What Banks Have in Common with Game of Thrones

If the banking industry was Game of Thrones, “Regulation Is Coming” would likely be the mantra to strike fear in leaders as does “Winter Is Coming” in the seven kingdoms.

Data privacy and security have been front and center for the last several years, but 2018 was a tipping point for consumers. Following the Facebook and Cambridge Analytica debacle and well over one billion compromised accounts, consumers are now demanding power over their data and the businesses that control it.

To combat the growing unease, the European Union implemented the General Data Protection Regulation (GDPR), which gives people control over their personal data. While the law is focused on the EU, it also addresses the exporting of personal data — including from the United States.

Similar to most companies in the U.S., banks and other financial institutions are taking a “wait and see” approach in regards to potential legislation that would impact data mining, sharing and operations. However, for banks that want to create a competitive advantage, now is the time to act.

Why now?

Last year, the California Consumer Privacy Act (CCPA) was signed into law and is currently the strictest consumer data protection law in the U.S. This law, which has been widely criticized by pro-business groups, does not give consumers complete ownership of their data like GDPR, but it does allow individuals to sue a company if their personal information is released as a result of a data breach.

In response, companies like Amazon, Apple, Google and others are now pushing for federal digital privacy legislation in 2019. They are leading the charge by business nationwide, but if GDPR and CCPA are any indication, legislation is coming, and it will favor consumers — who often appear to be the only victims in data privacy issues.

Regulation is inevitable because consumers are more educated than ever about data privacy, and they are starting to expect to be made more aware about how their data is being used by the companies with which they do business.

A study released last year found that only 8% of consumers strongly agree they trust businesses to keep their personal information secure. In addition, 79% of consumers reported they would stop doing business with a company that misuses their data — so the stakes are high.

Meanwhile, 93% of executives indicated their company has experienced a breach in the past three years. And even more relevant for banks — only 8% of executives said their company is effective at preparing for upcoming regulations. This must change…and quickly.

The Issue for Banks

As consumers and regulation move banks from data protection to data privacy as a mandatory minimum, banks have a significant challenge ahead. Not only are financial institutions one of the most targeted industries for cybercriminals, but naturally, banks often *need* personal information in order to provide valued services, such as opening a credit card, taking out a mortgage or securing a small business loan.

As regulation is introduced and implemented, banks will need to demonstrate value to *earn* consumer information. If a bank can explain why they need the requested data, as well as what they will do with the information, consumers will be more willing to comply.

Future regulation is likely to explain a consumer’s rights and require banks to identify how the data sharing could negatively impact them. This will likely lead to consumers having the ability to say “you can only use this information for the mortgage and nothing else.”

Of course, this will create a large operational impact on banks. Even if they are able to service a mortgage, they will not be able to share the data for credit card applications and other bank services. In addition, they might not be able to share any data with affiliates, which means they won’t collect revenue from the local home goods store who wants to send a flyer to the new homeowner. This will create an initial loss of revenue for banks. They may not even be able to share data with credit bureaus, which has the potential to disrupt how consumer credit is assessed.

Time will tell what future regulation in the U.S. will look like, but banks must begin to prepare — not only to avoid enforcement penalties — but also to gain a competitive advantage that will help make up for potential lost revenue streams.

A Competitive Advantage

Once new legislation is passed, the results will undoubtedly cost banks millions of dollars to change their operations, platforms, marketing strategies and outreach. This will be a significant operational cost that leadership must prepare for, but more importantly, banks will need to replace revenue streams that are no longer viable given the inevitable data privacy restrictions.

However, banks would be wise to view pending legislation as an opportunity rather than a hurdle. Proactive preparation will not only publicly indicate to consumers you are respecting their privacy, but it will establish you has a leader in the area, which will be valuable over the long-term as other companies and competitors fall victim to continued attacks and improper data management.

The minimum banks can do to prepare now is at the very least take an assessment of your current policies and processes, including relationships with external vendors. In order to make a change, banks themselves need to have a better understanding on how their data is collected, managed and shared. This is a basic vulnerability test that will be useful as you being to prepare for operational change.

The true industry leaders will develop their strategy and make the necessary plans to execute prior to regulation, but unfortunately, most banks will make the bare minimum changes to meet whatever standards are passed. Do this at your own peril.

Remember, “Regulation Is Coming,” and banks must act now to protect their data, their consumers, their market position and their reputation. Blockchain and its immutable ledger may make this all moot one day, but for banks, it is best to prepare for winter.

Edmund Tribue, Risk & Compliance Practice Lead, NTT DATA Services & Michael Goodman, VP, Data & Analytics and Technology Advisory Practice Lead, NTT DATA Services