Data privacy has become a hot topic in the news thanks to failures in security and concerns about how companies are using the personal data they collect about their customers or users. Facebook, for instance, faced scrutiny over its handling of consumer data both in the U.S. and in the U.K.
Data privacy concerns are particularly paramount for companies in the financial and healthcare sectors. Banks and other financial institutions manage a large volume of sensitive information about their customers, and the breach of such data can have dire consequences. As we increasingly depend on the cloud to store information and conduct financial transactions online, data privacy concerns continue to grow.
Concerns around protecting consumer information drove the European Union to create new laws that require companies to implement tighter security to protect consumer information while guaranteeing consumers certain rights related to their personal data. In addition, all 50 states in the USA have now implemented their own data breach notification laws.
We’ve developed this guide to help banks and financial institutions get a handle on the ins and outs of data privacy, including how it affects the way they conduct business and the potential ramifications for failing to adequately protect sensitive customer data.
The importance of data privacy
Data privacy refers to who’s allowed access to consumer information provided to institutions with whom they’ve entered into a business relationship. Workers at banks need certain information to verify the identities of those accessing an account belonging to a client. Financial advisors require certain client data to enter into a transaction on the behalf of those holding an account with them. Employees in another area may also need this information for other functions within a bank or financial firm.
Problems arise with data security when employees, security officials, and others tasked with protecting sensitive information fail to follow adequate security protocols. They may become careless about leaving their credentials lying around at home or in public places, and that lapse gives attackers an easy way into their company’s internal systems. Other issues arise when the networks and web applications an institution exposes don’t have enough safeguards to keep out attackers looking to steal data. And because attackers refine their methods by the day, ensuring that a company’s data security measures remain adequate is an ongoing and complex task.
Customers use their bank cards for transactions trusting that their banking institution has proper security in place to prevent their information from being stolen. They’re also putting confidence in the fact that your institution won’t abuse that information by selling it for other purposes without their explicit permission.
According to SQN Banking Systems, the five biggest threats to a bank’s cybersecurity include:
- Unencrypted data
- Non-secure third-party services
- Manipulated data
High-profile security breaches have made things even more complex for financial institutions. Julie Knudson, in an article for ABA Banking Journal, points out that the Equifax breach (which impacted even more consumers than originally thought) “broadened the risk profile for many organizations”, noting that this massive, widespread breach is likely going to be a catalyst for changing regulatory expectations. What’s more, other threat vectors such as ransomware have only become increasingly common and more effective, despite financial institutions ramping up efforts to mitigate these risks.
The blurry line of consent
The issue of consent gets blurred in this age of digital exchange. Consumers might not realize what rights they’re signing away in a contract or other agreement with a bank or financial institution. They might not fully understand the sensitive nature of the data they’re providing, or the consents they’re granting when they utilize banking websites or apps.
Many marketing firms will pay top dollar to learn about the habits of individuals as a way of finding better ways to target advertising efforts their way. Selling user or customer data isn’t a practice that all organizations engage in, but some do, and consumers aren’t always clearly informed about how their data will be used or with what other entities their information may be shared.
With data-driven innovations such as open banking transforming the customer experience, banks and other financial institutions may struggle with finding the balance between maximizing the customer experience and ensuring adequate security for sensitive data. The crux of the matter is that banks need to leverage big data in order to keep pace in today’s highly competitive landscape, yet one misstep with sensitive consumer data can have lasting damage on an institution’s reputation – and consumer trust.
Data privacy and financial institutions
Someone who signed up for an account in previous years may also have inadvertently given permission for the institution to share certain details with marketers. The U.S. Congress passed the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, placing restrictions on how this could be done. Federal agencies added further rules in later years, requiring banks and financial institutions to disclose in their privacy notices how customer information is shared with parties outside the company.
These laws were designed to prevent abuses of consumer financial information, but they haven’t been fully successful. For instance, Wells Fargo paid out $5.1 million to settle with the Securities and Exchange Commission (SEC) on charges that the organization “improperly pushed retail customers to actively trade complex investments in order to generate higher fees”. Although Wells Fargo admitted no wrongdoing, the company “has taken steps to address sales practices that occurred from January 2009 to June 2013”.
The emergence of GDPR
These issues aren’t just limited to U.S. financial institutions. Governments around the world found themselves inundated with cases of consumer information being stolen by hackers at different companies. The European Union, in particular, felt there needed to be more consequences for businesses failing to keep consumer data safe.
That determination brought about the General Data Protection Regulation (GDPR), which took effect on May 25, 2018. The regulation sets out the obligations of organizations that process the personal data of people in the EU, including the duty to keep that data secure.
The GDPR outlines:
- Requirements for consent provided by consumers
- Pseudonymizing or otherwise protecting collected data so that individuals cannot be readily identified
- Notifying of any breaches of consumer information
- Transferring data across different borders
- Requirements around appointing a data protection officer responsible for monitoring compliance
Lawmakers intend the GDPR to govern how institutions handle personal information from collection through deletion. It applies to the personal data of anyone in the EU, no matter where the business processing that data is located, so its impact has been felt well beyond the boundaries of EU member states.
Consumer rights under GDPR
The GDPR consists of 11 chapters and 99 articles. We’ve provided a few brief highlights of important points banks and financial institutions should be particularly aware of.
New rights for consumers – Consumers gain more control over automated processing of their data, including the right not to be subject to decisions based solely on automated processing that significantly affect them. The regulation also makes it easier for them to move their data between providers (data portability) and to have a company delete data it no longer has grounds to keep (erasure).
Data protection required from businesses – Businesses must implement appropriate technical and organizational measures to keep personal data secure, whether the risk is accidental exposure or deliberate attack.
Notification requirements – Rules now govern how businesses must report breaches of personal data. The supervisory authority must be notified within 72 hours of the business becoming aware of a breach, where feasible, with details of its nature, the categories and approximate numbers of people and records affected, and the measures taken in response. Affected individuals must also be told without undue delay when the breach is likely to result in a high risk to them.
New roles for data security – Companies subject to GDPR must appoint a data protection officer (DPO) to monitor compliance. The obligation is triggered by the scale and nature of the processing rather than by merely holding customer data: a DPO is mandatory for public authorities, for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, and for those that process special categories of personal data on a large scale. Banks and financial firms routinely hold data that brings them within scope or close to it, including:
- Where consumers live
- Physical characteristics
- Salary or other employment information
- Health Information
- Specifics about a client’s race or ethnicity
- Religious orientation
Handling Lawful Consent In A Post-GDPR World
GDPR applies to the personal data of individuals in the EU, whoever processes it and wherever the processing takes place. That means US banking and financial institutions holding any type of account for EU residents are subject to the same standards, regardless of their size. Consent is only one of the lawful bases GDPR recognizes (performance of a contract, a legal obligation and legitimate interests are others), so institutions need to be clear about which basis covers each activity and, where consent is the basis, obtain it explicitly for that activity.
It’s best to ask these types of questions when determining the need for consent:
- In what scope will we be using the information?
- Is legal consent required for a specific activity?
- Could you still perform an activity without consent?
- Would the client withdrawing consent affect the activity you’ve been using the information for?
- Is the consent needed to execute specific conditions of a contract?
The process of consent
Any requests for consent should be clearly understood by the consumer. The agreement should spell out any activities you will be using the information for. Consumers should also be made aware of their right to refuse consent and the effect it would have on the specific activity. The wording should not be overly technical and full of jargon that wouldn’t be understood by the consenting party. They have the right to see the following information in any agreement:
- The clear identity of who they’re giving the information to
- Why the data is needed
- What specific details they’re providing access to
- Any possibility of the data being accessed by a third party or sent across the borders of their current country
Institutions must be able to prove that they were granted consent to use a consumer’s information. That means keeping records of each consent granted: when, to what extent, and by what method. These records should be stored in a way that lets them be easily pulled and presented upon request by the person who granted consent or by any regulatory authority.
Consent records should contain:
- The name of the person granting consent
- A date specifying when consent was given
- Any documents or data forms containing information provided by the consenting party
GDPR doesn’t outline specific requirements for how long a consent is considered valid. It’s a good idea to refresh consent periodically, particularly when you make changes in your company’s data guidelines.
Any requests made by consumers to take back any permissions granted around their data should be handled quickly and efficiently. Companies should establish a clear process for withdrawing consent and documenting every step of the process.
Systems should be updated to reflect the customer’s request and immediately block further use of the data for the withdrawn purpose. Every step should be timestamped so the record shows that no protected information was used or passed on once the company no longer had clear consent to use it.
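The record-keeping and withdrawal flow described above, written out as an added Python example that is not part of the original guide. The class and field names, the purpose labels such as "marketing_email", and the customer data are assumptions constructed for the illustration. The registry is append-only, records consent per purpose together with the method, an evidence reference and the version of the wording shown, and refuses a data release once consent for that purpose has been withdrawn; passing a past timestamp lets an audit ask whether a given use was covered at the time it happened.

```python
"""Per-purpose consent registry with withdrawal and an enforcement gate.

Illustrative example; names, purposes and customer data are assumptions.
"""
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One grant or withdrawal. Events are never edited, only appended."""
    subject_id: str        # who granted (or withdrew) consent
    purpose: str           # one specific activity, e.g. "marketing_email"
    granted: bool          # True for a grant, False for a withdrawal
    timestamp: datetime    # when (timezone-aware, UTC)
    method: str            # how it was captured: "web_form", "signed_paper", ...
    evidence_ref: str      # reference to the form or document the subject saw
    notice_version: str    # version of the consent wording shown at the time


class ConsentRegistry:
    """Append-only consent log; consent is scoped to (subject, purpose)."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    @staticmethod
    def _at(at: Optional[datetime]) -> datetime:
        ts = at or datetime.now(timezone.utc)
        if ts.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        return ts

    def _latest(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        # Most recent event for this subject and purpose at or before `at`.
        hits = [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose and e.timestamp <= at]
        return max(hits, key=lambda e: e.timestamp, default=None)

    def grant(self, subject_id, purpose, method, evidence_ref, notice_version, at=None):
        ev = ConsentEvent(subject_id, purpose, True, self._at(at), method, evidence_ref, notice_version)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id, purpose, method, evidence_ref, at=None):
        ts = self._at(at)
        last = self._latest(subject_id, purpose, ts)
        ev = ConsentEvent(subject_id, purpose, False, ts, method, evidence_ref,
                          last.notice_version if last else "n/a")
        self._events.append(ev)
        return ev

    def is_permitted(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True only if the latest event at or before `at` is a grant."""
        last = self._latest(subject_id, purpose, self._at(at))
        return bool(last and last.granted)

    def needs_refresh(self, subject_id: str, purpose: str, current_notice_version: str) -> bool:
        """Consent captured under older wording should be asked for again."""
        last = self._latest(subject_id, purpose, self._at(None))
        return bool(last and last.granted and last.notice_version != current_notice_version)

    def records_for(self, subject_id: str) -> list[dict]:
        """Everything held about one subject, for a subject or regulator request."""
        return [asdict(e) | {"timestamp": e.timestamp.isoformat()}
                for e in self._events if e.subject_id == subject_id]


def share_with_partner(registry: ConsentRegistry, subject_id: str, purpose: str,
                       payload: dict, at: Optional[datetime] = None) -> dict:
    """Release data to a third party only while consent for that purpose stands."""
    if not registry.is_permitted(subject_id, purpose, at):
        raise PermissionError(f"no valid consent for {subject_id}/{purpose}")
    return {"shared": payload, "purpose": purpose}


def run_scenario() -> dict:
    """Constructed walk-through: grant, use, withdraw, then an attempted re-use."""
    reg = ConsentRegistry()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)
    t2 = datetime(2024, 3, 20, 9, 0, tzinfo=timezone.utc)
    reg.grant("cust-1001", "marketing_email", "web_form", "form-2024-03", "v2", at=t0)
    before = share_with_partner(reg, "cust-1001", "marketing_email",
                                {"email": "a@example.com"}, at=t1)
    refresh = reg.needs_refresh("cust-1001", "marketing_email", "v3")  # wording changed
    reg.withdraw("cust-1001", "marketing_email", "web_form", "withdraw-ticket-77", at=t2)
    try:
        share_with_partner(reg, "cust-1001", "marketing_email",
                           {"email": "a@example.com"}, at=t2 + timedelta(days=1))
        after = "shared"
    except PermissionError:
        after = "blocked"
    return {
        "shared_before_withdrawal": before["shared"]["email"],
        "needs_refresh_v3": refresh,
        "after_withdrawal": after,
        "lawful_at_t1": reg.is_permitted("cust-1001", "marketing_email", at=t1),
        "permitted_for_other_purpose": reg.is_permitted("cust-1001", "fraud_monitoring", at=t1),
        "record_count": len(reg.records_for("cust-1001")),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two design points matter here. Consent is keyed on the purpose, not the customer, so a grant for marketing says nothing about any other activity, and the withdrawal is itself an appended event rather than a deletion, which is what lets the registry both block new uses and later prove that an earlier release was covered when it happened.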
Legislation within the United States
The efforts taken by European governing bodies to protect consumer information have spurred similar efforts in the U.S. In California, for instance, privacy advocates pushed to put a ballot measure before voters in the 2018 midterms, intended to force businesses to disclose fully how they use the information they collect.
Since selling customer data has become such a prime revenue opportunity for so many companies, there’s been pushback on these efforts from many different industries. It was fought by titans like Microsoft and Amazon, who contributed to political campaigns working to defeat the measure.
Facing continued pressure from their constituents, the California legislature put its own standards in place. The California Consumer Privacy Act of 2018 contains many of the provisions asked for in the ballot measure. The CCPA took effect on January 1, 2020. In February 2020, the California Attorney General issued modified regulations revising the draft regulations proposed in 2019, but there were no major changes.
That means banking and financial institutions operating in California must comply with a standard similar to GDPR for California residents. Like GDPR, it gives consumers the right to know what a company collects and does with their personal information, to opt out of its sale, and to request its deletion. This gives consumers more control over their data and could have a huge impact on the digital advertising efforts of banks and firms.
As of March 2018, all 50 U.S. states have their own data breach notification laws, as do the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands. Some states simply added rules around notifying consumers about breaches. Others, like Vermont, seek to regulate those involved in selling any type of customer data. There’s currently no overarching federal law addressing data privacy in full. At most, there’s a patchwork of legislation targeted at specific sectors, which complicates matters for financial institutions that conduct business across multiple states, and especially those that operate nationwide.
That may be ready to change as current administration officials recently began discussions on implementing a national framework designed to address data privacy. U.S. lawmakers also seek to advance legislation to deal with issues surrounding how companies manage and often profit from consumer data.
Protecting The Data Privacy Of Consumers
Data security and data privacy often go hand-in-hand. Without proper security protocols in place, it’s impossible for organizations to guard against threats from outside and within. Banks and financial institutions need to make sure they’re implementing smart policies designed to educate and train employees on common standards when it comes to data privacy, including:
- Not opening or responding to suspicious emails
- Testing websites and web applications for exploitable vulnerabilities before attackers find them
- Maintaining firewalls around any networks used for transporting data
- Securing data stores within the organization
- Monitoring any personal devices used by employees to access company systems
- Encrypting data sent over any public network
- Restricting access to sensitive data to the employees who need it for their role
Hackers have become more sophisticated about different methods used to gain access to information. That’s why it’s up to companies to not rely on outdated software or other archaic practices when handling customer data, and instead focus on following current best practices and leveraging the latest security techniques. Using unsecured networks for passing financial transactions should be considered unacceptable at any banking or financial institution.
It’s a good idea for banks to perform periodic audits of their security practices and how well they’re being enforced. Any shortcomings should be addressed immediately through educational reinforcement and possible punitive actions for more serious oversight lapses.
Preparing for changing standards
Banking and financial institutions need to remain diligent about tracking how laws affect their business operations in different states. They should also remain aware of the progression being made by proposed legislation at all levels of government. Failing to make policy and technological adjustments for these changes could result in huge fines, a loss of public trust, and other punishments as laid out in different laws.
The information provided in this guide should inform banks and financial institutions on the direction they should be taking with data protection and establishing clear consent guidelines. Permission given today doesn’t necessarily mean that customers agree with how your institution might end up using that data. Failing to provide adequate protection against different threats also subjects you to penalties under laws protecting residents of other countries who do business with you.