BANKING ON PRIVACY: HOW THE NEW EU GDPR RULES WILL CHALLENGE GLOBAL BANKING


WHITE PAPER

On December 15, 2015, the European Parliament, European Council and European Commission agreed to new consumer EU data protection principles. Called the General Data Protection Regulation (GDPR), it will require full EU member-state implementation by May 25, 2018. [i] GDPR's goal is to harmonise data protection regulations across the Continent, while at the same time reinforcing EU citizens' rights in the digital age. The European Commission believes streamlining these rules across the EU could save businesses about €2.3 billion a year by reducing fragmentation and costly administrative burdens. [ii] This carrot, however, comes with a heavy stick: proposed fines for non-compliance could be as much as 4 percent of annual turnover or €20 million, whichever is greater. The Payment Card Industry Security Standards Council (PCI SSC), a coalition of credit card issuers including American Express, MasterCard and Visa, estimates that fines against UK firms alone could rise from £1.4 billion in 2015 to £122 billion in [year missing from source]. [iii]

GDPR will affect all companies that deal with the personal data of EU citizens, not just financial institutions (FIs) with European operations. For international FIs, GDPR is more than just a compliance requirement. It will fundamentally change key business processes in marketing and customer relationships and conflict with proposed regulatory requirements in other jurisdictions. As such, the legislation will challenge bank systems and processes, present new reputational risk issues and potentially undermine profitability and growth strategies.

Six Key Changes

GDPR will bring far-reaching changes to how personal data is stored and used. The following sections highlight how GDPR will affect FIs.

1. A broader definition of personal data

GDPR expands the definition of personal data to include any information that could be used to identify an individual. The regulation will require that any personal data held be documented, including where it came from and with whom it is shared. Organisations that possess inaccurate personal data and have shared it with others will be required to see that those recipients rectify the errors too. This means FIs must know exactly what personal data is held, where it came from and with which companies or organisations that data was shared. Measures also must be taken to reduce the amount of personally identifiable information stored and to ensure that information is not stored for longer than necessary.

2. Consent: from opt-out to opt-in

Under GDPR, explicit consent will be required to justify the use of personal data. Financial institutions that have relied on opt-out rules will need to obtain clear and unambiguous consent from customers to use their information. General contractual terms will not be sufficient as proof of consent. This rule may play havoc with banks' cross-selling efforts.

Will GDPR cross out your cross-selling?

Cross-selling products and services to existing customers is a vital part of FIs' strategy to increase revenues with little or no increase in marginal cost. If a customer has a savings account, why not sell him a mortgage, wealth-management services and credit cards as well? Beginning in 2018, GDPR will make cross-selling more difficult. A 2013 report from Deloitte studied the proposed impact of the GDPR, and its findings on cross-selling were not encouraging. [iv] The report indicated that GDPR could lead to a major reduction in the targeting power of European businesses, governments and NGOs in their direct marketing activities. Relying on its consumer survey results, Deloitte noted a marked consumer aversion to sharing personal data when asked to do so. This indicates that institutions must look to implement a more strategic, customer-centric approach to encourage consent to direct marketing.

[Figure 40: How consumers react when firms ask if they are willing to be contacted about future products and promotions. Bar chart (0% to 50%) by country: UK, France, Germany. Response categories: Don't pay attention; I like to be contacted; I normally agree; I never agree; None of these; Don't know; Not applicable. Source: Deloitte Consumer Survey]

3. The right to be forgotten

GDPR (Article 17) provides for the right to be forgotten, or for erasure of a consumer's record on request. It also requires that companies holding the data inform other data processors with which it has been shared that the subject has requested erasure of that personal data. Article 17 further integrates the right to have the processing of private data restricted in certain cases. The requirements of Article 17 appear to contradict other compliance-related legislation, such as AML provisions. Which legislation takes primacy is not clear, and organisations will need to evaluate these contradictions carefully as part of their GDPR compliance programme.

Know less/more about your customer

Financial institutions have long recognised the importance of knowing your customer. From May 11, 2018, banks will be required to know a lot more. On May 5, 2016, the US Financial Crimes Enforcement Network (FinCEN) Final Rule [v] codified four anti-money laundering (AML) provisions, or pillars, found in Section 352 of the USA Patriot Act. FinCEN added a fifth pillar, requiring covered institutions to:

- Identify and verify the identity of the beneficial or true owner(s) of an account by determining who directly or indirectly owns 25 percent or more of the equity interests of the legal entity customer; or
- Determine which individuals control, manage or direct a legal entity customer, including an executive officer or senior manager, or any other individual who regularly performs similar functions.

To obtain this level of information, FIs will need to ask far more intrusive client questions and be willing to share this information with potential competitors, seemingly in direct contradiction to the goals set out in GDPR.

Forget credit history, too?

It's also unclear whether the right to be forgotten will infringe on the ability of FIs to collect, gather and report credit information to credit bureaus and other agencies. The Deloitte study suggested that, given the opportunity to do so, consumers would request erasure of any negative credit history. [vi]

[Figure 16: Consumers who report that they would cancel their credit history. Two panels, each a bar chart (0% to 70%) by country (UK, France, Germany) with categories Very likely, Fairly likely, Fairly unlikely, Very unlikely, Don't know. (a) Consumers who have previously had a loan or credit card application rejected. (b) Consumers who have no problems obtaining a loan or credit card agreement. Source: Deloitte Consumer Survey]

If FIs are no longer able to rely on credit information, they will lose the ability to distinguish between those who can afford to make loan repayments and those who cannot.

4. The right to object/the right to data portability

Article 20 creates a right of data "portability": the ability for consumers to transfer their data from one electronic data processing system to another. Article 21 grants consumers the right to learn about and object to how their data is used and stored. FIs will have 30 days to comply with such requests and will not be able to charge for responding to such enquiries. If a request is refused, policies and procedures will need to be in place to demonstrate why the request meets the refusal criteria. Additional information, such as data retention periods, will also need to be provided to people making requests, and consumers will enjoy the right to have inaccurate data corrected. As such, GDPR will change the information flow dynamics. Consumers will be able to limit access to their information while gaining a cost-free right to obtain, or transfer, information about themselves at any time. This shift may generate extensive and ongoing access requests, which will have considerable logistical implications.

5. Data breach notification

Articles 31–33 will require FIs to notify the appropriate supervisory authority of a personal data breach within 72 hours at the latest if it results in consumer risk. Accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data would be considered a breach. The duty to notify customers immediately may conflict with an FI's obligation to manage reputational risk. In 2014, an FBI official told the Financial Services Roundtable that more than 500 million records had been stolen from FIs over the prior 12 months. [vii] In 2015, S&P issued a report suggesting that banks with weak cybersecurity controls could be downgraded even if they had not been hacked. The rating agency said it would consider doing so if it determined an FI was ill-prepared to withstand a data breach, or if a breach caused reputational harm or resulted in losses that hurt profit. [viii]

6. Appointment of a data protection officer

Under GDPR, FIs will be required to appoint an independent Data Protection Officer (DPO). This individual will be under a legal obligation to notify a Supervisory Authority without delay regarding any breach. The DPO is similar to a Compliance Officer, yet they serve different roles. The DPO is expected to be proficient at managing IT processes and data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data. The skill set required stretches beyond understanding legal compliance with data protection laws and regulations. The appointment of a DPO within a large organisation will be a challenge, both for the Board of Directors and for the individual given the position. Given the scope and nature of the appointment, there will be a myriad of governance and human factor issues that organisations and companies will need to address. For example, the DPO is expected to perform as a mini-regulator, acting independently of the organisation. Yet the DPO will need to hire and support an internal team and be responsible for the team's continuing professional development.

Addressing the Recordkeeping Burden

The concept of accountability is at the heart of the new GDPR rules. All personal data held will need to be documented, easily accessible, and include how and where the information came from and whether it was shared and with whom. Measures will need to be taken to reduce the amount of personally identifiable information stored and to ensure that the information is not stored for longer than necessary. A recent study by the International Association of Privacy Professionals (IAPP) revealed that the vast majority of respondents (66 percent) rely upon manual or informal processes that might include email, spreadsheets and other bootstrapping means. [ix] More than half of those surveyed said they use manual processes to conduct 5,000 or more surveys each year. If this were not complicated enough, most FI customer data is stored in multiple siloed systems with differing levels of quality. This data often sits on different bank platforms, a result of numerous bank mergers and acquisitions. Behind the scenes, FIs are struggling to keep up with their existing data requirements. This is especially true when it comes to privacy assessments.

What tools do you use to perform data inventory and mapping (select all that apply)? Results are given as Overall / <5,000 / >5,000:

- We do it manually/informally with email, spreadsheets, and in-person communication: 62% / 70% / 53%
- We use a system developed internally: 36% / 30% / 43%
- We use governance, risk management and compliance (GRC) software that we customise for our inventory/mapping purposes: 12% / 9% / 16%
- We use a commercial software tool designed specifically for data inventory/mapping: 10% / 9% / 12%
- We outsource our data inventory/mapping to external consultants/law firms: 8% / 9% / 6%
- Don't know: 2% / 2% / 2%

GDPR represents a fundamental reshaping of data protection legislation, giving consumers more rights and placing an increased onus on businesses to secure private data. With less than 15 months to comply, FIs need to rethink how they manage, store and share customer data. Most fundamentally, the law enshrines requirements for consumers to give clear consent over how their data is used, as well as empowering them with new rights over that data. For compliance purposes, this approach demands that businesses capture consent in an auditable flow, using a flexible and secure platform to manage data securely. The good news is that digital rights management technology already exists which can enable businesses to evolve to this new data protection paradigm. The challenge is time. May 2018 will be here before we know it, and businesses now know they absolutely must be GDPR-compliant by that date. Consumer trust in data privacy will become essential to business success. Financial institutions must embrace the idea of informed consent and be willing to work with customers in new data partnerships. This means implementing a customer-driven approach to information sharing where the consumer is empowered to share and rescind both their consent and their data.

[i] European Commission. Reform of EU data protection rules. (URL truncated in source: …reform/index_en.htm)
[ii] Ibid.
[iii] Varmazis, Maria. "PCI warns new EU data protection regulation could result in £122 billion in fines", Naked Security.
[iv] Deloitte. Economic impact assessment of the proposed European General Data Protection Regulation, final report.
[v] Federal Register, Vol. 81, No. 47, Thursday, March 10, 2016, Proposed Rules; Wednesday, May 11.
[vi] Deloitte, final report (see [iv]).
[vii] Howarth, Fran. "The damage of a security breach: financial institutions face monetary, reputational losses", Security Intelligence, April 30. (URL truncated in source: …gence.com/author/fran-howarth/)
[viii] S&P Global Market Intelligence. "How ready are banks for the rapidly rising threat of cyberattack?", September 28.
[ix] IAPP-TRUSTe. Preparing for the GDPR: DPOs, PIAs, and data mapping. More than 240 privacy professionals were asked about their organizations' progress toward GDPR compliance.

About FIS

FIS is a global leader in financial services technology, with a focus on retail and institutional banking, payments, asset and wealth management, risk and compliance, consulting and outsourcing solutions. Through the depth and breadth of our solutions portfolio, global capabilities and domain expertise, FIS serves more than 20,000 clients in over 130 countries. Headquartered in Jacksonville, Florida, FIS employs more than 53,000 people worldwide and holds leadership positions in payment processing, financial software and banking solutions. Providing software, services and outsourcing of the technology that empowers the financial world, FIS is a Fortune 500 company and is a member of the Standard & Poor's 500 Index. For more information about FIS, visit

Contact us: If you would like more information about GDPR and the solutions that FIS provides, please contact bonita.osgood@fisglobal.com. Telephone: +44.(0)

twitter.com/fisglobal | twitter.com/fisemea | getinfo@fisglobal.com | linkedin.com/company/fisglobal

©2017 FIS. FIS and the FIS logo are trademarks or registered trademarks of FIS or its subsidiaries in the U.S. and/or other countries. Other parties' marks are the property of their respective owners.