Financial services: how to protect the use of personal data

When we surf the web, we voluntarily or involuntarily share information with sites and applications. When it comes to emails and passwords to access e-commerce sites, for example, we are carefree. But things get more sensitive when we are asked to enter our credit card details. Yet this information is essential to accessing financial services while creating value for companies and customers. So how do we share them while limiting the risks? Let us look at it together.

The value of data and trust between financial institutions and customers

When we talk about financial institutions, we mean banks (central, investment, commercial or retail), savings and loan associations, insurance companies, and brokerage firms. These are organizations that customers choose on the basis of trust, in the knowledge that their relationship will almost always be an ongoing one. In addition, financial institutions manage one of the most valuable assets we have: financial transactions.

A wide range of data must be shared with financial institutions in order to pay for insurance online, access a mortgage or make a bank transfer: from personal data that is indispensable to the service, to functional data used to personalize it. Customers are only willing to provide this information if they see value in exchange.

For this to happen, financial institutions need to be as transparent as possible. After all, the relationship of trust with customers is based on the clarity of how the data provided will be used. It is crucial for a customer to know how, when and by whom their data will be used. If there is a lack of transparency, or if the financial institution misuses data, the relationship of trust will erode, and the impact on the company’s credibility will be severe.

The role of government and regulatory authorities

When it comes to personal data collected by financial institutions, we’re entering a sensitive area that requires regulatory authorities to get involved. The regulator’s role is to ensure that the correct procedures are followed in handling such data.
Today, the most important data protection laws and international regulations are the California Consumer Privacy Act, the Telephone Consumer Protection Act in the USA, and the General Data Protection Regulation in the EU.

Thanks to these regulations, achieving global coordination on the appropriate use of customer data is possible. Indeed, it is difficult for international financial institutions to treat customer data from different countries differently. To overcome this problem, the European GDPR, for example, speaks of privacy by design and privacy by default (article 25). This means that, taking account of the technologies available, it is mandatory to build in settings that reduce data protection risks already at the design stage of the website or application.

To meet the requirements related to the processing of private data, the aspects to focus on are:

  • privacy as a default setting and a relevant consideration at the design stage;
  • functionality and helpful flexibility for customizing services;
  • data security throughout the product/service transaction;
  • the principle of transparency;
  • the centrality of the user.

In this way, by adopting the standards and protocols agreed upon by the regulators, the risk of financial institutions being sanctioned is drastically reduced.

What private customer data are useful for financial institutions?

The private data that customers share with financial institutions is not just personal data but falls into several categories. In a report on the subject, Deloitte(1) identified 8 of them, which essentially collect information useful for personalizing products/services:

  • traditional identifiers: i.e. data that identifies a user, such as name, address, date of birth, gender, race, and social security number;
  • behavior and actions: the collection of information related to users’ habits expressed in public or private spaces, such as shopping, financial transactions, and online browsing;
  • thoughts and feelings: the choices and decisions that customers make while browsing online. This data is often used to create marketing psychographics;
  • images: photos taken by users or by robotic devices such as drones in public or private spaces;
  • location and space: data collected by geolocation technologies that provide companies with information about the geographic location of a person or property;
  • biological data: information related to a user’s physical characteristics, but also related to their physical and mental health;
  • personal communication: emails, bank statements, insurance policies, and all communications between customers and financial institutions, but also data relating to the user’s behavior while browsing the site, which is detected through the use of cookies;
  • association/group privacy: groups and subgroups the customer belongs to or associates with, including political affiliations, personal hobbies, work-related groups, and religious groups.

All of these classifications differentiate the customer and, as mentioned above, are of considerable value to businesses. Why do financial (and other) companies need to collect all this information? To analyze buying behavior and tailor offers. If you create a product/service that meets the customer’s needs, you have a better chance of selling it in the first place and building customer loyalty soon after. This rule applies to all business relationships, but it is even more important in the financial sector.

What are the benefits of personal data sharing with financial institutions?

We have therefore seen that the collection of customer data is a crucial aspect in the development of more efficient, cost-effective services that are more responsive to customer needs. In addition, a user’s behavior on the bank’s website or applications, for example, enables the financial institution to simplify applications and the user experience. Finally, data-driven forecasting improves the ability to assess and manage risk.

And how does the customer benefit from sharing? They benefit from having access to services that are always up to date and that improve their user experience. But the benefits of data sharing go beyond the individual customer and can have a global impact.

The digital acceleration made possible by data collection is a key element of financial inclusion, i.e. the ability of individuals and businesses from underserved communities to access useful and convenient financial products and services. Delivering services such as transactions, payments, savings, credit, and insurance in a responsible and sustainable way around the world is an enabler for as many as 7 of the 17 Sustainable Development Goals.

What are the risks of sharing sensitive data with financial institutions?

Like any organization that collects and manages users’ personal or sensitive information, financial institutions are a prime target for computer hackers. Fraud and identity theft are the biggest risks, but the reality is that the inappropriate activities of the institutions themselves also pose a risk. Let us see in what sense.

Digital identity theft is one of the most pervasive threats to financial services. Credit card cloning, as well as theft of identity card numbers and tax identification numbers, are the result of carelessness or, in some cases, the lack of security of certain devices such as mobile phones or tablets.

The attacks take the form of social engineering, ransomware or phishing. These techniques make it possible to clone the user’s digital identity and operate websites or applications in the owner’s name. This can be used to carry out economic transactions, steal data from health records or access finances.

Today’s technologies, such as AI and related applications that enable regular and automated verification, could greatly reduce these thefts. Unfortunately, their use by financial institutions is not always commensurate with the increasing risk. Just look at how each company has different ways of verifying access to the banking application. For example, there are institutions that ask for a code, others that use an OTP, and still others that rely on a fingerprint.

But as we said, in addition to attacks from external cybercriminals, there are also risks related to the misuse of customer data by financial institutions. One example is the sharing of user data with third-party vendors that support vital day-to-day operations for banks. Such access privileges can be exploited to steal credentials and data.

What should we look out for when choosing a financial institution to entrust our data to?

  • Carefully read the terms and conditions governing the use of the personal and sensitive information we share, especially the contractual clauses, even if it is a 30-page package. The more transparent and detailed this information is, the more trustworthy the financial institution in question will be.
  • Ensure that the customer can update in real-time the preferences expressed regarding the processing of personal data and be sure that the new choices will be respected from then on. For example, if I no longer wish to receive account statements at my home address, I must be able to communicate with the bank and obtain an immediate change.
  • Check that the institution provides adequate protection of personal data and effective and up-to-date verification systems, such as security tokens, certified authentication applications, and biometric verification.

How to balance the opportunities and risks of sharing private data?

Choosing not to share behavioral and traditional identification data with financial institutions is no longer an option. The less information we share, the fewer services we receive and the longer it takes to complete a transaction. As a trivial example, if I do not create profiles in the bank’s application for people or companies to whom I make regular transfers, I will have to re-enter all the information each time, wasting time searching for the data and risking typing errors.

To achieve a balance between risks and opportunities, it is essential that three actors work in synergy: governments, financial institutions, and customers.

Governments need to ensure that all financial institutions comply with the principles of appropriate use of data by training supervisory authorities and equipping them with the tools they need to supervise, and by adapting and updating legal and regulatory safeguards.

Financial institutions should strive for transparency of information related to privacy, security, and data use in order to build trust with customers and regulators. They will also need to ensure proper communication with users about long-term data management.

Finally, customers will need to be informed about their government’s rules on the protection of their personal and sensitive data. At the same time, they should check that the financial institutions they trust take this into account in their ‘terms and conditions’. In addition, they should ask the companies they choose to manage their finances to provide full transparency on the use of their personal data and to allow them to change their preferences over time.

  1. Deloitte, “Redesigning customer privacy programs to enable value exchange”.