March 28, 2022

Data Privacy in Banking: Technology trends

Listed below are the key technology trends impacting the data privacy theme, as identified by GlobalData.

Data underpins and enriches all aspects of a service or product in retail banking, whether optimising channel interactions, personalising risk assessment (across credit, market, and operational), or helping customers make better financial decisions. Data is also critical to the development of transformative new technologies such as artificial intelligence (AI), big data, and the Internet of Things (IoT).

Continued tensions between new technologies and privacy

Some technologies are more incompatible with data privacy than others. For example, distributed ledger technology (DLT) is promising because it is transparent, traceable, and unchangeable. However, providers cannot delete information or correct data if the ledger is immutable. These are clear data privacy tensions in the DLT context.

A key advantage of AI is the ability to automatically detect new use cases, but how can consent be granted for purposes that are not yet known? In a big data context, a key advantage is combining multiple types and sources of data, which again may not have been expressly permissioned by users at the time of consent to one piece of data. Finding a way to balance privacy protections with enough flexibility to innovate and bring new sources of value continues to be a challenge for country-level regulation and individual-level institution investment.

Growth in emerging privacy-enhancing technologies

The challenge of privacy is the trade-off typically assumed: that to protect privacy we must forgo some innovation, and to drive innovation we must limit some privacy. But emerging privacy technologies offer a third way, by helping banks process anonymous and/or encrypted data without losing any insight. The former centres on so-called obfuscation-based privacy-enhancing methods, such as anonymisation and pseudonymisation.

Anonymisation is a process of de-identifying sensitive data while preserving format and type. Well-known methods of anonymisation include, but are not limited to, tokenisation, randomisation, noise injection, suppression, and shuffling. Pseudonymisation involves ensuring all personally identifiable information including names, addresses, and social security numbers is identified and either removed, masked, or replaced with other values.

A separate but related area is encryption. Traditional data encryption, both for data at rest and in transit, requires decryption to perform queries or analysis and causes privacy to be compromised. It is also true that encryption increases the size of data considerably, causing a drain on bandwidth. However, homomorphic encryption is a privacy-preserving technology that allows third parties to process and, in some instances, even manipulate encrypted data without ever seeing the underlying data in an unencrypted format.

Data mapping

To make sense of the increasing volume, velocity, and variety of data coming into the enterprise, large incumbent banks are creating so-called data maps, to help register and categorise the types of data they collect on customers. This process has multiple components. One is understanding what type of data they actually need to better serve customers. Much of the data they collect might never be used for analytics purposes and keeping data for its own sake simply broadens the attack surface for data theft while increasing the risk of data privacy law breaches.

Data democratisation

Distributing information across teams and business units empowers individuals at all levels of hierarchy and responsibility to use data for better decision-making and to bring different perspectives to the data. However, every employee must be trained to a minimum level of comfort with the tools, concepts, and processes involved to realise more value from that data without significantly increasing its data privacy vulnerabilities. For example, in 2020 a credit analyst at Absa was able to access the group’s risk modelling process and sold personal information on 200,000 Absa customers to a third party.

Automation to put data transfer on compliance guardrails

Automating standardised processes for the removal or transfer of data can put the whole process on compliance guardrails, reduce cost and human error, and create enhanced scope to limit data duplication. These benefits, in turn, translate into a better experience when consumers request the identification, removal, and transfer of data, and ensure it is done accurately and immediately. Tied to the organisation’s mapping initiatives, automation initiatives increasingly support data discovery in all pertinent infrastructure environments within a company and across its third-party partnership networks.

Ongoing legacy technology challenges amid data privacy/sharing mandates

A key challenge for large incumbent banks is managing the ability to enable data deletion requests or portability without destabilising other parts of a bank’s IT systems. In the UK, for example, the Financial Conduct Authority and the Prudential Regulation Authority are fixated on the security and stability of banks’ IT systems, especially the role of older core systems, yet things like General Data Protection Regulation (GDPR) and open banking request things of core systems that they were never designed to do. Contrast that with newer digital banks, such as Starling, which had the opportunity to embed new privacy principles into their systems as they built them.

Increased third-party risk management

Due diligence on new fintech partners is now a structured and standardised process for many banks, but extra careful consideration is required on third-party data management as regulators will hold the bank responsible for the actions of third-party vendors. As such, incumbent banks should work closely with vendor partners to develop best practices and include regular voluntary audits. Banks need assurances that vendors are using data per the California Consumer Privacy Act, the European Union’s GDPR, and other regulations.

Third-party vendor software and processes should integrate with a bank’s existing systems and compliance practices. Another strategy we have seen is banks adding their own legal opinion or opt-out messages to meet consumer marketing opt-out disclosures.

IoT in banking

More ‘things’ connected to the internet create evermore data points for commercial providers to capture, which may not have been explicitly permissioned by users and/or customers. Apple, as a handset provider, has done much to enable permission to be easily turned on and off within mobile devices by application, but when devices multiply and interact with each other, it is more difficult to provide informed consent, even if it is requested.

Also, with new technologies like the IoT, data is recorded automatically or is produced or inferred from other data using more complex methods of analytics, such as machine learning (ML).

Biometrics generate new data types and risks

The growing use of biometrics is generating additional data types, such as iris recognition, fingerprints, and so on, for which governance frameworks and methodologies do not always exist. ID Finance, for example, incorporates behavioural biometrics into its AI-based fraud scoring engine to boost loan approvals and reduce the incidence of non-performing loans. The firm’s pilot programme reportedly operated at an accuracy level of 97.6% and has now been rolled out to all seven markets of operation. Tala, a US alternative lending start-up, scores users on how they interact with the app, relying on about 250 data points that are then weighted and analysed using ML techniques.

Companies that are not set up to handle biometric data at the very highest standards will have to either delete the data, as we have seen Meta do with biometric data on over one billion users, or find a partner that does meet the bar. As banks are required by law to store sensitive data, it implies that deleting data likely will not be an option, and they will have to continue upgrading new systems and procedures.

Cloud migration

The increasing volume and velocity of data have increased the need for cloud migration. The key concern amid cloud migration is trusting a third party to store data and handle security-sensitive operations. Many banks favour a multi-cloud approach, to avail themselves of private, public, and hybrid deployments. But with multiple cloud networks, it can be even more difficult to identify where exactly data is being stored and accessed. As some big banks embark on core system migration to the cloud, as with JP Morgan’s announcement with Thought Machine, even more mission-critical data activities are dependent on the cloud.

Voice banking privacy

Privacy concerns related to smart speakers have increased as the devices become more widespread. The technology is powered by a range of AI technologies allowing the main providers to gain access to a vast amount of highly valuable user data. As a result, customers are potentially locked into a company’s ecosystem, making it more likely that they will buy complementary products or access other services.

At present, smart speaker vendors handle privacy concerns through end-user license agreements or privacy policies but it is possible that, in the future, they may be required to include specific consent announcements in their devices, asking for verbal consent for recordings to be made and personal data captured.

Tokenisation

Tokenisation allows for card details stored on mobile wallets to be replaced by a one-use ‘token’ at payment, thus preventing consumer data from becoming exposed to fraudsters when making transactions. This technology is now the industry standard for card-based mobile payments. The widespread use of this technology has had two major effects on the market. Firstly, it has brought wallet providers such as Apple and Google under the purview of payments regulators.

Secondly, sensitive data is concentrated in the hands of wallet holders, which makes the chain more secure overall but creates a single point of vulnerability which, if compromised, would be disastrous for the reputations of wallet providers, the finances of their customers, and potentially for the perception of mobile payments as a secure means of transaction.

Edge computing

By processing and storing data locally, edge computing can address the privacy and security concerns that arise when personal data is sent to a centralised cloud data centre. It can, therefore, help enterprises manage data residency and compliance obligations. Additionally, the edge offers an additional perimeter where potential security attacks can be detected and prevented.

This is an edited extract from the Data Privacy in Banking – Thematic Research report produced by GlobalData Thematic Research.
