How US banks are preparing for the GDPR

  • U.S. banks and financial companies that operate in the EU or serve EU-based customers will soon need to comply with regulations that give customers control over how their data is used
  • The biggest challenge for banks is to track where customer data has been shared and to develop protocols to meet consent requirements
The race is on for banks to comply with the GDPR, the European Union’s landmark data privacy regulation.

On May 25, EU companies will no longer be able to collect and use personal data without the individual’s consent, under the General Data Protection Regulation. U.S.-headquartered banks and fintech companies with global operations are anxiously preparing to comply with the new rules, anticipating a time when U.S. customers will demand the same protections from their home institutions.

GDPR applies to any organization operating within the EU, as well as those located outside of the EU that offer goods or services to customers or businesses in the EU. “Personal data” can include basic personal identifiers like a name, photo, email address or bank details, as well as things like posts on social networking websites, medical information or computer IP addresses. Customers have the right to a copy of the data institutions keep about them, as well as the right to be forgotten, or to demand that those institutions delete that data.

“[GDPR] requires all companies that process personal data to be more diligent with data protection,” said Aite senior analyst Ron van Wezel. “Also, the Open Banking Initiative in the U.K. as well as the directive in the EU require banks to share their data with third-party providers, if the customer gives their consent to do so — the trend in Europe is clearly that customers get firm control of their data.”

For U.S.-based banks with a global reach, it opens up questions about how to handle EU customer data and make sure they obtain customers’ consent to collect and hold their personal information.

“Most of the [financial] institutions are getting to know the basics very well; they’re embarking on large data discovery projects and examining the legal basis for holding the data,” said Shane Nolan, svp of technology, consumer and business services at IDA Ireland, an Irish government agency that advises U.S.-based companies expanding to the EU. “In some cases, the bank may have data they may have acquired from a third-party marketing company and data could be related to prospects.”

Data ownership and usage is already an increasing concern among everyday consumers thanks to the growing number and size of data breaches that have occurred over recent years, including the massive Equifax breach last summer that compromised data of 145.5 million consumers. The time is right for financial institutions to open direct discussions with customers about data, according to Rivka Gewirtz Little, senior director of product marketing at NICE Actimize, a technology firm helping U.S. banks meet GDPR requirements.

“Institutions need to start that conversation with their consumers and educate them about what they do with their data,” she said. “Use of data [to prevent] financial crimes isn’t the same thing as data collection for marketing.”

In recent years, banks have seen customer data as an important intelligence source for personalized marketing offers or customer experiences. U.S.-based bankers are increasingly aware of the need to acquire customer data while balancing customers’ privacy concerns. But banks need to go back to the data subjects to confirm their consent to hold the data. Companies that don’t comply with GDPR risk fines of between 2 and 4 percent of their revenue.

The biggest challenge for large banks is understanding where their data is stored, which vendors may have accessed it due to contractual obligations and how to stay compliant with the consent rules, as prescribed by the GDPR. It’s easier for fintech startups, however, which are unburdened by legacy systems.

“Different companies are at different stages — everybody has to do the discovery process, and the downstream effect is that this is going to be an ongoing process, a continuous feedback loop that becomes part of the fabric of how they do business,” said Baber Amin, who works at the office of the chief technology officer at Ping Identity, a company that offers identity and access management solutions for banks.

U.S. bankers are watching their European counterparts, anticipating a day they themselves lose their monopoly on customer data to merchants and retailers like Amazon (with customers’ permission). They’ve been working to get ahead of their own regulators when it comes to creating data exchange standards, knowing it can take 18 to 36 months to get a framework in place. It’s better that banks prescribe those standards themselves than let outsiders, such as regulators or giant retailers slowly encroaching on the financial services industry, come in and do it for them, according to Kevin Kohut, global API strategy lead at Accenture.

“If we don’t do it now organically, with everyone cooperating and collaborating, then at some point, some entity — government or otherwise — will order us to do it,” Kohut said. “And they may or may not prescribe the best way to do it.”
