Banking After GDPR: Consent and Agility

By Paul Rohan

June 19 — Historically, confidentiality has been the priority of the banking industry. Today, additional cornerstones are emerging as customers have embraced — and come to expect — services that provide richer, more valuable experiences, such as offering financial advice based on past behavior and enabling payments or money transfers virtually anywhere to anyone. Fueled in large part by the proliferation of mobile devices, cloud services and app ecosystems, these changes require a competency many banks have never developed — sharing data.

The banking industry’s response to this disruption has been mixed. Some banking leaders have seen fintech companies and large digital platforms primarily as competitors. Others have leveraged the shifting landscape to create new partnerships, expanding the variety of contexts in which consumers can make transactions and supplementing core banking services with new offerings that help customers make better decisions with their money.

Regardless of which group an individual bank falls into, change is now mandatory due to the enactment of open banking regulations such as PSD2, the European Union’s mandate that banks make account information and payment functionality available to third parties, and GDPR, the new mandate requiring organizations to protect EU citizens’ personal data and privacy.

As a consequence of these technological and regulatory forces, new cornerstones have emerged in the banking business as adjuncts to confidentiality to further ensure customer privacy: consent and agility.

Consent and Agility Inform One Another
In the new banking landscape, the concepts of agility and consent are somewhat inseparable. For both regulatory and competitive reasons, banks must not put customers in harm’s way but must nonetheless offer new services based on data sharing. One mandate necessarily informs the other.

For example, if a bank wants to be big in financial services, it should provide products aimed at an array of customers: students borrowing for school, young families borrowing for a starter home, mature households focused on investments, high net worth individuals, small and medium businesses, and so on. Each of these customer groups will present different needs. And a team looking after small businesses will operate differently than a team looking after college students. They’ll share different types of data, make different kinds of partnerships, and produce different kinds of products for their customers.

This variety means a bank’s innovation management will need to be distributed enough to allow fast-moving teams to make the right choices for their respective markets yet also universally rigorous in its approaches to user privacy and consent. This requires an operational model that applies security across disconnected, decentralized teams but still gives those teams room to maneuver.

This maneuverability will be a big departure for many banks. Even if they are used to having different teams manage different types of customers, the world of data sharing moves and evolves at a far faster rate than the world of legacy finance. Many large banks have teams that include thousands of employees and are monolithic in terms of their operation. This increasingly antiquated approach isn’t built to scale new ideas quickly — and scaling new ideas quickly is exactly what legacy banks must do in order to compete with fintech upstarts and other nimble competitors.

Most of these banks will likely need to transition from teams of thousands to thousands of teams. The right to make decisions will need to be pushed down to a more modular level — yet privacy and consent will need to be cornerstones throughout the company.

Leveraging APIs to Move Fast and Protect Customers
Most of the secure data sharing overtaking the banking industry is achieved via application programming interfaces, or APIs, which are the mechanisms developers use to leverage data and functions for new applications and services. API management will be a very important part of the framework of controls that banks will need to put in place to scale quickly and safely in an open banking world. Regulators, shareholders and customers will expect the highest standards of data management, API product oversight, and partner management in this control framework.

Even in an enterprise with many independent teams, API management allows the organization to control access to data and to monitor both how data is being shared and with whom. As teams continue to autonomously pursue their individual strategies, robust management can provide an organization-wide layer of control, visibility and insight between data and the user-facing applications and services that use it.

The legacy banks that thrive in the future will likely need to make significant adjustments. They’ll need to get better at living in this world of APIs, modular application development and digitally-empowered customers. They’ll need to get better at seeing data not as something to be kept secret but as something to be leveraged with the customer’s approval for new services and opportunities. And they’ll need to get better at partnering into digital ecosystems and self-serving their markets with developer portals.

Banking is a durable business, and the industry itself will survive these disruptions — but the same cannot be said for individual institutions. Both to be in regulatory compliance and to remain competitive, these banks must not stand still; they must embrace the new banking cornerstones of consent and agility.

Paul Rohan is an open banking researcher and Apigee (Google Cloud) consultant.
