Technology tends to charge ahead of most other industries, and Facebook’s recent enormous data security breaches are no exception. First, the Cambridge Analytica breach compromised the private information of 87 million users—an enormous consequence of not reading contractual fine print and failing to monitor vendors.
On the heels of that debacle, 50 million Facebook users’ information was hacked through weaknesses in a new video-uploading program and, ironically, another new site feature designed to give Facebook users more privacy control.
Granted, the data security of one of the world’s largest technology companies—with 2.2 billion users worldwide—operates on a different scale than most banks. But there’s an argument that banks have even more at stake than Facebook: not only because they hold and move their customers’ money as well as their data, but also because they have a longstanding history of consumer trust unparalleled in almost any other industry.
The push to digitize banking has now given way to another wave of disruptive technology fueled by data: open banking. Data allows financial institutions to create the personalized, transparent experiences consumers demand. Through the rich data collected by tech giants, everything consumers experience is fast, personalized, almost human. These very traits are now expected from financial services companies’ digital offerings.
Indeed, replicating Facebook’s customer experience, or Amazon’s for that matter, represents the new standard to which most industries aspire, including banking. But without the requisite forethought, banks that prioritize Amazon levels of customer experience may overlook the concomitant risks. And that could well start them falling into those same traps that Facebook now confronts.
If banks get permission from their customers to use the rich amounts of data they generate, they have the basis to create much more personalized experiences. One early lesson of open banking in the U.K. is that people will forgo a considerable amount of data privacy in exchange for something in which they see value. And because financial services companies are already trusted to provide sufficient value, it’s fair to say that the customer is probably willing to offer much more personal information to them: more than they’d have previously thought to give.
But if banks don’t approach this correctly, it could cost them dearly, whether through breaches or data misuse, as we’ve seen with Facebook and many other companies. Also, if banks gather information for the wrong reasons, they might lose their status as most-trusted businesses that put customer needs above profits.
Hard-learned lessons: How Facebook lost face
Lesson one: Facebook wasn’t sufficiently transparent about how they used data or who owns it. Very few people know that a photo posted on Facebook becomes its intellectual property. So when Facebook users upload certain pieces of data, they actually provide much more. Whether they know it or not, Facebook tracks them even when they’re not on Facebook.
Lesson two: The social media platform failed to monitor its third-party provider correctly. Cambridge Analytica got permission to use Facebook data to run a personality test, but then harvested the data of the test takers’ connections as well—because the contract wasn’t specific enough and teams on both sides did not adequately read the contract terms of service. When Facebook asked Cambridge to destroy all the data, they promised to do it… but they didn’t quite. And Facebook didn’t ask for proof that all the steps were completed. That left untold data hanging in the balance.
And finally, lesson three: Facebook never started with data privacy as a priority. Quite the opposite: They started with the question, “How can we harvest as much data as possible?” The platform works by getting as many participants as possible on board. Now, they must retrofit it to incorporate an array of concerns they either overlooked or chose not to consider.
With open banking’s rise, a very real risk exists that banks could stumble by failing to embrace data privacy from the outset. Instead, when they see how the richness of data can open up new business possibilities, they might fall prey to an insatiable data appetite. Data privacy and security need to be upfront, primary considerations. Banks must put ethics before any benefits they could gain from the data.
A data with destiny: “I didn’t think this was possible.”
We’ll see more banks create marketplaces or at least open up their data to third parties. And financial services companies can do some truly incredible things with the data: some whiz-kid, seamless magic that will make customers say, “I didn’t think this was possible.”
One such offering centers on far more accurate, insightful credit scoring. Let’s say a customer applies for a loan or insurance policy. If she opens up access to the incomings and outgoings of her bank account, the bank can establish exactly what she spends on or how much she saves: more behavioral-type data. This would give a much more accurate, real-time risk profile than current methods can. While expediting the way to a “yes” decision that benefits the borrower, banks could cut the risk of this customer defaulting. That means a more nuanced underwriting decision and the possibility of finer interest rate gradations. And so the possibilities ripple further out.
Similarly, when customers allow access to their bank accounts, investment portfolios can be structured in a much more personalized way. Seeing how much someone spends or saves, or their multiple other financial behaviors, gives a much clearer view into risk appetite. The picture created by these multiple pixels could steer money into peer-to-peer lending, a savings account or a mortgage-backed security, for example.
Putting it all together: Data transparency, out in the open
In sum, there’s much we can gain through an open approach to data. And as for caveats, banks can learn much from Facebook’s experience:
Be transparent about what you do with the data.
Be open about who owns it.
Be open about what you’re trying to achieve with it.
Establish excellent systems of monitoring and due diligence around any movement of the data.
The good news for U.S. banks is that time remains to take in these lessons. Properly learned and applied, that’s an occasion to press the “like” button many, many times.
Martijn Moerbeek is director of group digital strategy and innovation at Legal and General, a U.K.-based financial services and insurance firm managing more than $1.4 trillion in assets.