrictions of the European Union Data Protection Directive, which is a favorite model of many privacy and consumer advocates in the U.S. The populist and often anti-bank rhetoric of this year's presidential primary campaign further underscores that, in the wake of a crisis around data privacy, banks could be saddled with heavy new regulatory burdens even though they likely played no part in the triggering crisis.
As tech aggregators and consumer advocates continue to approach the issue from opposite ends, banks could take a high road that calls for neither unlimited access by businesses to consumer data nor a complete clampdown.
Specifically, banks could support empowering consumers to take charge of their own data exposure by allowing them to set their own risk tolerances regarding data sharing. There are already multiple precedents for this type of path. The Truth in Lending Act helps consumers make informed choices about the release of their information during the credit process. The Health Insurance Portability and Accountability Act empowers individuals to decide how much of their medical history to reveal and to whom.
Research by Pew and others has long shown that consumers are willing to share information — if they can choose when and where — and that most favor opt-in approaches that would give them more control over how their personal data is collected and used.
Banks could also take an active role in building data aggregation platforms that help consumers strike a balance between sharing and privacy, thereby creating new revenue streams and differentiating the financial services sector from other players in digital commerce.
Taking a more proactive role in the privacy debate might require banks to step outside of their comfort zone. But doing so now is preferable to letting other voices and events determine the eventual policy.
Bob Hedges is a partner and global leader of the Financial Institutions Practice at A.T. Kearney, a global strategy and management consulting firm. He can be reached at firstname.lastname@example.org.