The European Union General Data Protection Regulation (GDPR) comes into effect on May 25th 2018. It is important that banks prepare, as they will face fines of €20 million or 4% of worldwide turnover if they are in breach of GDPR, a point that has recently been emphasised in the UK by the Financial Conduct Authority (FCA). Because of the complexity and number of legacy systems that many financial institutions have, many feel that they will either be faced with the huge costs of analysing all the data they hold and deciding why they hold it, or face the reputational and financial damage that a breach of GDPR would entail.
It is true that banks with old, poorly documented legacy systems may well face huge difficulties with GDPR compliance. This will be especially true of banks that have added systems over the past 20 or so years without fully understanding the data flows between them. It means that if a customer invokes their GDPR right to be forgotten, a bank can only be sure that the customer’s data has been fully erased if it has gone through the pain of analysing all the data held across its systems.
Additionally, requirements such as carrying out a Privacy Impact Analysis before a major IT project that involves personal data, or incorporating Data Protection by Design into the design of new IT systems or procedures, will require a cultural change that will inevitably incur added cost.
However, at the same time many feel that “data is the new oil”. This is based on the idea that if banks use the data held on their customers to gain greater insight into a customer’s spending habits and likely banking requirements, then they can serve the customer better, and the customer is more likely both to stay loyal to the bank and to open additional accounts. Indeed, if a bank uses the opportunities that come from Open Banking to become an Account Aggregator, it can monetise this insight further.
The bottom line is that if banks do not know what data they hold, they will never be able to make use of it. The analysis could well reveal duplication of data between systems, and banks may well be able to follow up the analysis by streamlining the data flows within their disparate IT systems. This leads to efficiency savings, both through a reduction in the number of databases and through fewer errors of the kind where a correction made on one system is not replicated on a second.
GDPR will force banks to invest in the analysis needed to understand what data they hold, where they hold it and why they hold it. They will have to be able to demonstrate who they share personal data with and ensure that they have the consent of their customers to do so. Once they have gone through the painful process of analysing all their databases and the data flows between them, they will be able to make use of the data. In fact, done well, GDPR could very well be profitable for banks, as the use of data analytics on a well-documented set of data will provide greater insight into their customers.
With its Customer Data Protection module, Temenos not only offers the tools to allow a bank to support the requirements of the new regulation, but also supplies a metadata module describing the personal data held on the Temenos core banking system. This data model will allow a bank to identify what customer data it holds and use that analysis to pay for the investment required for GDPR compliance by monetising the data held on its core banking system.