Forget About that Cloak of Invisibility – Part Two

 Author: Deborah Matthews, debmatthews@jackhenry.com

In the financial services world, privacy concerns and regulation covering the use personal data are nothing new. The Gramm-Leach-Bliley Act requires FIs to allow consumers to opt-out of sharing personal information for third-party marketing. The Telephone Consumer Protection Act and CAN-SPAM legislation prohibit unsolicited commercial text messages and emails.  Yet to be determined… how the CFPB it will wield its authority in the privacy arena. (Stay tuned.) 

CRM systems have been around for years, helping FIs refine data to promote targeted product offers.  In the contemporary revenue compressed environment, some FIs are using tools to drive personalized offers that drive cross-selling and deliver additional revenue opportunities, such as merchant funded rewards (MFR) programs.  These MFR programs are designed to use data that is aggregated and fully anonymous in order to determine which offers to present, and are positioned to be mutually advantageous for both the FI and their customers.

But what happens when the broader universe of data is used in ways that impact consumers’ ability to access credit or insurance?  Today many insurance companies review credit ratings in order to “score” clients and set premiums. A recent article in The Economist predicts insurance companies will analyze card transactions at grocery stores to determine insurability (advice: pay cash if you are going to buy junk food!) What will come next? Will information gathered from posts on social networks, and intelligence purchased from data brokers, be considered in credit and lending decisions? Movenbank publicly stated that they will use information gathered from Twitter, Facebook and other social networks for lending decisions and pricing a customer’s relationship with the bank.

Here’s another area where it gets interesting. FIs face a privacy paradox because they are required to both restrict and use customer data. FIs have long been required to “Know Your Customer.”  This is accomplished through analysis of data from both historical interactions with the FI and other sources. 

The expanded FFIEC guidance on layered security calls for enhanced authentication processes.  FIs are required to understand customers’ “normal” financial behavior in order to identify anomalous activity. There is an evolving expectation for what is “commercially reasonable” for layered security: in a high-profile corporate account take-over case, the lack of behavioral analytics was a key factor that led the judge to rule against the bank.  And in another twist, technologies that some perceive as encroaching on privacy actually help protect:  proximity/location can be used as a security validation layer.

Privacy is almost inseparable from the issue of security, because of the threat of information falling into the wrong hands, the risks associated with fraudulent activity due to breaches and the growing specter of identity theft.  This is an epic issue for FIs even when the responsibility for a breach lies elsewhere; FIs are frequently impacted in some measure, ranging from diminished consumer confidence to operational burdens to financial implications.

Many FIs have a chief security officer, or house that duty within the responsibilities of the chief compliance officer or the chief information officer role. Maybe it’s time for FIs to consider adding a chief privacy officer.  FIs should ensure that their customers are clearly advised as to how their personal information will be collected and used. In his recent blog, Javelin Strategy & Research’s Mark Schwanhausser cautions FIs to consider their approach carefully to the inexorably linked issues of data mining, privacy, security and trust:

“FIs not only have an opportunity to profitably mine data, but they also have a trust edge over rivals. Nonetheless, they must mine data in a manner that protects customer privacy, enables customers to understand when and how they will benefit from sharing information and access, and errs on the side of transparency. ..Building trust takes time. Destroying trust takes only an instant.”