How US banks are preparing for the GDPR

The race is on for banks to comply with the GDPR, the European Union's landmark data privacy regulation. On May 25, EU companies will no longer be able to collect and use personal data without the individual's consent, under the General Data Protection Regulation. U.S.-headquartered banks and fintech companies with global operations are anxiously preparing to comply with the new rules, anticipating a time when U.S. customers will demand the same protections from their home institutions. GDPR applies to any organization operating within the EU, as well as those located outside of the EU which offer goods or services to customers or businesses in the EU. "Personal data" can include basic personal identifiers like a name, photo, email address or bank details, as well as things like posts on social networking websites, medical information or computer IP addresses. Customers have the right to a copy of the data institutions keep about them, as well as the right to be forgotten, or demand those institutions delete that data. "[GDPR] requires all companies that process personal data to be more diligent with data protection," said Aite senior analyst Ron van Wezel. "Also, the Open Banking Initiative in the U.K. as well as the directive in the EU require banks to share their data with third-party providers, if the customer gives their consent to do so -- the trend in Europe is clearly that customers get firm control of their data." For U.S.-based banks with a global reach, it opens up questions about how to handle EU customer data and make sure they obtain customers' consent to collect and hold their personal information. "Most of the [financial] institutions are getting to know the basics very well; they're embarking on large data discovery projects and examining the legal basis for holding the data," said Shane Nolan, svp of technology, consumer and business services at IDA Ireland, an Irish government agency that advises U.S.-based companies expanding to the EU. "In some cases, the bank may have data they may have acquired from a third-party marketing company and data could be related to prospects." Data ownership and usage is already an increasing concern among everyday consumers thanks to the growing number and size of data breaches that have occurred over recent years, including the massive Equifax breach last summer that compromised data of 145.5 million consumers. The time is right for financial institutions to open direct discussions with customers about data, according to Rivka Gewirtz Little, senior director of product marketing at NICE Actimize, a technology firm helping U.S. banks meet GDPR requirements. "Institutions need to start that conversation with their consumers and educate them about what they do with their data," she said. "Use of data [to prevent] financial crimes isn't the same thing as data collection for marketing." In recent years, banks have seen customer data as an important intelligence source for personalized marketing offers or customer experiences. U.S.-based bankers are increasingly aware of the necessity to acquire customer data while balancing privacy concerns of customers. But banks need to go back to the subjects to confirm their consent to hold the data. Companies that don't comply with GDPR risk between 2 and 4 percent of their revenue. The biggest challenge for large banks is understanding where their data is stored, which vendors may have accessed it due to contractual obligations and how to stay compliant with the consent rules, as prescribed by the GDPR. It's easier for fintech startups, however, which are unburdened by legacy systems. "Different companies are at different stages -- everybody has to do the discovery process, and the downstream effect is that this is going to be an ongoing process, a continuous feedback loop that becomes part of the fabric of how they do business," said Baber Amin, who works at the office of the chief technology officer at Ping Identity, a company that offers identity and access management solutions for banks. U.S. bankers are watching their European counterparts, anticipating a day they themselves lose their monopoly on customer data to merchants and retailers like Amazon (with customers’ permission). They've been working to get ahead of their own regulators when it comes to creating data exchange standards, knowing it can take 18 to 36 months to get a framework in place. It’s better that banks prescribe those standards themselves than let outsiders, such as regulators or giant retailers slowly encroaching on the financial services industry, come in and do it for them, according to Kevin Kohut, global API strategy lead at Accenture. “If we don’t do it now organically, with everyone cooperating and collaborating, then at some point, some entity — government or otherwise — will order us to do it,” Kohut said. “And they may or may not prescribe the best way to do it.”