Lessons on privacy, data protection and trust in financial services

12.06.2019 Paul Kallenbach, Susan Kantor
Financial institutions are faced with a number of regulatory, social and ethical considerations and challenges in approaching the protection of their customers' data. The right approach isn't always easy to determine.

Key takeouts

  • Amidst changing community expectations in the wake of the Financial Services Royal Commission, managing privacy compliance has become ever more challenging.
  • Conversations around privacy, data and trust are becoming more embedded within business-as-usual operations for banks, insurers and other financial institutions.
  • Maintaining a steadfast focus on the protection of customers' privacy is a non-negotiable for the financial services industry if they are to maintain consumer trust.

In an environment of changing community expectations, and in the wake of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (the Financial Services Royal Commission), financial institutions are faced with a number of regulatory, social and ethical considerations and challenges in approaching the protection of their customers' data. The right approach isn't always easy to determine.

During Privacy Awareness Week in May 2019, MinterEllison hosted a roundtable lunch with 16 senior privacy specialists in the financial services sector to consider some of the challenges and opportunities facing this industry.

With the imminent introduction of the Consumer Data Right (Open Banking) framework, the Notifiable Data Breach scheme in full swing, Europe's GDPR introducing new requirements for many Australian organisations, and artificial intelligence and other emerging technologies providing new opportunities but creating new risks, managing privacy compliance has become ever more challenging.

Against this background, a key issue for financial services organisations is to ensure that they consistently place the interests of customers at the heart of their approach to privacy, data security and data management.

Some of the key themes that emerged from our event are discussed below.

The right conversations need to happen at the right time

For privacy considerations to be properly factored into business decisions (for example, whether a new product should be introduced), conversations around privacy need to occur at the inception of the product development process. Participants at our roundtable indicated that conversations around privacy, data and trust are becoming more embedded within business-as-usual operations, and increasingly include data scientists. 

 

The Financial Services Royal Commission highlighted the need to ask 'should we' not just 'can we'.

 

These conversations can be challenging, as when it comes to considering the ethics of data use, there isn't always one right answer – there can be a range of legitimate views around what is (and isn't) ethical. However, these conversations are essential in building the culture of trust necessary to place the interests of consumers first when it comes to their data. Privacy Impact Assessments can be a useful tool for stimulating these discussions within organisations.

Privacy is not something we can 'set and forget'

Technology and regulation change all the time, but it is technology that is the more dynamic. This means that privacy settings for products approved in the past may become invalid or outdated as new technologies emerge (for example, the ability to quickly re-identify individuals using data analytics). Participants at our roundtable recommended regularly reviewing products that are already approved, and considering not just current concerns in the approval process, but anticipated future needs.

 

Organisations should start understanding and questioning what is in place and what should be in place.

 

In practice, this means organisations need to conduct more regular product reviews to address not just regulatory change, but developments in technology that could impact data privacy.

Align your values with third party suppliers

Third party suppliers can present an additional layer of risk when it comes to privacy compliance. When looking to work with third party suppliers, participants commented that privacy protection is about more than being confident in suppliers' systems or having robust contracts in place – rather, it's important that organisations share similar values and a consistent mindset and operational approach to privacy.

Participants considered: 'Do we genuinely want to deal with parties that handle data differently from us?'

This may result in difficult conversations with third parties, but will contribute to a superior privacy and data protection outcome in the long term.

An overarching privacy policy should accommodate multiple jurisdictions

Many financial institutions are required to comply with differing privacy regulations across multiple jurisdictions. For example, many Australian financial services organisations are required to comply with the GDPR, which, in general, imposes obligations that are more onerous than Australia's Privacy Act 1988 (Cth).

This also means that a product that has been approved as being compliant with privacy laws in one jurisdiction will not automatically pass muster in others.

Participants recommended organisations develop an overarching privacy policy that will suit all countries in which the organisation conducts business, and then address the nuances in each jurisdiction on a localised basis.

Keeping customers informed is a challenge

Participants questioned whether consumers have a thorough understanding of how companies are using their data, despite having provided consent. They wondered how people can properly exercise their rights if they don't fully understand them.

This is particularly relevant in the context of the imminent Consumer Data Right (CDR) regime in Australia. A key finding from Data61's research into the Consumer Data Standards that will support the CDR is that education is critical. If the community doesn't understand privacy policies, or the implications of the outsourcing of services to third parties that may be located overseas, the community can become disengaged. The financial services industry must therefore find creative and relevant ways of making privacy policies more appealing and accessible to consumers.

 

Being transparent means being prepared to give customers control.

Participants highlighted that a key aspect of educating customers is to explain why it is valuable for organisations to collect and retain data. They warned that, should organisations fail to properly explain this, customers may choose to opt out, with consequent impacts on key aspects of the business, including future product development and customer service innovation.

Emphasising the role of choice and trust

Participants observed the different data usage patterns in the younger generation of consumers, who seem less likely to express concern about privacy issues raised by the use of technology. They considered that this might reflect a greater inherent trust in technology, though they expressed concern that this trust may be blind, in that it may not reflect a full understanding of the way in which data is being used and the potential consequences of its compromise.

Due to the relative uniformity in how financial services institutions use data, participants indicated that there were limits to the choices consumers are able to make. This places additional pressure on financial institutions to ensure that their privacy protections are comprehensive. Participants also observed that the Financial Services Royal Commission has contributed a framework and language in which to consider and discuss these issues.

The artificial intelligence revolution: what can machine learning offer consumers?

Artificial intelligence (AI) can enhance outcomes for customers, but the technology and outputs can also be manipulated. Participants emphasised the importance of organisations remembering their social licence to operate when considering how they collect and process data.

Participants discussed some of AI's positive uses in financial services. For example, they raised the use of AI in India, where banks are employing it to assist consumers to apply for and obtain bank loans, allowing consumers to access finance where they otherwise might not be able to.

The Financial Services Royal Commission emphasised the importance of the human element in helping people make decisions. How does this come into play when consumers are interacting with technology? Participants discussed the potential risks of technology delivering data that tells an incorrect or misleading story; for example, through social media. They emphasised the importance of data quality, and ensuring data and processes are tested thoroughly to retain the personal, human element in decision making.

Final word – gaining and maintaining consumer trust

Maintaining a steadfast focus on the protection of customers' privacy is a non-negotiable for the financial services industry if they are to maintain consumer trust. However, there simply isn't a 'one size fits all' approach to privacy and data protection that can address all of the challenges and opportunities faced by financial services organisations in an environment of significant regulatory change, heightened cyber risk and rapid technological progress.

What was evident from our roundtable is that the financial services industry is employing learnings from the Financial Services Royal Commission to ensure that customers are placed at the centre of organisations' approach to privacy, data protection and data management.
