
Where regulation meets responsibility: The unwritten rules of customer data


Granted: Banks and consumers have much to gain from the effective use of account holder data. But sometimes, the ones and zeros don’t add up and bank efforts fail to stack up.

It’s not as though both parties come at the Great Data Dilemma from cross purposes. Most banks want to gather and use customers’ data to better serve them and offer timely, targeted services. And customers in general approve, in part because it means (or should mean) they won’t be bombarded with irrelevant product offerings.

So, if banks want to gather and use customer data and customers can benefit from that, what could go wrong?


Today a tangle of rules, regulations and responsibilities forces banks to think inside the box. And that creates a tension between serving customers and showing caution. Customers want it both ways, even if banks can’t find an easy way.

Since 2002, banks have labored under multiple regulations, including the Financial Information and Safeguards Rule and the Gramm-Leach-Bliley Act (GLB). Industry observers say banks have mostly shown diligence in sticking to these regulations—which require them to inform customers that they gather and use retail bank account information. Customers can opt out if they don’t approve; some states, notably California and Vermont, require customers to opt in.

“Banks live and breathe by GLB act,” says Lisa Sotto, partner and chair of the global privacy and cybersecurity practice for law firm Hunton Andrews Kurth LLP. “It laid the groundwork for what banks need to do to protect consumers.”

You might think technology would make that job easier. Not so: Sometimes, it’s quite the opposite. While adhering to these regulations has become standard practice, the demand for customer-friendly technologies complicates matters for banks.

“Consumers are driving the need for more digital services,” says Claude Hanley Jr., partner with Washington D.C.-based Capital Performance Group LLC. “And this creates a new frontier where the cybersecurity risks increase. There are also additional questions about who has access to this information.”

For one thing, banks today work with many more fintech companies to provide such services. And that means they must oversee those third parties to make sure they address privacy and security concerns.

One example of the fintech dilemma involves account-holder budgeting, a service many customers seek. If banks can extract data that reveals how customers spend their money, they can help them analyze spending habits—and figure out how to save more and meet financial goals.

But many banks lack the in-house capabilities to do this and turn to outside firms for help. “As more third-party fintech companies are given access to customer data, banks have to put the proper safeguards in place so their partners adhere to the right practices,” Hanley says.

Sotto notes that customer privacy and security rules haven’t changed in recent years, but financial institutions may find them harder to enforce as the number of relationships expands.

“It’s the same set of rules, but it’s more complicated,” she says. “Banks need to take responsibility for what their service providers do. You can put in contractual provisions and observe the service provider’s practice at their offices, but ultimately there’s a limit to what you can do.”

Moving some components of bank relationships to social media could create additional problems, Hanley says.

He points to criticism some social media outlets such as Facebook have weathered over consumer information misuse. In response, Facebook and others have developed new consumer protection policies.

Hanley explains that Facebook earlier this year came out with its own rules specifically for financial institutions. So banks now have another layer of rules to worry about atop government regulations.

“Social media channels now have their own guidelines for marketing on their networks,” he says. “Banks need to know those rules and make sure they comply.”

But even when banks succeed in meeting the nitty-gritty of regulatory requirements—which they so often do—some argue they can do more to protect consumer rights. That falls into two areas: First, they must make sure customers understand what information financial institutions gather and how they use it. That leads to real value in exchange for data, not just haphazard product pushing.

Second, the language around disclosures is too often clear as mud—meaning customers have no idea what they’re accepting or rejecting.

Alyson Clarke, principal analyst with Forrester, a research and consulting firm, notes that while most banks’ disclosures on data gathering meet legal requirements, they lack meaning to customers. “Most privacy and security statements are poorly written and written for lawyers,” Clarke says. “And they’re hard to find. You need to explain in simple language what information you collect and what you do with it.”

Tiffani Montez, senior analyst for Aite Group, agrees that customers want more than boilerplate disclosures or to simply opt in or out of all data collection. Customers want the right to say what personal information banks can or can’t use, as well as how it’s used. That, she notes, goes beyond legal requirements.

Most important, customers need proof they will benefit from releasing their data. Rather than leverage the information for what Clarke calls “evil”—that is, the sole use of selling any product regardless of its usefulness—Clarke contends banks should use it to generate meaningful dialogues. Using data for good guidance ultimately leads to better, more profitable relationships, she adds.

“A lot of savings tools that banks offer don’t even ask the customer what they’re saving for,” Clarke says. “It helps to know that and understand the customer. And it should if you’re really interested in them.”

So yes, financial services organizations need to follow the rules as written. But when they adhere to the unwritten rules of customer care—and bestow bona fide value for abundant data—both sides benefit.    


Lauri Giesen has spent more than 25 years writing about banking technology and payments for numerous business and financial publications. In the 1990s, she founded and edited Financial Service Online, a magazine covering Internet-based forays into banking and investment services.
