How US banks are preparing for the GDPR

  • U.S. banks and financial companies that operate in the EU or serve EU-based customers will soon need to comply with regulations that give customers control over how their data is used
  • The biggest challenge for banks is to track where customer data has been shared and to develop protocols to meet consent requirements

The race is on for banks to comply with the GDPR, the European Union’s landmark data privacy regulation.

On May 25, EU companies will no longer be able to collect and use personal data without the individual’s consent, under the General Data Protection Regulation. U.S.-headquartered banks and fintech companies with global operations are anxiously preparing to comply with the new rules, anticipating a time when U.S. customers will demand the same protections from their home institutions.

GDPR applies to any organization operating within the EU, as well as those located outside of the EU which offer goods or services to customers or businesses in the EU. “Personal data” can include basic personal identifiers like a name, photo, email address or bank details, as well as things like posts on social networking websites, medical information or computer IP addresses. Customers have the right to a copy of the data institutions keep about them, as well as the right to be forgotten, or demand those institutions delete that data.

“[GDPR] requires all companies that process personal data to be more diligent with data protection,” said Aite senior analyst Ron van Wezel. “Also, the Open Banking Initiative in the U.K. as well as the directive in the EU require banks to share their data with third-party providers, if the customer gives their consent to do so — the trend in Europe is clearly that customers get firm control of their data.”

For U.S.-based banks with a global reach, it opens up questions about how to handle EU customer data and make sure they obtain customers’ consent to collect and hold their personal information.

“Most of the [financial] institutions are getting to know the basics very well; they’re embarking on large data discovery projects and examining the legal basis for holding the data,” said Shane Nolan, svp of technology, consumer and business services at IDA Ireland, an Irish government agency that advises U.S.-based companies expanding to the EU. “In some cases, the bank may have data they may have acquired from a third-party marketing company and data could be related to prospects.”

Data ownership and usage are already an increasing concern among everyday consumers thanks to the growing number and size of data breaches in recent years, including the massive Equifax breach last summer that compromised the data of 145.5 million consumers. The time is right for financial institutions to open direct discussions with customers about data, according to Rivka Gewirtz Little, senior director of product marketing at NICE Actimize, a technology firm helping U.S. banks meet GDPR requirements.

“Institutions need to start that conversation with their consumers and educate them about what they do with their data,” she said. “Use of data [to prevent] financial crimes isn’t the same thing as data collection for marketing.”

In recent years, banks have seen customer data as an important intelligence source for personalized marketing offers or customer experiences. U.S.-based bankers are increasingly aware of the need to acquire customer data while balancing customers' privacy concerns. But banks need to go back to the data subjects to confirm their consent to hold the data. Companies that don’t comply with GDPR risk fines of between 2 and 4 percent of their revenue.

The biggest challenge for large banks is understanding where their data is stored, which vendors may have accessed it due to contractual obligations and how to stay compliant with the consent rules, as prescribed by the GDPR. It’s easier for fintech startups, however, which are unburdened by legacy systems.

“Different companies are at different stages — everybody has to do the discovery process, and the downstream effect is that this is going to be an ongoing process, a continuous feedback loop that becomes part of the fabric of how they do business,” said Baber Amin, who works at the office of the chief technology officer at Ping Identity, a company that offers identity and access management solutions for banks.

U.S. bankers are watching their European counterparts, anticipating a day they themselves lose their monopoly on customer data to merchants and retailers like Amazon (with customers’ permission). They’ve been working to get ahead of their own regulators when it comes to creating data exchange standards, knowing it can take 18 to 36 months to get a framework in place. It’s better that banks prescribe those standards themselves than let outsiders, such as regulators or giant retailers slowly encroaching on the financial services industry, come in and do it for them, according to Kevin Kohut, global API strategy lead at Accenture.

“If we don’t do it now organically, with everyone cooperating and collaborating, then at some point, some entity — government or otherwise — will order us to do it,” Kohut said. “And they may or may not prescribe the best way to do it.”
