How US banks are preparing for the GDPR

  • U.S. banks and financial companies that operate in the EU or serve EU-based customers will soon need to comply with regulations that give customers control over how their data is used
  • The biggest challenge for banks is to track where customer data has been shared and to develop protocols to meet consent requirements

The race is on for banks to comply with the GDPR, the European Union’s landmark data privacy regulation.

On May 25, EU companies will no longer be able to collect and use personal data without the individual’s consent, under the General Data Protection Regulation. U.S.-headquartered banks and fintech companies with global operations are anxiously preparing to comply with the new rules, anticipating a time when U.S. customers will demand the same protections from their home institutions.

GDPR applies to any organization operating within the EU, as well as those located outside the EU that offer goods or services to customers or businesses in the EU. “Personal data” can include basic personal identifiers like a name, photo, email address or bank details, as well as things like posts on social networking websites, medical information or computer IP addresses. Customers have the right to a copy of the data institutions keep about them, as well as the right to be forgotten, meaning they can demand that those institutions delete that data.

“[GDPR] requires all companies that process personal data to be more diligent with data protection,” said Aite senior analyst Ron van Wezel. “Also, the Open Banking Initiative in the U.K. as well as the directive in the EU require banks to share their data with third-party providers, if the customer gives their consent to do so — the trend in Europe is clearly that customers get firm control of their data.”

For U.S.-based banks with a global reach, it opens up questions about how to handle EU customer data and make sure they obtain customers’ consent to collect and hold their personal information.

“Most of the [financial] institutions are getting to know the basics very well; they’re embarking on large data discovery projects and examining the legal basis for holding the data,” said Shane Nolan, svp of technology, consumer and business services at IDA Ireland, an Irish government agency that advises U.S.-based companies expanding to the EU. “In some cases, the bank may have data they may have acquired from a third-party marketing company and data could be related to prospects.”

Data ownership and usage is already an increasing concern among everyday consumers thanks to the growing number and size of data breaches that have occurred over recent years, including the massive Equifax breach last summer that compromised data of 145.5 million consumers. The time is right for financial institutions to open direct discussions with customers about data, according to Rivka Gewirtz Little, senior director of product marketing at NICE Actimize, a technology firm helping U.S. banks meet GDPR requirements.

“Institutions need to start that conversation with their consumers and educate them about what they do with their data,” she said. “Use of data [to prevent] financial crimes isn’t the same thing as data collection for marketing.”

In recent years, banks have seen customer data as an important intelligence source for personalized marketing offers or customer experiences. U.S.-based bankers are increasingly aware of the necessity to acquire customer data while balancing privacy concerns of customers. But banks need to go back to the subjects to confirm their consent to hold the data. Companies that don’t comply with GDPR risk between 2 and 4 percent of their revenue.

The biggest challenge for large banks is understanding where their data is stored, which vendors may have accessed it due to contractual obligations and how to stay compliant with the consent rules, as prescribed by the GDPR. It’s easier for fintech startups, however, which are unburdened by legacy systems.

“Different companies are at different stages — everybody has to do the discovery process, and the downstream effect is that this is going to be an ongoing process, a continuous feedback loop that becomes part of the fabric of how they do business,” said Baber Amin, who works at the office of the chief technology officer at Ping Identity, a company that offers identity and access management solutions for banks.

U.S. bankers are watching their European counterparts, anticipating a day they themselves lose their monopoly on customer data to merchants and retailers like Amazon (with customers’ permission). They’ve been working to get ahead of their own regulators when it comes to creating data exchange standards, knowing it can take 18 to 36 months to get a framework in place. It’s better that banks prescribe those standards themselves than let outsiders, such as regulators or giant retailers slowly encroaching on the financial services industry, come in and do it for them, according to Kevin Kohut, global API strategy lead at Accenture.

“If we don’t do it now organically, with everyone cooperating and collaborating, then at some point, some entity — government or otherwise — will order us to do it,” Kohut said. “And they may or may not prescribe the best way to do it.”
