The New Rules for Banking

Trust in banks has declined since the global financial crisis a decade or so ago. And now the conflicting challenges of both protecting and sharing customer data simultaneously, if not done right, risk further undermining that declining trust.

On the other hand, the opportunity to embed the regulatory requirements as best practices should not be missed. Strong data protections and open banking support will separate successful banks from the stragglers.

Banks in the European Union, as well as global banks that do business in the EU, are in the midst of implementing two separate and sometimes conflicting regulations that could further undermine consumer confidence.

The General Data Protection Regulation (GDPR), an EU law in effect since May 2018 to protect data and privacy for all residents within the union, also regulates export of personal data outside the EU. The goal is to give individuals control of their personal data and standardize regulations. Standardization simplifies international business practices in the EU countries.

The EU’s Payment Services Directive 2 (PSD2), in effect since January 2018, requires banks to enable business and individual customers to use third-party providers to manage their finances and initiate payments. The third-party providers may be Apple Pay or other digital wallets. Other well-known tech companies such as Google and Facebook are likely to enter the digital banking market. Bank customers are likely to keep their money within the confines of a bank but use other providers for payments, investments and managing their finances.

Customers are now demanding protection of personal data (GDPR) and new means for flexible interaction with financial institutions (PSD2).

U.S. banks lag in this arena of digital and open banking. The laggards should quickly move to the customer services that EU banks are now rolling out. It may determine their success in the digital economy.

Modernization of back office functions through microservices and APIs, as well as the mandate to better protect data – referred to as the new rules of banking – carry the promise of improved customer experience, increased efficiency and increase innovation through collaboration with FinTechs.

Both GDPR and PSD2 have direct implications for a bank’s health. Under GDPR, EU consumers can now decide both how much of their data can be used by banks and other firms, while PSD2 opens customer banking data up to alternative payment and account aggregation providers.

PSD2 defines much of an emerging trend that gained early momentum in the UK – open banking. This approach holds tremendous potential in terms of attracting new customers – or conversely, increasing customer attrition. And failure to comply with GDPR could result in massive data breeches and EU fines that could be billions of dollars.

Even without fines, consider how Facebook lost $50 billion in market capitalization in just two days following the Cambridge Analytica data scandal. That doesn’t even account for the damage to the Facebook brand from security breaches affecting millions of users and the release of internal documents from a British parliamentary committee inquiry on the use of that data.

These regulations define the new rules of banking: Big risk but massive opportunities for banks to reach new customers and open new digital-only businesses. ING Bank has launched Yolt, a digital money management app, in three European countries to take advantage of PSD2 regulations.

Disregard these rules at the risk of your business’s future. So how does a bank manage the balance between openness and data protection?

It’s not easy. GDPR makes PSD2 more challenging, as opening up bank systems must be done while increased privacy and data protection regulations from GDPR make that process more difficult.

Here are a few recommendations on how to play under the new rules:

• Create strong data governance policies that drill down to the data field level and create a robust system for data anonymization where required.
• Enable the appropriate interfaces (APIs) and microservices by collaborating with platform providers and financial technology specialists, keeping in mind that governance of APIs goes hand-in-hand with data and analytical model governance.
• Empower digital payments processing with real-time fraud detection that analyzes every transaction with needed infrastructure to support authentication and detection in 50 milliseconds or less to both protect customers and meet new payments system settlement requirements.
• Build the appropriate ecosystems for open banking with technologies such as platform as a service (PaaS) and containers such as Docker.
• Prepare for data breaches with rules and processes before they happen. If you’re a bank, you’re a target. Don’t wait.
• Create clear and understandable privacy notices. Avoid the legalese and small print.

The new rules (not just) for banking are already here, and those who comply the fastest will be the winners, building their customer base, avoiding the scandal of a data breach and offering relevant and useful products that help customers manage their financial lives with ease.

My article originally appeared in BankNews on March 14, 2019.