Open banking opens a world of potential data mistakes for banks

Register now

Just prior to the General Data Protection Regulation (GDPR) going into effect both Europe and Britain instituted open banking policies that are pushing many large banks to open up their data, simultaneously allowing consumers to opt in to making this data available to third parties.

By opening up their client data in a secure way, banks allow third-party processors to build their own applications and services around the data, using application programming interfaces (APIs). In short, this new mandate diminishes banks’ hard-earned ownership of the customer relationship.

The advent of this is particularly unwelcome, coming, as it does, at a time when many people not only question the role of a bank after the recent financial crisis and gradual digitization of banking services, but also when their relationship with technology has changed. Twenty years ago, a company could dictate the technology that customers used to interact with them, but now customers decide through which technology or channel they use to interact, and how you, as a bank fit within their own personal value chain.
Banks are therefore under pressure to reinvent the relationship they have with their customer. If they don’t, there is a very real risk of third parties swiping this away, relegating banks to providing only the “pipes and wires” of financial transactions. While open banking is intended to empower customers to take control of their finances, make better-informed decisions and manage multiple accounts through a single application, the law of unintended consequences could kick in if banks realize data’s potential, yet forget about the human factor. Here are four ways this could happen:

Gathering too much data, or the wrong types of data. Banks may decide to aggregate financial data from other institutions themselves, but then add additional data such as social media, search history, etc., in order to build a customer profile that is as complete as possible. In doing so, they would be creating a “social graph” much like Facebook’s. The question then arises: Are they collecting too much data, or even the wrong type of data? At this stage, people may be forgiven for asking what business banks are in: Are they trying to provide better service, or gathering data for the sake of it? “Helpful” could turn into “malicious.”

Acting too often on data, or in ways that are intrusive. Once banks have rich data pools, they’ll want to act on it. This might happen through the provision of better deals, timely reminders, helping with automated budgeting, and so on. Potentially, notifications can be disruptive if they come too thick and fast. Furthermore, banks may wish to act in good faith, but cross the thin line of privacy almost unwittingly. When someone suddenly makes three purchases from Mothercare while they’d never previously done so, it’s likely they are pregnant, and may actually benefit from certain products and services. But surfacing these “just-right offers” at that time may be deemed as barging into someone’s private life. "Helpful" quickly morphs into "creepy."

Using data primarily for upselling, rather than insight provision. Most banks are publicly quoted and under short-term pressure to placate Wall Street. Cross-selling and upselling are powerful tools to drive additional revenue from a captive audience, as last year’s Wells Fargo debacle proved. Serving the right product at the right time is part of a successful customer service strategy, but if it becomes the key driver then it may result in the wrong customer outcomes. “Helpful” then becomes “forceful.”

Using data as a profit pool, rather than as an asset. Notably, banks have traditionally viewed the custody and protection of their clients’ data as a responsibility, more of a stewardship role than an asset to be commercialized. However, it is often argued that data is the new oil—and oil is very valuable. Banks may start to see customer data as a profit pool, rather than as a means to better service, and in doing so try to find ways to sell on the data. "Helpful" now looks more like "irresponsible."

And there are at least four pitfalls in view as banks try to meet the new data realities:

1. Regulatory risk. GDPR has brought in more and more regulation around use of data, specifically in Europe. As banks will be dealing with incredibly sensitive personal and financial data, there is a huge risk of data being misused inadvertently, thus opening the risk of massive fines.

2. Security risk. Data loss, identity theft, data protection violations, money laundering and financing terrorism: Accessing customer banking data has always been near the top of hackers’ wish list. In open banking, aggregated customer data such as transactions and balances held in a third-party provider’s infrastructure and servers (open APIs) pose a significant risk to cybersecurity.

3. Fraud risk. As open banking ecosystem serves as a platform for numerous stakeholders such as data providers, third-party providers, customers, regulators and government agencies, friction due to information asymmetry could emerge between the counterparties involved in a contract that makes use of customer data. This what happened in the Facebook-Cambridge Analytica breach. The risk of information asymmetry is inherent—for example, in predatory lending, financial institutions target financially unsophisticated borrowers to forcibly opt for the firm’s financial products.

4. Reputational damage. Arguably, this frightens banks the most. According to the Edelman Trust Index, 2018 saw a 20-point drop in trust in U.S. financial institutions. In fact, financial services (54 percent) was once again the least trusted sector along with consumer packaged goods (60 percent) and automotive (62 percent). While any of the previous risks would cause some issues, a major news story that data had leaked, technology had broken, or even that customer experience was poor could cause significant reputational damage to a bank.

For reprint and licensing requests for this article, click here.
Payment processing Compliance GDPR ISO and agent