By Karen Epper HoffmanPrivacy has become the new stealth hot-button issue—and when it comes to privacy surrounding financial information, people can be very touchy.
Consumers complain that their personal privacy is not respected, but often freely share sensitive information when it suits them, especially in the interest of receiving more personalized products, services or marketing. Hence, financial marketers find themselves in a pointed Catch-22 in marketing: hoping to connect in a personal way with customers or prospects, but unable to overstep certain boundaries that would transgress emerging privacy regulations.
“The over-arching feeling is that this is continuing to be a trend,” says Chris Nichols, director of capital markets for CenterState Bank, which recently merged with South State Bank and is in the process of assuming the latter brand. “We’re coming to grips with a new reality.”
Ron van Wezel, senior analyst for the Aite Group, says privacy and data protection are becoming central to bank policies. “First of all, banks need to comply with regulation and avoid data breaches which may harm their reputation and attract serious fines,” he says. “But next to compliance and risk mitigation, there is a strategic angle as well.”
Dara Chevlin Tarkowski, founding partner for Actuate Law of Chicago, says new data privacy regulation is focused on giving consumers more power and control over personal information. “And while most businesses think of ‘personal information’ as data points such as dates of birth and social security numbers, the definition of personal information is broadening significantly,” he says. The trend-setting California Consumer Privacy Act offers a popular example, whereby IP addresses, geolocation information, and transaction data can be tied to financial accounts or transactions.
Banks are “challenged” at a national level to deal with inconsistencies between what consumers say they want in terms of personalization, and the limits afforded by privacy rules. Peter Dugas, executive director of Capco, a business and technology consultancy, says that “banks are challenged at the national level to deal with significant inconsistencies in how Congress and administrators are approaching privacy.”
State governments have stepped in, as well as cities and counties, but these measures may only complicate issues. Indeed, the Clearing House recently conducted a survey that found two out of five (41 percent) of U.S. banking consumers already use at least one fintech app, most often relating to budgeting and saving, investment advice and lending. And, with regard to the privacy of the data they share when using financial apps online or on mobile devices, more than two-thirds of consumers say they are “very” or “extremely concerned.”
Indeed, “while banks have had to deal with data security matters for some time under FTC, PCI DSS, and state mandates like [New York State Department of Financial Services] cybersecurity, privacy under emerging state mandates and frameworks like CCPA introduce new operational and data governance challenges,” adds Jonathan Deveaux, head of strategic partnerships for enterprise data security for Comforte. “The big challenge is the emerging patchwork of state-by-state privacy regulations and enforcement. While many are similar in nature, each has its own definitions of personal data, rights under the law for consumers and operational impact.”
For example, a customer that operates across 20 states may be looking at 20 different frameworks and bills applying to them and their accounts, some of which are potentially in a state of revision being so new, like CCPA, Deveaux says.
Some financial institutions and third parties are hoping to sidestep regulations by steering clear of certain sensitive data. Rutger van Faassen, vice president of consumer lending for Informa, says that when it comes to capturing customer data, “We gather actionable data from lenders, no account or Social Security numbers. We’re looking for one-on-one targeting . . . the idea of the Holy Grail of the perfectly personalized offer.”
But no matter where a bank is located or what business it is in, industry observers believe that it is critical to consider potential privacy issues as they relate to their entire business. Greg Sawyers, SVP for compliance at Temenos, says that while there will be a delay in some regulations, “I caution most states not to be complacent. Everyone’s in the growth phase. We need to what’s looking to what’s coming down the pipeline.”
As these privacy issues are being worked out, many banks are taking a more reserved stance—eager not to run afoul of their own regulators or end up in the headlines. Jamie Warder, EVP and head of digital banking for KeyBank, says that a “conservative posture” allows the bank to use data to tailor the experience. “Respect for privacy and clients trumps even a better experience. We [have]absolute respect for privacy,” Warder says. Instead, the bank tries to be cognizant of the basic needs customers might have, and not inundate them with unrelated or unnecessary marketing pitches. “If we know you have a mortgage with Key, we might not show you a tile to do mortgage with Key.”
In many cases the concern comes down to control—did the customer explicitly offer control of their data to their bank, or another third-party agent? And, if they did, what do they expect in return for sharing their privileged information?
Van Wezel of Aite Group says that, “Customers must have the ability to withdraw or change their mandate to use data as easily as it is to give. GDPR [General Data Protection Regulation, European privacy regulations] has explicit principles for data management and customer rights that are shared by emerging regulations in other markets including the United States.”
Recently, Tealium, a compliance software company, surveyed 1,000 consumers about their relationships with various brands and their personal data privacy. The survey found nearly six out of 10 respondents think businesses are doing a good job handling their data, but 71 percent also say they don’t think it’s “possible to have total control over their own online data.”
And generational differences play a role as well. “Millennials more comfortable sharing their private data if they’re getting something back for it,” says van Faassen. “But it will be interesting to see what happens as this becomes more ‘top of mind.’”
Keith Brannan, chief marketing officer for Kasasa, an Austin, Texas-based community bank branding company, says that risk-averse, mid-sized and smaller businesses look at banking regulations “with a breath of uncertainty. They’re enter the playing field with not knowing how it’s going to be enforced.” Especially when it comes to more recent bank services, like online account-opening, community banks in particular are not sure how regulators will engage, Brannan adds.
But they are following the lead of larger banks. Thirty percent of large banks open new accounts online, compared to just 10 percent for smaller, community banks, he says. (Although those numbers are arguably rapidly increasing in recent months, in the face of the pandemic lockdown and more customers using digital access for many services.)
To err on the side of caution, banks should “establish a program for the most stringent of the plans. And know the variation of rules,” says Greg Sawyers. To that end, banks must institute policies that allow customers to access and delete their data as they see fit, he says, adding that automation may help with the burden here.
‘Most customers won’t opt out’
At present, Nichols believes that having an automated response to privacy concerns will afford most banks the flexibility they need. And, ultimately, with an eye toward getting the best deal in these tough times, he says that, “Most customers won’t opt out of potential marketing. We’re getting customers exactly what they want.” And, Nichols adds, banks rarely sell to third parties that would misuse customer data. Indeed, in his experience, fewer than 8 percent of customers opted out of targeted marketing from their bank.
Warder of KeyBank says there is a “lot of low-hanging fruit before you even get close to the line of privacy.” Hence, he believes that banks have a wide swath of opportunity to connect with customers and even prospects without coming close to transgressing privacy regulations.
Sawyers says the key concerns for most banks should be in how they might market to customers younger than 18, and how they manage their third-party vendor access to customer data. “We’re trying to achieve transparency, and accountability, for customer data,” he says. “You have got to have a plan … an understanding of the privacy policies, and how [they work]with your data collection.”
A frequent ABA Banking Journal contributor, Karen Epper Hoffman has been writing about the financial industry and technology for nearly 30 years. Her work has appeared in American Banker, the Wall Street Journal, PaymentsSource and others.