When open banking and data privacy collide
Data has evolved into a defining force in retail banking, but as banks formulate their strategies for the next decade, data is likely to become both a greater tool for success and a source of risk.
The volumes of data created by the digital world will continue to grow at an exponential rate, and banks will need to keep building the skills and capabilities to leverage it for growth. However, the spread of open banking and data privacy regulations will reshape how banks collect and use data for years to come.
Open banking regulations that require banks to share account data with third parties at customers’ request have been implemented in Europe, Australia and Singapore. Though no such regulation exists in the U.S. today, major banks are already implementing open data sharing through application programming interfaces so their customers can benefit from third parties’ access to their data. U.S. Bank, for example, recently signed a number of data sharing agreements with fintech startups and is opening up customer data through APIs.
Banks that implement such changes stand to benefit from new customer offerings and revenue sources. In the United Kingdom, where an open banking mandate for the country’s biggest banks went into effect last year, banks are projected to gain more than $9 billion in new revenue thanks to open banking by 2022.
There’s a wide variety of opportunities for banks to improve their bottom line through open APIs. Licensing fees can allow banks to collect recurring revenue from third parties using their APIs to connect to customer information. Banks can also partner with third-party providers — including fintech startups — to create new personalized products that leverage APIs for customer data, and potentially share revenue from those products.
On the cost-cutting side, APIs can help reduce the manual back-office work involved in verifying customer information for new credit applications and other uses.
Even though open banking may not become mandated in the U.S., banks here must start exploring these opportunities to keep their business and customer relationships strong as the industry’s landscape grows more digital. Top banking technology providers have already rolled out open banking capabilities to support their customers doing business in jurisdictions with open banking regulations.
While open banking can create new monetization opportunities, the growing prevalence of data privacy regulations around the world could bring new data-driven risks. This trend started overseas with the European Union’s General Data Protection Regulation, but it’s now coming to the U.S. through California's Consumer Privacy Act, which takes effect next year.
The law broadly applies to nearly any major company doing business in the state of California. It offers consumers many of the same powers and protections as GDPR, including the right to tell businesses not to share or sell their data, and the so-called “right to be forgotten.”
Several other states, including New York, are considering similar data privacy legislation.
At the same time, several companies have been hit by European regulators with major fines for GDPR violations, and U.S. companies are now bracing for a similar result.
Though open banking and data privacy can seem to be at odds with each other, both have an important common factor: They require that customers have more control over their data.
Banks will have to adjust to new requirements around transparency and customer access to data. However, bankers shouldn’t approach compliance with the attitude of locking customers’ data up and throwing away the key.
Instead, banks will need to ensure customers understand how and why their data is being used — both by the bank and external parties — and how the customer is benefiting from that use. Then banks will need to put the right tools in place for the customer to take command in terms of granting or blocking access to their data.
Investing in more modern, flexible infrastructures will also help in this respect by making it easier for banks to plug in different compliance controls and solutions to meet requirements in different jurisdictions — a need that will grow urgent as more states pass their own data privacy laws. Of course, banks will also need to continue to invest heavily in cyberdefenses to protect that data from harmful attackers.
Banks should implement these changes with the intent of becoming their clients’ go-to source for advice on data, providing the information, controls and protections for customers to safely share their data with other parties, when and where it benefits them. As public concerns around data privacy continue to grow, this can help banks keep their coveted “trusted adviser” position as they incorporate digital technologies that will accelerate change for businesses and consumers in the 2020s.