In the current furore about the collection of personal data by Facebook, the financial services sector must be breathing a sigh of relief. It’s only a decade since banks and other financial institutions were on the receiving end of the full force of public outrage, but in the Cambridge Analytica storm they have managed to keep largely out of the spotlight. This is in spite of holding a wealth of information about consumers – from spending habits to domestic details – that is of immense potential value in today’s commercial world.
This is partly because the financial services sector has been slower than some of its counterparts in other sectors, such as retail, to exploit customer data to the maximum for sales and marketing purposes. It is also due to the fact that of all areas of business, the financial sector is now among the most heavily regulated. A vast range of enhanced rules, laws and guidelines apply to the sector, some triggered by the financial crisis and others based on newer challenges such as cyber threats and Brexit.
From the recently revised Markets in Financial Instruments Directive (MiFID II) and the new Packaged Retail and Insurance-based Investment Products (PRIIPs) regulation to the Insurance Distribution Directive (IDD) that applies from this year, financial services companies have a lot to deal with.
The concerns raised by the Facebook revelations will only intensify this pressure. Privacy watchdogs on both sides of the Atlantic need to be seen to be doing everything they can to enforce data protection regulations as public anxiety about the safety of personal data increases, so organisations in the financial services sector will have to toe the line carefully.
In its Financial Markets Regulatory Outlook 2018, global consultancy Deloitte warns of the likely scrutiny by regulators of the financial services sector’s approach to personal data in particular. This raises some interesting challenges for compliance managers because some of the directives and regulations appear to impose conflicting requirements on the sector.
Regulation, regulation, regulation
One example is the revised Payment Services Directive (PSD2), often referred to in the UK as "Open Banking", which came into force earlier this year. Designed to open up the market to the new breed of young fintech companies, PSD2 requires banks to give licensed third-party providers access to a customer's account data, with that customer's explicit consent, through a set of open Application Programming Interfaces (APIs). At the same time, the EU General Data Protection Regulation (GDPR) insists that a company remains accountable for the security and privacy of customer data whether it holds that data itself or passes it to a third party for processing. Satisfying both at once, opening the data up while still answering for what happens to it, is going to be a challenge.
Another conflict for financial services companies comes when trying to balance the Financial Conduct Authority's Conduct of Business requirements for call recording (COBS 11.8) against the Payment Card Industry Data Security Standard (PCI DSS). COBS 11.8 requires relevant telephone conversations with customers about financial products to be recorded in full, and a complete recording is essential if a conversation with a customer is to be used as court evidence in the event of a dispute.
The PCI DSS, which governs the handling of credit and debit card data, forbids storing sensitive authentication data such as the three-digit security code on the back of the card once a payment has been authorised, and requires the long number on the front (the primary account number) to be rendered unreadable wherever it is stored. A voice recording on which a customer reads out those numbers fails both tests, so the recording itself becomes cardholder data that must be protected. This poses a problem for companies such as insurers, building societies or banks which take payments or account details over the phone. Until recently, the only way to keep the card numbers out of the recording was to pause it while they were spoken, rendering it incomplete.
Get with the right tech
The answer to both of these problems – and to many of the other regulatory challenges facing the financial services sector – lies in technology. To comply with PSD2, banks and their new-found fintech partners are building APIs that encrypt traffic in transit, authenticate the third party that is calling them and tie each request to the customer's consent. They are also keeping logging and data-lineage records so that it is clear which party holds, and is accountable for, each piece of customer information at any one time.
For the PCI DSS question, DTMF masking technology now lets customers type their card numbers and other financial details on the telephone keypad: the keypad tones are intercepted before they reach the agent or the recorder and replaced with a flat tone, so the digits never enter the recording and the call can be recorded in its entirety.
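To show what "masking the keypad tone" means in practice, here is a small added example (not the article's code and not Semafone's product) in Python. It synthesises a keypad entry as DTMF audio, detects each digit with the Goertzel algorithm on short analysis frames, and hands back two things: the audio the agent and the recorder would receive, with every detected tone and a guard frame either side replaced by a flat tone, and the digits themselves as the out-of-band channel to the payment system would carry them. The 8 kHz sample rate, the tone timings, the 400 Hz replacement tone and the amplitude threshold are assumptions; all audio is constructed in-process, so nothing here touches a real call or a real card number.

```python
"""Toy DTMF detect-and-mask for a recorded call, 8 kHz mono audio.

Added example, not the article's code and not Semafone's product. The
digits, tone timings and the 400 Hz 'flat' replacement tone are assumptions;
all audio is synthesised in-process, so nothing here touches a real call.
"""
import math

SAMPLE_RATE = 8000                 # Hz, standard narrowband telephony
FRAME = 205                        # samples per analysis block (25.6 ms), the usual DTMF Goertzel size
LOW = (697.0, 770.0, 852.0, 941.0)         # DTMF low-group frequencies (keypad rows)
HIGH = (1209.0, 1336.0, 1477.0, 1633.0)    # DTMF high-group frequencies (keypad columns)
KEYPAD = ("123A", "456B", "789C", "*0#D")  # KEYPAD[row][column]
MIN_AMPLITUDE = 0.05               # each tone must reach this amplitude (full scale 1.0) to count
GUARD_FRAMES = 1                   # also mask this many frames either side of a detected tone
MASK_TONE_HZ = 400.0               # assumed replacement tone, far from every DTMF frequency
MASK_TONE_AMPLITUDE = 0.3


def synth_dtmf(digits, tone_ms=100, gap_ms=100, amplitude=0.5):
    """Constructed input: each key as a two-tone burst followed by silence."""
    tone_n = SAMPLE_RATE * tone_ms // 1000
    gap_n = SAMPLE_RATE * gap_ms // 1000
    out = []
    for d in digits:
        row = next((r for r, keys in enumerate(KEYPAD) if d in keys), None)
        if row is None:
            raise ValueError("not a DTMF symbol: %r" % d)
        fl, fh = LOW[row], HIGH[KEYPAD[row].index(d)]
        for i in range(tone_n):
            t = i / SAMPLE_RATE
            out.append(amplitude * (math.sin(2 * math.pi * fl * t) + math.sin(2 * math.pi * fh * t)))
        out.extend([0.0] * gap_n)
    return out


def goertzel_amplitude(frame, freq):
    """Amplitude of a sinusoid at `freq` within `frame`, via the Goertzel algorithm."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X(freq)|^2 for this block
    return 2.0 * math.sqrt(max(power, 0.0)) / len(frame)


def detect_digit(frame):
    """The DTMF symbol present in `frame`, or None if no valid tone pair is found."""
    low = [goertzel_amplitude(frame, f) for f in LOW]
    high = [goertzel_amplitude(frame, f) for f in HIGH]
    r = max(range(4), key=low.__getitem__)
    c = max(range(4), key=high.__getitem__)
    if low[r] < MIN_AMPLITUDE or high[c] < MIN_AMPLITUDE:
        return None
    return KEYPAD[r][c]


def mask_dtmf(samples):
    """Return (masked_audio, digits).

    masked_audio is what goes on to the agent and the recorder: every frame in
    which a key was detected, plus the guard frames around it, is replaced by
    the flat tone. digits is the key sequence, returned separately as the
    out-of-band channel to the payment system would carry it.
    """
    n_frames = (len(samples) + FRAME - 1) // FRAME
    per_frame = [detect_digit(samples[i * FRAME:(i + 1) * FRAME]) for i in range(n_frames)]

    digits, prev = [], None
    for d in per_frame:                 # collapse consecutive frames of one key press
        if d is not None and d != prev:
            digits.append(d)
        prev = d

    masked = list(samples)
    for i, d in enumerate(per_frame):
        if d is None:
            continue
        lo = max(0, i - GUARD_FRAMES) * FRAME
        hi = min(len(samples), (i + GUARD_FRAMES + 1) * FRAME)
        for n in range(lo, hi):
            masked[n] = MASK_TONE_AMPLITUDE * math.sin(2 * math.pi * MASK_TONE_HZ * n / SAMPLE_RATE)
    return masked, "".join(digits)


if __name__ == "__main__":
    call = synth_dtmf("1234")        # constructed keypad entry, not a card number
    recording, entered = mask_dtmf(call)
    print("digits sent out of band:", entered)
    print("digits recoverable from recording:", repr(mask_dtmf(recording)[1]))
```

The check that matters for compliance is the last line of the usage: running the detector over the masked audio recovers nothing, so the recording can be kept whole without becoming cardholder data. The guard frames are there because a tone that straddles a frame boundary may be too short in one frame to trigger detection; a real product does this in the telephony path, before the audio ever reaches the agent's headset or the recorder, and sends the digits straight to the payment provider.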
Such is the scale of the regulation challenge that a whole new “reg tech” industry is springing up to help the financial services sector deal with it. Technologies from blockchain to AI are being applied to find new ways of reporting on procedures, tracking information and keeping the regulators happy. When it comes to the protection of sensitive customer information, however, there is no panacea.
As long as the data exists within an organisation, it can be stolen and it is subject to every regulatory process that covers it. In financial services in particular, the best policy is the GDPR's data minimisation principle, delivered through "data protection by design and by default".
Hold as little sensitive data as possible, for as short a time as possible, and keep what you must hold out of every system that does not need it. Data you never capture cannot be hacked, and every system that never touches it drops out of your compliance scope. It's a simple policy but one that will protect your data, your customers, and ultimately your own reputation.
Sourced by Tim Critchley, CEO at Semafone