Putting consumer in data-access control

A New York TV station used to preface its late news with, “It’s 10 P.M. Do you know where your children are?” Today, the question could be “Do you know where your financial data are? And who’s accessing your information?”

Control of personal data, especially financial data, is something Americans tend to be paranoid about in the abstract, and often quite careless, or at least, carefree, about in reality.

“All of us are consumers before we are professionals in what we do,” says Celent’s Zilvinas Bareisis, a senior analyst based in London who specializes in consumer issues. Bareisis, in an interview with Banking Exchange, admits that his own personal payment information is stored in systems or apps connected to Netflix, Uber, PayPal, and more, and that’s only the places that he remembers, because he uses them frequently.

“Sometimes we don’t even know what we are signing away,” Bareisis says. How often do we scroll to the bottom of an online disclosure and click “I agree” without reading so much as a word above that?

There’s a good deal of willy-nilly about the way consumers treat their information, Bareisis says. But he thinks this can be improved—perhaps even to competitive advantage—by banks taking the lead in establishing “consent and control centers” through which consumers can essentially use a dashboard approach, via app or otherwise, to monitor, control, and adjust use of their information.

Some of this already exists where banks give consumers the ability to control their card accounts, choosing when to shut off debit card functionality, for example.

“We often hear that data is ‘the new oil’ and ‘the lifeblood of the digital economy’,” writes Bareisis in a recent report, Consent For Data Usage And Sharing: A Crucial Bank Asset Going Forward, “and yet we do not show it enough respect. We think we are customers of various companies, yet many of those companies treat us as products, whose personal data and digital footprint can be exploited for their gain. Furthermore, our data exists in multiple silos, repeated over and over again, sometimes even within the same institution. When anything changes, trying to remember where an update is needed can be a real headache. And the more places data is stored, the higher the risk of fraud and data breaches.”

In the report mentioned, and a companion document, Building A Consent And Control Centre: Towards Monetising Customer Data, Bareisis makes a case for making a business out of helping consumers manage access to their data.

Most European banks have been concentrating on compliance with new upcoming data sharing rules. “While these are critical tasks,” writes Bareisis, “we urge the banks to think beyond compliance and to turn customer consent into a valuable asset. Given the pressures on the traditional banking business, monetising data with customer’s consent will become increasingly important.”

Other than some efforts at control at individual banks and at Mastercard and Visa, things remain fluid in the U.S. Bareisis does have an early pick for a potential winner that’s coming here, which we’ll cover at the end of this article. But for American banks this is a good time to think about the possibilities. Bareisis suggests that some institutions may go their own way, while some degree of collaboration among multiple institutions might also form the basis of a model.

Data comes to the forefront

Consumer financial data, from account information to the trail of behavior we leave behind with every financial transaction we conduct, has become a major issue. In the U.S., the Federal Reserve’s Gov. Lael Brainard has been speaking about data sharing and related topics in an ongoing series of speeches. The Consumer Financial Protection Bureau has published guidelines on data usage.

In Europe and the U.K., personal financial information has become the focus of major new regulatory regimes. In the European Union, for example, there are the General Data Protection Regulation (GDPR) and the Revised Payments Service Directive (PSD2).

A key element of the European effort is that screen scraping will no longer be permitted. Instead, consumers will be enabled to give third parties permission to access their data, and banks must comply with their wishes.

Not that this is any kind of Wild West of Data. Third parties must be authorized and registered as Account Information Service Providers to take part in this new way of treating consumer financial data.

“The idea is that the customer owns the data,” says Bareisis.

Bareisis points out that many questions remain to be answered, and not everything fits together neatly.

For example, in the E.U. there is the “Right to be forgotten,” under the GDPR. Essentially, this enables a customer to not only decide to stop permitting a third-party to access a particular type of data, but to turn back time, in a sense.

The right to be forgotten is also referred to as “data erasure,” and that is intended quite literally. Records must be deleted, information no longer distributed further, and third parties processing the data told to drop it. There is a provision that addresses “the public interest in the availability of the data.” Bareisis suggests that anti-money laundering use would be an example, though this is not completely clear yet.

“There are internal conflicts in the regulation that haven’t been resolved yet,” says Bareisis.

Providing consent and control

“I believe this is all part of improving the customer experience,” Bareisis says. “Product differentiation can be a good tool in the arsenal of creating that experience.” The more control an institution provides the consumer with, the more attractive it becomes to stay with that provider.

Part of the appeal of a consent and control center would be the ability to tweak access and more across multiple platforms, ranging from computers to smart devices.

“To minimize fraud,” writes Bareisis, “customers will expect to be able to control—grant, change, or revoke—the access level for each of these devices.”

Customers would gain the advantage of knowing at a glance at the bank’s center who can access what data of theirs. Think in terms of the settings section of an iPhone, which displays, say, which apps have access to Location Services and which don’t.

Once banks establish their own consent and control centers, the data relationships controlled through that mechanism could be broadened. Customers might connect their information contained with other players, such as utilities paid through that bank, into the bank’s center.

A bank that has earned a reputation for flexible and secure data storage would have an advantage. Bareisis suggests this might produce some income, and could save costs in related data-intensive processes such as know your customer processing.

Down the road might come other types of data, such as health information, though the further the approach veered from the financial information, the more additional issues might surface.

Looking at Wells Fargo’s “Control Tower”

Wells Fargo announced its intention to introduce Control Tower, its version of a consent and control center, in July. The service is expected to be rolled out in 2018. Bareisis finds the announced service “very interesting.”

The bank’s service would provide customers with a single source showing everywhere their digital financial footprint extends. Recurring payments, third party access, mobile wallets, devices, subscription relationships—anything that “touches” or “sees” their bank data—would be capable of being viewed and controlled.

“As people navigate through life, their financial ecosystems are always evolving,” says a Wells video about Control Tower. The video shows how a young woman named Ashley uses the service to manage her financial life.

“She’s able to manage all her devices from one place,” the video states, and adjust anything she wishes on the fly.