Data Privacy Mechanisms In An Interoperable Banking Ecosystem
In this dynamically evolving financial services ecosystem, success is underpinned by a fool-proof strategy driven by customer innovation at its crux. Recent seismic shifts since the pandemic have led to vast adoption and penetration of digital services across the board, irrespective of industry.
Lifestyle brands, ecommerce websites, social media and OTT platforms have marked a behavioural shift in consumer expectations. The connectivity and engagement offered between these platforms have also set a precedent for the banking industry. In a similar fashion, consumers are now keen to have their tools, information and services primarily available through banking so that they can engage with different companies. These blurred lines have transformed banking from a mere financial service offering to banking-as-a-service (BaaS). Think of banking as a platform business that offers integrated experiences. To enable this, banks are focused on building APIs for deep connectivity, exchange of information and partnership with other platform businesses, fintechs and third parties on open networks.
Interoperable Ecosystems Enable a Golden Source of Valuable Data and Insights
Today, technology adoption and digitization have left organizations sitting on mounds of consumer data and information. When services are integrated between various financial and non-financial players, it paves the way for data exchange through secure channels between all parties, which can become a source of valuable consumer insights. These interoperable ecosystems break data silos, thereby enabling banks to provide a better value proposition to customers in service delivery and quality. While consumers consent to data sharing between platforms on open networks, it requires strict data protection and privacy controls at our end to ensure their information is not misused. As an example of the initiatives being carried out as part of multi-entity collaboration, in 2021 the CBE initiated a mortgage financing initiative which allocates E£ 100 billion for low- and middle-income citizens to purchase housing units, which the government has channelled into its Mortgage Financial Fund (MFF). The initiative aims for inclusivity and brings under its umbrella the self-employed, citizens with special needs or disabilities, and pensioners younger than 75 at the time of financing.
Adhere to Data Governance and Protection to Retain Consumer Trust
As an industry, banking is in the business of trust. Consumers trust banks and financial institutions with crucial information to keep their money secure, which makes data governance, consent management and privacy mission-critical. Various governments have also recognized the importance of data protection and introduced country- or region-wide policies to ensure that companies, including banks, collect, use and share personal information with due diligence. Recent research by UNCTAD highlights that close to 80% of countries have put in place legislation or have draft legislation to secure the protection of data and consumer privacy. These measures by governments ensure companies adhere to controls and laws that protect the public interest, which reinforces consumer trust in the systems.
In 2020, financial zones such as DIFC in the UAE enforced their own version modelled on the famous European General Data Protection Regulation (GDPR). The Central Bank also legislated the Consumer Protection Regulation (CPR), which has been the guiding framework for all financial institutions in the UAE. The various layers of regulation ensure financial institutions operate with consumer interest as the central focus. Now, with a growing influx of digital services, the UAE government has introduced a federal law for data protection that is built around global best practices and enforces compliance and obligation among all companies that process personal data of individuals. Such central regulations set data protection principles that prevent misuse of personal data, reinforce trust and standardize processes.
While the government has taken strict measures to protect data privacy, banks in the UAE can also follow a few guidelines and processes at their end in an increasingly interoperable environment to plug any infosec and data privacy loopholes. I’ve outlined three broad measures that banks can implement to give customers a secure and trusted experience as social and financial activities start to merge.
1. Setting Standards and Boundaries with External Partners
Most banks have championed the open banking network by creating secure APIs for deep integration with intermediaries such as third parties and fintechs for customer information sharing. However, different companies have different sets of APIs. To share information seamlessly while maintaining privacy, banks must enforce strict data access controls and set limits on what information other intermediaries can access, how much of it, and when. Implementing contractual clauses will help ensure third parties are held accountable. It’s safe to assume that banks would bear the brunt in terms of brand reputation, and be liable for data breaches, fraud or scams between these links. Keeping that in mind, banks need to ensure that external partners comply with the standards and boundaries put in place.
2. Do the Due Diligence
All the infamous breaches and scams should be a lesson in accountability and responsibility. In the cycle between consumers, banks and third parties, the due diligence often resides with the bank. From authenticating customers, requesting consent and managing it, to authorizing data sharing, banks must create robust processes for each stage, assess all risks at every level and carry out continuous checks at regular intervals. This is to ensure the framework is being followed. Convincing consumers to give consent is a fairly easy task, but securely handling, storing and modifying this data while keeping hackers at bay is a critical task and should be non-negotiable between all parties involved. Another layer of due diligence can be carried out by vetting the data storage capabilities and cybersecurity systems of the partners that banks onboard to ensure compatibility.
3. Follow Protocols and Strict Measures Internally
The primary task for banks must be to introduce secure layers of cybersecurity measures to make sure their systems can support an interoperable ecosystem. Realigning the IT framework and governance policies and introducing additional security levels are a few ways this can be achieved. Track employee behaviour for any bad actors and have checks and balances in place for access controls. Institute two-factor authentication or verification to ensure that only an authorized set of personnel can access information.
We are operating in a world where customers will continue to demand integrated experiences from financial institutions but will not tolerate any compromise of their personal information when it is shared between parties. And with the tech advances the industries have made, they shouldn’t have to either. Platform banking requires banks to raise their defensive guards on data privacy and governance. Complemented by central regulations, this will ensure an efficient and evolved mechanism for sharing consumer information.