Can banks become the guardians of personal data?
A recent survey of Nordic banking customers conducted by Nordea showed that 51% of respondents felt that they did not have an overview of the data they had shared with different companies and institutions, and did not know where their personal data was being used or stored. Subsequently, 79% of respondents answered that they would like to get more of an overview of the data companies and institutions were storing on them in their systems.
Despite this, 84% of those surveyed had never contacted a company or institution to find out what sort of personal data was being stored about them. Clearly identifying a need, 75% of respondents answered that they would be happy for banks to deliver a service that gives them an overview of how their personal data is being used by companies and institutions.
Trusted safe keeper
Perhaps due to their history and despite rapid changes in the industry, banks are seen as a trusted pair of safe hands for looking after personal data. A non-country specific survey conducted by Nordea found that banks were behind only the health service and government institutions as most trustworthy in protecting data in a secure manner, finishing ahead of retail stores, telecoms and internet-based companies. A 2015 survey conducted by Colombia Business School found that 57% of respondents were comfortable with banks handling their personal data, ahead of telecoms, retail, airlines, web-services and e-commerce companies.
In order to establish banks as the home for personal data management, each aspect of the data ecosystem has to be analysed, beginning with data itself and whether it is possible to classify it as a new asset class.
Katja Haasanen, New Business Design at Nordea, says: “Looking at how banks should help citizens to have better control of their data, not only with financial data but with data aspects in general, raises all sorts of questions. In the very beginning we’ve been thinking about how data can be defined in a quantifiable way so that it becomes an asset class in itself. As data is currently being packaged in differing amounts and in different ways, it’s obviously a challenge to give it a specific value and establish it as a commodity in the market. It would be helpful to try to create some kind of common agreed market wide definition of what data really is. Once we have defined a more common classification of personal data, we can move onto governance and other aspects like how we can ensure human centric data control.”
ID is an idea
One starting point for the development of a personal data management process is to define a digital identity which can then be used to provide more assurance and trust in the system.
Arto Kulha, New Revenues Working Group at Nordea, says: “It is important to look at how it might be possible to maintain a verifiable identity, connected to your real world one, in the digital world. As a minimum you should always have a base level digital identity that you can revert back to and have somebody, in this case a bank, maintain it on your behalf. To give you an example, let’s say that I am purchasing something from another private person online, here I could compare their identity provided by a bank to validate that it matches the information they provided in our online interaction. And just to take the idea a bit further and given that banks typically have information on a person’s financial behaviour, I could see myself asking my bank to provide me with a stamp of approval for being a solid citizen with my financials to smooth out any doubts that the other person might have.”
“I could envisage the digital identity evolving over time from just providing verification to containing more attributes that customers would then be able to share with service providers depending on the need. This would keep customers in control of their data and provide an audit trail for where it is allowed to be used”, add Arto Kulha.
As a minimum you should always have a base level digital identity that you can revert back to and have somebody, in this case a bank, maintain it on your behalf.
At the Nordic level, an identification and identity platform across countries would mean a person using their credentials from Finland for example, to ensure their identity to somebody in Norway. A Nordic wide platform could then be envisaged to provide the service for people across the Nordic region.
Another aspect that is closely linked to digital identity is consent management. In this case, banks would take on the role of providing consent management and user registration services to all type of companies. Companies would use a plug and play solution provided by their bank to handle all aspects of data related to customer consent and identification.
Katja Haasanen notes: “Consent management is linked to the wider topic of the fair data sharing economy where we expect that all businesses going forward will be sharing the data of their users in some way. The question is how you can do that in a very good GDPR regulated manner so that you are auditing and logging all of the consents that are required and that human centric data control will be enabled. This would also help in making sure that the data would be more fairly available not only for large platform providers but also for smaller companies. Banks would be able to help companies to handle consents so that they can focus on their main business. As banks are compliant and regulated businesses that need to take care of consent management anyway, they have the inherent knowledge that can be utilised to help society.”
As banks are compliant and regulated businesses that need to take care of consent management anyway, they have the inherent knowledge that can be utilised to help society.
“It might be the case that the fair data economy should become part of national and regional infrastructure like roads and health care, etc. This is still quite a long road and is currently being assessed at the EU level. Of course, we have small building blocks here already with GDPR, Open Banking and PSD2 already hinting at how this type of consent management would work in certain very specific scenarios. If you widen the whole thinking of what type of data can be shared with consents, then we end up at even larger theoretical outcomes where everything is open and interfaceable,” adds Katja.
Transparent data usage
The road to a future of banks offering a complete package of personal data management solutions from tracking data usage to identity and consent management services may be some way off.
Katja Haasanen continues: “Reaching a state where a person can transparently see all of the data generated about them across their purchasing, subscriptions, social media and browsing journey in one centralised view would be very difficult but it’s a nice ultimate vision. This will undoubtedly be a fundamental enabler for future business.”
“The interesting question would be: should you be able to sell this personal data yourself that you have gathered or that you can access via the bank? For example, if you wanted to offer your data for use in a health survey, how would you get compensation out of that data exchange? Thinking about the future, a preferable end state would mean that you really would like to be compensated for all of the places where your data has been used. Maybe this could replace these more confined range of benefits that are available nowadays from various loyalty programmes that reward customers in return for information people are providing to them about their behaviour,” adds Katja.
Reaching a state where a person can transparently see all of the data generated about them across their purchasing, subscriptions, social media and browsing journey in one centralised view would be very difficult but it’s a nice ultimate vision.
Arto Kulha says: “There might be a market place for an aggregator service that would actually make the queries on a person’s behalf to whomever has been using the data. However, the reality is that most of our data is spread across a vast number of services and being able to reach all of the possible data sources can be a challenge.”
Aggregated and anonymised data
Aggregated and anonymised data, also known as metadata or big data, has already been a source of large revenue streams for certain companies in the new digital reality.
Katja Haasanen says: “When we talk about personal data, there is of course the question of how to approach anonymised aggregated data. This is one of the key discussions that needs to take place in order to be able to understand and categorise the nature of the data. As anonymised data is not viewed as personal data and your data is being collected for some sort of statistical purposes, then the assumption would be that you would not get compensation and societal benefits should be enough for people to incentivise them to share their data. This is definitely the next part of the story that requires further investigation.”
Arto Kulha concludes: “In the context of data usage for societal benefits, in many cases societies already use for example aggregated health data for the benefit of the society. Maybe it would not be so farfetched if for example financial institutions would share insights on aggregated financial to help governments plan and run social programmes.”