Striking the right data balance
This month I decided to look more closely at what some governments around the world are demanding by way of access to, and in some cases control of, data associated with transactions and the processing of those transactions.
After all, governments need access to financial data for a range of purposes, including stopping tax evasion and money laundering. While most governments have a policy that gives them access to data without stifling innovation or raising costs, not all have done so. Let's take a closer look.
Expansion of financial regulation
Governments have been expanding their regulatory footprints across the globe. Examples include the relatively new personal data legislation such as GDPR as well as laws designed to prevent money laundering (AML) and check on people’s taxable affairs wherever transactions associated with them take place. A notable example of the latter is the US Foreign Account Tax Compliance Act (FATCA) which went live in the States during June 2014 and, as a result of a wave of Intergovernmental Agreements (IGAs), was extended right around the world.
FATCA demands detailed financial information reporting. It is a prime way that national tax revenue collection authorities can ensure that their citizens are paying the right level of tax, regardless of where their assets are and where their income is being generated. So far, so sensible given the pressure on governments to increase their tax receipts and the increasingly global nature of doing business.
The need for regulation is understandable - given the risks and amounts involved. However, governments rarely seek to find a balance between the need for information and the costs involved since they universally pass those costs onto the industry participants and ultimately end users.
Payments data protection
Where industry standard creators do have an advantage over governments is their understanding of costs within the industry. The Payment Card Industry Security Standards Council (PCI SSC), which was founded by American Express, Discover Financial Services, JCB International, MasterCard and Visa back in September 2006, gave the payments industry a nearly 12-year head start in terms of developing and managing its Data Security Standard (PCI DSS) before personal data protection legislation - most notably the EU General Data Protection Regulation (GDPR) - was enacted in various forms around the world during 2018.
As such, the PCI has very sophisticated standards and protocols for ensuring cardholder data is appropriately secured and protected during processing and storage. In other words, all these systems are very mature and strike a sensible balance between data protection and innovation.
However, the next stage of evolution is potentially much trickier for global paytech innovators like Mypinpad. It also threatens to stifle steady migration from cash to digital transacting which most countries want to stimulate. Let’s take a closer look:
Level 1 transaction data control
Increasingly, governments want transaction data stored only inside their jurisdictions since it is much more convenient for them. The issue here is not so much having a copy of the data within a jurisdiction, but rather that it is the only copy. Having databases distributed across each country that a company such as Mypinpad operates in eliminates the ability to enjoy economies of scale by centralising data processing systems with modern cloud technologies.
The financial services industry has now understood and accepted that the use of well-designed cloud technologies provides great benefits to companies and individuals alike, at low cost.
Mypinpad is inevitably processing transactions via one or more cloud providers. The same is true for Mastercard and VISA-based transactions which are all, by their nature, processed across multiple borders. Most of the payments world can live with Level 1 Transaction Data Control.
Level 2 transaction processing & data storage ‘Total Control’
However, more worrying is the emergence in recent times of a Level 2 Transaction Data Control. Level 2 countries build on the data requirements by also requiring the processing of all transactions within their borders.
This means that if Mypinpad and other payments providers want to process transactions from citizens of some countries, we will need to set up dedicated data processing environments in each of those countries, each of which will require PCI-DSS compliance frameworks to be in place. Our economies of scale collapse if we are having to set up processing and data storage systems and infrastructure in each of these countries. Our only solution if we want to do business in these countries is to try to negotiate often expensive exemptions or not support transactions by people working or resident in those countries.
There is real potential for those requesting Level 2 transaction data control to inadvertently experience adverse economic consequences. The cost of digital transacting is likely to rise substantially. Inevitably, citizens will be driven to transact more in cash, when governments around the world are pushing to increase the percentage of transactions completed electronically, so they are more traceable (and taxable). Paytech innovation is stifled and inevitably that acts as a brake on economic development as money supply is squeezed.
Transaction data protection and access, not total control
In summary, the framework for securing data collected in the processing of transactions and stored as a record of that transaction is already very strong thanks to very mature international financial regulations and PCI DSS. Transaction data can be shared with relevant government departments for the purposes of preventing the proceeds of crime being laundered to buy legitimate goods and services. FATCA and AML legislation should prevent money getting into the wrong hands and, of course, enables governments to collect optimal tax receipts.
However, governments need to be wary of demanding ‘within country’ processing and storage of that transaction data. It is not necessary, it prevents transaction costs falling, stifles progress towards digital-dominated transacting and will only serve to drive economies backwards longer term. What price total control?