It’s hard to disagree with the notion that consumers should have the right to securely share their data with whatever company they please. The Financial Industry Regulatory Authority and Securities Industry and Financial Markets Association have both started dialogues on this topic, while three retail financial data aggregators, Envestnet’s Yodlee, Quovo and Morningstar’s ByAllAccounts, recently partnered to develop a data-sharing framework.
Yet while these conversations indicate that this topic is gaining importance here in the United States, none of the recent announcements make any concrete recommendations on how to improve the data-sharing process — they focus on setting “core principles” instead.
Instead of debating fuzzy concepts, the industry should look more closely at data privacy rules in Europe as a benchmark for a best practice in protecting identity. The General Data Protection Regulation, which goes into effect on May 25, ensures that companies prioritize the security of data. GDPR is a 200-page guide to help companies, including banks, ensure consumers are in control of how their information is protected and with whom it can be shared.
Many U.S. banks will have to comply with GDPR to serve their European customers anyway; therefore, it would be more efficient for the U.S. market to adopt GDPR-like conventions and to streamline their implementation efforts around the standard.
While GDPR lays out certain policies and behaviors, it does not dictate how to address its central principals. This is an area in which the discussion must move quickly. Full implementation of a GDPR-like protocol will require a complete retooling of information-management platforms across financial services. New technologies are needed to support a globally safe data-sharing ecosystem, not solely a reliance on agreements to implement best practices or large cyber insurance policies.
The current state of data sharing in retail banking and wealth management relies on a consumer giving his bank credentials to a third-party service. Specifically, consumers give their bank credentials to a third-party app so it can log onto a system holding their information and “scrape” financial data from the webpages. While consumers may not be aware of the danger of sharing credentials to their bank accounts, the industry is. Screen scraping should not be a permissible form of consent for accessing customer data — it exposes customer information to many forms of abuse, potentially including a fraudster transacting within the customer’s account. Consumer consent is a core tenet of GDPR, and new methods of obtaining that consent that do not violate consumer privacy, and which cannot be circumvented, need to be developed.
The industry needs to adopt the concepts of strongly protected centralized repositories of personally identifiable information that separate this information from the mountains of data about the consumer. This process of anonymization, including tokenizing information and segregating storage, ensures the bulk of data stored in systems cannot be easily associated with an individual and, therefore, cannot be used nefariously.
To understand the importance of anonymization, consider the Equifax breach, which led to the compromising of personal information, including Social Security numbers, for 143 million customers. The breach of their servers is believed to have been caused by the company’s failure to implement a security patch on a server. I strongly believe if the company had implemented an anonymized architecture, the breach of their systems would not have produced a breach of consumer data.
There are many more areas where technology can help serve as a solution. For example, financial institutions need to be able to know with certainty where every copy of a consumer’s information is stored to ensure it is adequately protected and that they can satisfy the consumer’s GDPR right “to be erased.”
Crucially, the banking industry needs to resolve to provide leadership and standards for a GDPR-like protocol here in the United States in advance of potentially disruptive regulation. Banks, which are primary collectors and controllers of data, are already doing much of the heavy lifting to protect data. Therefore, it is natural for banks to lead the charge on industrywide conventions, rather than fintech companies or nonoperating industry groups with little accountability. Banks are not the weak link in the ecosystem and they need to raise the bar in their service-level agreements with technology firms and to compel broad industry compliance.
Ultimately, the future of banking will rely on a globally trusted information-management ecosystem. The financial services industry should take the lead in building it here in the U.S. following the GDPR protocol, as it is now a reality that the industry will have to implement to do business with European concerns. An efficient, trusted flow of data will provide endless opportunities for banks to streamline operations and better serve consumers. GDPR provides a road map — industry resolve will drive investment and innovation.