WEF White Paper Appropriate Use of Customer Data


White Paper

The Appropriate Use of Customer Data in Financial Services

Prepared in collaboration with Oliver Wyman


September 2018
Contents
Executive summary
Background
Opportunities and risks
Customer data challenges
Conclusion
References
Acknowledgements

World Economic Forum®

© 2018 – All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.

The views expressed in this White Paper are those of the author(s) and do not necessarily represent the views of the World Economic Forum or its Members and Partners. White Papers are submitted to the World Economic Forum as contributions to its insight areas and interactions, and the Forum makes the final decision on the publication of the White Paper. White Papers describe research in progress by the author(s) and are published to elicit comments and further debate.

REF 160418 - case 00048540

Executive summary
In an effort to understand better the implications of the Fourth Industrial Revolution – a technology-led transformation that is fundamentally altering the way people work, live and relate to one another – the World Economic Forum prioritized a review of the financial system through its initiative, Balancing Financial Stability, Innovation and Economic Growth. A key part of this review focused on the appropriate use of customer data in financial services.

This review began a year ago and several developments since have reinforced the urgency of this work. Whether it is data breaches at large organizations crucial to the provision of credit, disclosures of controversial data-sharing practices at social media firms offering payment services, or considerations by big techs to partner with banks and exchange customer and transaction data, the accelerating data-fuelled transformation of financial services demonstrates the need for stakeholders to align on principles governing the use of customer data. Uncertainty about what it means to use customer data appropriately could cause a loss of trust that could lead to instability in the financial services system.

Policy-makers recognize the need for guidance and have been implementing legislative responses, most notably through the European Union’s General Data Protection Regulation (GDPR). California and China have passed similar laws and numerous jurisdictions are currently formulating or reviewing their respective data regulations. These necessary efforts introduce important checks and balances, yet are insufficient. An uncoordinated proliferation of global data frameworks may prove counterproductive in the long run, resulting in further regulatory fragmentation with adverse knock-on effects for innovation and new business formation.

Through a series of roundtable discussions and interviews with industry executives and experts across multiple regions, the Forum stakeholders identified the lack of global principles to guide the inherent trade-offs to be made in the use of customer data as a major foundational gap. A draft set of global principles has been developed and the Forum stakeholders encourage their adoption. The principles, focused on control, security, personalization, advanced analytics and portability, demonstrate the feasibility of achieving high-level consensus on customer data collection and use practices globally.

The consequences of inaction on the appropriate use of customer data – such as overexposure to risk, the stifling of innovation, or competitive inequity leading to poor industry structure – demand the expedited, yet careful, implementation of these principles globally. To address the range of practical implementation challenges, the principles suggest a series of next steps for governments, incumbents and challengers. By following the roadmap developed to tackle these obstacles, stakeholders can better manage the trade-offs of using customer data and addressing key data-related challenges – ultimately, balancing financial stability, innovation and economic growth.

This document builds on the Balancing Financial Stability, Innovation and Economic Growth White Paper published in June 2017, which made the following findings:

1. Major innovation-driven change is coming to financial services. Firms are increasingly competing or partnering at different points along the financial services value chain to take advantage of unmet customer needs, less efficient cost structures, high capital usage and attractive returns.

2. These changes can bring enormous benefits to the financial services system. Benefits include improved customer experience, better risk management and greater efficiency for incumbent industry participants and new value creators.

3. Managing some systemic risks introduced by this wave of innovation poses challenges. The appropriate use and competitive advantage of customer data was identified as a key area of focus by the Stewards of the Forum System Initiative on Shaping the Future of Financial and Monetary Systems and the Steering Committee of the Balancing Financial Stability, Innovation and Economic Growth initiative.

4. The financial services system would benefit from certain tools to achieve greater enablement and risk management. These include a more standardized regulatory treatment framework across jurisdictions.



Using data to build a better financial system

1 Customer data are critical to innovation and growth, but data misuse risks a loss of trust that could destabilize the financial services system

Customer
Opportunities:
- New products and services tailored to individual needs
- Enhanced customer experience
- Financial inclusion for underserved individuals
Risks:
- Financial losses due to fraud
- Loss of privacy if data are used without consent
- Exclusion from products or services due to real or perceived risks

Business
Opportunities:
- Development of new products and services
- Better risk management capabilities
- Cost savings from more efficient internal operations
Risks:
- Regulatory penalties or reputational damage from misuse of customer data (loss of customers)
- Operational losses from fraud or cyberattacks
- Market disruption for companies that depend on pooled risk or cross-subsidization

2 Stakeholder discussions identified five challenges to reach consensus on the appropriate use of customer data in financial services

Challenge 1: Varying stakeholder incentives regarding the use of customer data
Challenge 2: Regional differences around the world in societal and cultural beliefs concerning customer data
Challenge 3: Complexity of different data types, uses and collection approaches
Challenge 4: Lack of common principles for framing issues
Challenge 5: Issues of practical regulation and implementation of shared principles

3 Governments, incumbents and challengers need to take action in 10 key areas to ensure the financial system evolves appropriately

Governments
1. Enable global coordination on principles for the appropriate use of customer data
2. Establish legal and regulatory safeguards that balance customer data oversight and innovation
3. Ensure supervisors have the tools and expertise to provide effective oversight of customer data
4. Develop customer data critical infrastructure and associated standards and protocols

Incumbents
5. Strengthen trust with customers and regulators by proactively addressing data privacy, security and appropriate use
6. Deepen customer relationships by focusing on long-term data stewardship over short-term commercial incentives
7. Collaborate with other incumbents and challengers to demonstrate industry leadership on customer data

Challengers
8. Meet or exceed expectations from customers and regulators to provide financial products and services
9. Manage risks associated with using new types of customer data or advanced analytics
10. Protect customer data while maximizing growth and value creation

Source: World Economic Forum and Oliver Wyman



Global customer data principles

Control
“Companies should be clear about their use of customer data, attain customer agreement to their customer data policies and, where appropriate, seek consent for specific uses.”

What is meant by control?
Control refers to the relative ability of businesses and consumers to use and capture value from data.

Key questions:
- When is consent required to use customer data?
- What is required for informed consent?
- Can customers request to know the data about them held by companies?

What conditions are required to be effective in practice?
- Informed consent: Companies need to provide clear and accessible information about how customer data will be used (e.g. terms and conditions).
- Transparency: Customers should be able to view or know the data that are collected about them, how they are used and whether they are shared with a third party.
- Ability to revoke consent: Customers should be able to request that data about them no longer be used by an organization (e.g. the right to be forgotten).
- Legitimate use: Companies may not need to seek consent when using data for legitimate interests (e.g. those required by law).

Security
“Companies should be held responsible and accountable for data security.”

What is meant by security?
Security refers to how data security responsibility is balanced between customers and companies.

Key questions:
- What responsibilities do companies have to secure customer data?

What conditions are required to be effective in practice?
- Liability: A clear liability framework should be in place that ensures the responsible party is held accountable for data security and for harms caused by breaches of its respective data security duties of care.
- Traceability: Companies need to be able to identify where data were improperly used or accessed in the event of a security breach.

Personalization
“Companies should be able to create individual customer-level profiles that allow them to provide differentiated customer services.”

What is meant by personalization?
Personalization refers to whether companies can provide differentiated services to customers.

Key questions:
- Should businesses treat people equally or as individuals?
- To what extent should companies incorporate customer preferences for data use?

What conditions are required to be effective in practice?
- Intervention: Customers should be able to intervene to gain information or limit the use of data they control, and companies should respond appropriately.
- Limited use: Where reasonable, a maximum time period that data can be retained by companies should exist, as well as limits on certain sensitive data types or uses.

Advanced analytics
“Companies should be able to comprehensively test, validate and explain their use of data analytics and models to customers.”

What is meant by advanced analytics?
Advanced analytics refers to whether safeguards are needed to use new models and statistical approaches.

Key questions:
- Are safeguards necessary to prevent data from leading to discrimination and exclusion?
- Should customers have the right to correct or update data about them?

What conditions are required to be effective in practice?
- Justification: Customers should have the right to request why a decision was made (e.g. why the model methodology is appropriate, why the output is justified).
- Challenge: Customers should have the right to correct incorrect or incomplete data about them held by a company.

Portability
“Companies should, where appropriate, allow customers to access, download, transfer and/or permit third parties to manage data about them.”

What is meant by portability?
Portability refers to the ability of customers to transfer data about them between private-sector participants.

Key questions:
- Who should be able to authorize the transfer of customer data between private-sector participants?
- Do data formatting standards need to be created?

What conditions are required to be effective in practice?
- Accessibility: Companies should allow customers to download data about them in machine-readable format or through standardized APIs, depending on companies' stage of development and jurisdiction.
- Third-party permissions: Accessibility encompasses customers giving third parties permission to download their data.

Source: World Economic Forum and Oliver Wyman



Background
The generation of data has exploded, with the global volume of data predicted to double from 2018 to 2022 (Figure 1). While data are having a transformative effect across industries, this paper focuses on the role of data in financial services, where incumbents (large, successful companies that predate the digital revolution) as well as financial technology (fintech) and large technology firms are rapidly increasing their abilities to collect and use data about the people using their products and services (customers).

Technological innovations have improved the ability of businesses to capture and use customer data. Internet-of-things technologies allow companies to collect a greater variety of customer data, such as customer locations and behaviour. Advanced computing increases the ability to store, manage and transfer data, while advanced analytics permits greater insight into customer behaviours and preferences (Figure 2).

These innovations have created opportunities for business innovation. They have also led to uncertainty, however, about what it means to use customer data appropriately. Governments around the world are debating whether to adopt elements of Europe’s new General Data Protection Regulation (GDPR). Business leaders are considering what they would do if a third party misused customer data. And finally, customers are asking how companies are collecting, using and sharing data about them, and what benefits they are getting in return.

Figure 1: Annual global data volume

[Chart: data volume (zettabytes) by year, 2010 to 2025, showing existing data and forecasted data]

- Certain marketing companies have about 1,500 data points on approximately 96% of US citizens
- 95% of the top free mobile apps collect customer data (location, social networks, etc.)

Note: Data points are units of observations or characteristics (e.g. gender, location, ethnicity) related to the referenced citizens.
Sources: Reinsel et al. (2017), CitiBank (2017)

Figure 2: Impact of technological innovations on customer data


Technology: Digitization
Description: Electronic housing of customer information and digital interface to facilitate information processes
Examples of customer data impact: Collection of a greater variety of customer data, such as purchase history and web browsing time

Technology: Internet of things
Description: Network of internet-connected objects able to collect and exchange data using embedded sensors
Examples of customer data impact: Secure verification of customers’ identity; collection of customers’ locations and behaviours

Technology: Biometrics
Description: Identity authentication through use of uniquely physical or behavioural characteristics (e.g. facial recognition, fingerprints, voice recognition)
Examples of customer data impact: Secure verification of customers’ identity

Technology: Advanced analytics/artificial intelligence
Description: Statistics and modelling used to determine future performance based on current and historical data
Examples of customer data impact: Data mining to provide better insight into behaviours and preferences

Technology: Robotics
Description: Software solutions that automate routine, repetitive or rule-based processes
Examples of customer data impact: Reduction of operational costs for consuming, manipulating and acting on customer data

Technology: Advanced computing (quantum, edge, cloud, mobile)
Description: Network of remote servers hosted on the internet; systems based on quantum effects; devices created using mobile components; optimization from performing data processing at the edge of the network
Examples of customer data impact: Increase in ease of storing, managing, transferring and processing data

Technology: Open application programming interfaces (APIs)/microservices
Description: Publicly available API that provides access to a proprietary software application or web service
Examples of customer data impact: Secure sharing of data with reduced risk of breach

Technology: Distributed ledger technology (blockchain)
Description: Public transactions enabled through a database consensually shared among networks spread across multiple sites, institutions or geographies
Examples of customer data impact: Customers regaining control of personal data, including access and transfer

Technology: Advanced encryption
Description: Advanced encryption methods, such as zero knowledge proofs and tokenization of data
Examples of customer data impact: Development of alternative approaches to sharing personally identifiable information

Source: World Economic Forum and Oliver Wyman



Opportunities and risks
The opportunities and risks in customer data (Figure 3) have implications for the global financial services system. Both customers and businesses deserve the opportunity to benefit from the expanded use of such data. For these benefits to be realized, however, customers need to trust that data about them will be used appropriately, and that they will share in the value created.

Companies can design products and services customized with customers’ individual data. Most financial products and services are standardized, making it difficult for businesses to meet the unique needs of their customers – people with diverse financial circumstances who may want to study at a university, buy a house or start a company. Expanded use of customer data can help companies design cheaper and better services, such as targeted insurance products for gig-economy workers with varying income over time, or customized loan products for businesses with seasonal sales.

The opportunities for customer data to create value for both businesses and customers are enormous. In addition to better products and services, the expanded use of this data can increase economic growth by bringing new customers into the financial system. This is particularly true for many customers in developing countries, where alternative data sources can allow for greater access to savings accounts and credit products.

However, failing to protect customer data appropriately means companies face significant risks. Protecting customer data is challenging: data can be misused by bad actors within a company, stolen by cybercriminals or inappropriately shared with third parties. Data misuse can lead to direct financial losses, due either to an increase in fraud claims or regulatory fines. Companies that fail the “newspaper test” (i.e. the implications of their misusing data when such practices are publicized) can also face significant reputational consequences.

Customer data may also pose risks to market stability because of changing economic incentives. Increased availability of more granular customer data could encourage companies to focus on their most profitable customer segments. This could lead to disruption in markets that depend on pooled risk or cross-subsidized products and services. In parallel, customers could be excluded from using products or services due to real or perceived risks.

Finding consensus on the appropriate use of customer data is critical to balancing financial stability, innovation and economic growth. While a lack of customer data safeguards can weaken trust, over-regulation can also hinder innovation by restricting development of products and services that customers want. Managing key trade-offs and identifying areas of common ground will be critical to ensuring the benefits of customer data are realized across the financial services system.

Figure 3: Customer data opportunities and risks


Customer
Opportunities:
- New products and services tailored to individual needs
- Enhanced customer experience
- Financial inclusion for underserved individuals
Risks:
- Financial losses due to fraud
- Loss of privacy if data are used without consent
- Exclusion from products or services due to real or perceived risks

Business
Opportunities:
- Development of new products and services
- Better risk management capabilities
- Cost savings from more efficient internal operations
Risks:
- Regulatory penalties or reputational damage from misuse of customer data
- Operational losses from fraud or cyberattacks
- Market disruption for companies that depend on pooled risk or cross-subsidization

The dignity of the human person, and a healthy community, can be protected only if the expansion of economic opportunity is balanced with human rights and respected mutual responsibilities. Big data can deliver improved financial support for people, especially benefiting the previously ‘unbanked’ poor. But it must not exploit the ignorant, the naïve and the marginalized. Big data and artificial intelligence should not produce diminished life opportunities and constrained autonomy for the minority. A healthy community cannot be achieved where microdata analysis results in groups being excluded from banking or insurance services merely in the name of targeted profit maximization.

Bishop Paul Tighe, Secretary of the Pontifical Council for Culture, The Vatican



Customer data challenges
Five major challenges (Figure 4) make it difficult to gain consensus on the appropriate use of customer data:

1. Varying stakeholder incentives regarding the use of customer data across customers, governments and businesses
2. Regional differences around the world in societal and cultural beliefs concerning customer data
3. Complexity of different data types, uses and collection approaches, making it challenging to create consistent standards and practices
4. Lack of common principles for framing issues concerning the appropriate use of customer data across topics such as liability, consent and transparency
5. Issues of practical government regulation and implementation of shared principles across governments and the financial services industry

Each of these key challenges comprises common questions underpinning global conversations and debate about the appropriate use of customer data, particularly in the financial services sector.

Figure 4: Customer data challenges

Challenges and common questions

Important context

Varying stakeholder incentives
- How can businesses use customer data to add value for customers?
- What regulations may be needed to balance potentially competing interests across customers, governments and businesses?

Regional differences
- How should governments consider regional differences as they develop regulatory frameworks for customer data?
- How can governments and businesses facilitate alignment on the use of customer data across regions?

Data complexity
- How should governments and businesses define and categorize different customer data types, collection approaches and uses?
- How can stakeholders increase alignment on definitions and categories for different customer data types, collection approaches and uses?

Opportunities for action

Lack of common principles
- What should businesses need to tell customers about how they collect and use customer data?
- What customer data types, collection approaches and uses should businesses need consent for?
- Who should be accountable for security breaches or misuse of customer data?
- Should there be limits on certain customer data types, collection approaches and uses by businesses?
- What should customers be able to view or know about how customer data are collected and used by businesses?

Issues of practical government regulation and industry implementation
- Based on their respective objectives, what steps should governments and businesses take to practically implement common principles?
- How should governments evaluate the costs and benefits of customer data regulations?
- How should financial service regulators approach customer data?
- How can companies create appropriate internal governance practices for customer data collection approaches and uses?
- What types of infrastructure or common standards and protocols may be needed to facilitate the appropriate sharing of customer data?

Source: World Economic Forum and Oliver Wyman



1. Varying stakeholder incentives

Customers, governments and businesses have specific and sometimes competing interests regarding customer data (Figure 5).

Customers appreciate that data about them can be used to create tailored products and services but are concerned about privacy and misuse of that data (Figure 6). Customer data have allowed businesses to streamline applications for many financial products and services, saving time and enhancing the customer experience. Customers also have gained access to innovations based on both personal and aggregated customer data. However, many of them are concerned about data authenticity and the impacts of data misuse, from the growing number of automated telemarketing phone calls to issues about fraud and identity theft.

Governments are eager to spur innovation and growth but are concerned about risks that may weaken trust in the financial system. While regulators around the world are experimenting with new tools and approaches, they struggle with how to address products and services that fall outside existing regulatory frameworks. The pace of technological advances means that existing laws and regulations can quickly become obsolete, frustrating both customers and businesses seeking to access new innovations. However, customers can also become concerned if they feel governments are not sufficiently protecting them from new risks.

Incumbents are eager to leverage customer data but prioritize stability and safeguarding their market position. Incumbents – large, successful companies that predate the digital revolution – are investing in their data infrastructure and actively working to enhance their offering of digital products and services. Many firms, however, face significant challenges in upgrading their legacy technology systems. Incumbents also need to address new market entrants, as well as changes required by new and pending regulations.

Challengers prioritize innovation and growth while adapting to changes in public and regulatory attitudes. Challengers within financial services, particularly small fintech firms, often focus on gaining access to larger markets, which increasingly involves partnering with incumbents. Challengers outside financial services, particularly established technology firms, are also considering offering financial products and services directly (business to consumer) or to other financial services companies (business to business). Both types of challengers must adapt to the regulatory environment and consider whether and how to partner with incumbents.

Figure 5: Customer data stakeholders

Data use landscape

Customers: Appreciate that data about them help to create tailored products and services, but concerned about privacy and other risks from data misuse

Businesses: Enthusiastic to leverage customer data to generate insights and create profit, but unclear how to adapt to changing regulations and public sentiment
- Incumbents: Prioritize stability and safeguarding market position
- Challengers: Prioritize innovation and disrupting market

Policy-makers and governments: Eager to spur innovation and growth, but mindful of risks to customers that may weaken trust in the financial system

Source: World Economic Forum and Oliver Wyman



Figure 6: Customer views on how companies should handle their data

Customers want financial institutions to use data about them in ways that they can benefit from
• Most customers are uncomfortable with smartphone and tablet apps using their personal data and are worried that sharing data makes them targets for marketing campaigns
• 84% of those surveyed feel they have less than sufficient control over the way organizations use data about them

How do customers want financial institutions to use their data?¹
[Bar chart comparing current usage with preference for future usage for four options:
- Protect you against adverse behaviours (e.g. alert me before I incur a fee or if the price I’m paying is likely to decrease in the near future)
- Anticipate your needs and offer you customized products and services
- Sell your data to other companies to earn a profit
- None of the above]

Customers are often willing to share data for free or discounted products
• 50% would accept free or discounted products in exchange for less privacy, including 45% who would allow their automobile driving habits to be monitored to receive cheaper insurance premiums
• Customers are willing to share a non-required piece of data² for various benefits, including:
80% 79% 77% 69% 63% 61% 56%
Rewards from Cash back Coupon for future Location-based Less spam Exclusive Recommendations
company discounts customer service

Customers are more willing to share data with brands they trust³
• 75% are more willing to share personal data with a brand they trust
• 48% would lose trust in their bank and 28% would switch to a new bank if their bank were accused of unethical business practices that did not impact them personally

¹ The question in the Oliver Wyman 2017 Trust Survey of about 4,800 US adults was: “How do you think that your primary bank currently uses your less sensitive personal and account history data (e.g. contact info, purchase history, etc.)? How would you prefer that the company use your less sensitive personal and account history data in the future? Please select all that apply.”

² A non-required piece of data refers to personal information not required to receive the service. The results shown are from a 2015 survey by the Center on Global Brand Leadership at Columbia Business School, in conjunction with Aimia, of over 8,000 consumers across four generations in five countries (United States, Canada, United Kingdom, France and India). See Quint and Rogers (2015).

³ Results are also from the 2015 survey. See Quint and Rogers (2015).

Sources: European Commission (2015); CitiBank (2017); Morey et al. (2015); Cooper and LaSalle (2016); KPMG (2017); Oliver Wyman (2017); Quint and Rogers (2015).



2. Regional differences

Although stakeholder perspectives are important, significant differences exist in beliefs and regulations concerning customer data around the world. While more than 120 countries have enacted data protection legislation, this paper highlights three distinct regional approaches:

- Europe recently established the GDPR, an overarching data protection law that provides strong personal data protections and enhances residents’ rights to data about them.
- In the Americas, and particularly the United States, numerous sectoral laws are aimed at preventing physical and/or economic harm rather than codifying data protection as a fundamental right.
- Countries in Asia-Pacific, with comparatively less focus on individual data ownership rights, have focused on balancing economic development and financial inclusion with the need to protect sensitive data.

Understanding regional differences is important because customer data increasingly crosses political boundaries. In the past, companies were often subject to regulation in a single jurisdiction. Now, they may need to account for their customers’ locations, their data storage centres and data processing facilities when considering what regulations will apply to their activities. For companies that leverage multiple cloud-based service providers, even identifying the appropriate jurisdictions may be challenging.

Europe

Europe has enacted comprehensive data protection and open banking legislation that views protection of data as a human right. The GDPR requires companies that are based in the EU, process data in the EU or do business with EU customers to examine their data usage practices and remediate gaps to avoid financial penalties. The GDPR reinforces data protection requirements and establishes new individual rights (8), including data portability and the right to be forgotten. For open banking, the revised Payment Services Directive (PSD2) requires banks to provide access to customer bank account information and payment initiation to third-party providers, provided customers consent to this.

Figure 7: Europe and the implications of GDPR

GDPR data principles (note 1)

–– Lawfulness, fairness and transparency: Data should be processed lawfully, fairly and in a transparent manner in relation to individuals
–– Purpose limitation: Data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
–– Data minimization: Data processing should be adequate, relevant and limited to what is necessary
–– Accuracy: Data should be accurate and, where necessary, kept up to date
–– Storage limitation: Data should be kept in a form that permits identification of data subjects for no longer than is necessary
–– Integrity and confidentiality: Data should be processed in a manner that ensures appropriate security for personal information
–– Accountability: The controller should be responsible for, and be able to demonstrate compliance with, the principles above

Key implications of GDPR

1. Increased territorial scope as GDPR applies to all companies that process data on EU residents
2. Stricter penalties requiring compliance, with revenue-based fines (≤ 4% of annual global turnover or €20 million), broad supervisory powers and greater risk of private claims
3. Strengthened consent conditions requiring clear and accessible forms, as well as greater ease to withdraw consent
4. Wider data scope as “personal data” and “special categories” of personal data (sensitive personal data) defined more broadly
5. Expanded rights of data subjects, including the right to have data erased and the right to have data transferred to another controller (data portability)
6. Privacy by design/default, such that privacy might be considered throughout the product development process, and that companies default to strict privacy settings
7. Appointment of data protection officers who must adhere to internal record-keeping requirements
8. Regulation of suppliers (data processors) and controllers
9. Mandatory notification of data breaches
10. Higher bar for lawful processing of data
11. Increased accountability measures

Note 1: General Data Protection Regulation (GDPR), Article 5: Principles relating to processing of personal data.
Sources: European Union Agency for Fundamental Rights (2017); Allen & Overy (2018); DLA Piper (2017); Accenture, Seizing the Opportunities Unlocked
by the EU’s Revised Payment Services Directive PSD2 (2016); Wintermeyer (2017); Bowcott (2017); CitiBank (2017)



Americas

Sector-specific legislation in the Americas, and particularly the United States, regulates the use of personal data within industries (Figure 8). On a federal level, the Gramm-Leach-Bliley Act applies to financial institutions and to businesses that provide financial products and services. In terms of enforcement, the Federal Trade Commission (FTC) promotes consumer protection of personal data and can investigate and address a company’s failure to comply with their own privacy practices. It is important to note, however, that despite these regulations, the United States does not have a comprehensive national data privacy or use policy. In light of this, states are independently developing legislation. In mid-2018, California passed the California Consumer Privacy Act of 2018, changing requirements for how businesses in the state handle data and setting a precedent for other states’ consideration.

Figure 8: US federal legislation on customer data

Financial institutions
• Gramm-Leach-Bliley Act enacted in 1999
• Dodd-Frank Act, Section 1033, requires financial institutions to provide customers with copies of data about them
• CFPB has issued principles on financial data sharing and aggregation
• Several FTC rules regulate protection and disposal of financial data

Credit reporting
• Fair Credit Reporting Act
• Applies to consumer reporting agencies
• Aims to protect consumers from inaccurate information on credit reports

Healthcare
• Health Insurance Portability and Accountability Act and associated rules
• Applies to all entities that handle protected health information
• Regulates the collection, use and protection of PHI

Internet service providers
• April 2017 repeal of FCC’s privacy rule for broadband ISPs
• FCC privacy rule included browsing history and app usage as sensitive data and detailed customer consent requirements
• Repeal of regulation enables ISPs to sell data without customer consent

Minors
• Children’s Online Privacy Protection Act applies to websites collecting data on children under 13 years of age
• Regulates privacy policies, obtainment of consent and website operator’s responsibility to protect children’s privacy and online safety

Notes: CFPB = Consumer Financial Protection Bureau; FTC = Federal Trade Commission; FCC = Federal Communications Commission; ISP = internet
service provider; PHI = protected health information.
Sources: Jolly (2017); King and Raja (2013); Raul (2016)

Data-driven products and practices could be a powerful force for financial inclusion and
efficiency, but they will only be used if they achieve consumers’ trust. Financial service providers
need to demonstrate that data is being collected, stored and used in a way that aligns with their
customers’ interests – regardless of where the data comes from.

Greg Medcraft, Director, Financial and Enterprise Affairs, Organisation for Economic Co-operation and Development (OECD), Paris



Asia-Pacific

Asia-Pacific countries have increasingly focused on strengthening data protection (Figure 9) while enabling economic growth. Although some ongoing efforts seek to harmonize data protection regulation in the region, varying political agendas and levels of expertise pose challenges to developing a comprehensive regulatory framework. Key considerations for regulators include whether to align regulations with GDPR, how to balance financial inclusion with the need to protect sensitive data, and the role of government. An example of these ongoing considerations, China’s recent data protection law taking effect in May 2018 laid out broad principles on personal information protection but left key issues related to scope and implementation unresolved, to be filled in as a further understanding of issues like interoperability is brought to light.

Figure 9: Asia-Pacific regulatory developments

[Map of the Asia-Pacific region. Locations labelled: China; South Korea; Japan; Hong Kong SAR; Taiwan, China; Thailand; Viet Nam; Philippines; Cambodia; Malaysia; Brunei; Singapore; Indonesia; Papua New Guinea; Australia.]

Annotations on the map:
–– A series of laws regulates the use of personal data, such as criminal law, civil law and cybersecurity law
–– The Personal Information Protection Commission supervises enforcement of 2015 reforms to the Act on the Protection of Personal Information
–– The Privacy Commissioner for Personal Data is studying GDPR with the intent to implement similar reforms
–– The National Privacy Commission is monitoring implementation of the first comprehensive data privacy law
–– Data localization measures threaten foreign access to markets
–– The Personal Data Protection Act, with some of the stiffest non-compliance penalties in the region, is enforced by the Personal Data Protection Commission
–– The Open Banking Review was recently released by the Treasury Department

Sources: Hogan Lovells (2017); Raul (2016); DLA Piper (2017); ADMA (2017)

3. Complexity across data type, collection approach and use

The three key dimensions for customer data are data type, data collection approach and data use. They have important implications for questions about the appropriate use of data in financial services, as well as the competitive advantage associated with data.

Data type: Historically, customer data included paper-based records (Figure 10) that served a single purpose and changed slowly over months and years. Sensitive personal data, such as a person’s social security number or bank statements, were relatively easy to define and protect. Customer data currently includes real-time electronic data with few industry barriers. Data aggregators can collect data from numerous sources to create customer profiles, or to predict data that could be considered sensitive, such as a person’s financial or health status, or biometric information.

Data collection approach: Customer data can be volunteered by customers, observed from customer behaviour, inferred by companies or obtained from third parties. For example, a customer with a mortgage from a bank would provide volunteered data in the application form, such as their demographic data and income. The customer’s loan payment history would be considered observed data, while data from the bank’s underwriting models on the size of the loan they qualify for would be inferred data. The bank could also seek out observed or inferred data from third parties, such as the customer’s credit score (Figure 11).

Figure 10: Traditional and emerging types of customer data

Data type | Traditional forms | Emerging forms
Identity | Public records, tax filings | Fingerprints, photographs, iris scans, digital IDs
Health | Medical records, insurance claims | Fitness tracking, sleep/eating habits
Financial | Bank statements, credit scores | Peer-to-peer payments, online budgeting
Social | Organization registries | Social media connections and activities
Location | Telephone books | Geolocation tracking
Media behaviour | Library checkout histories | Web browsing activities, content streaming

Source: World Economic Forum and Oliver Wyman



Figure 11: Data collection approaches

Collection approach | Definition | Examples
Volunteered data | Explicitly provided by customer | Demographic data, self-reported income
Observed data | Created through customer activity | Transaction history, web browsing history
Inferred data | Proprietary forecasts using other data types | Underwriting output, customer profiles
Third-party data | Purchased by institution | FICO credit score, background check

Note: FICO refers to the Fair Isaac Corporation, which created the credit score.
Source: World Economic Forum and Oliver Wyman

Data use: Customer data can be used for a variety of purposes, including core business processes, improving products or services, risk management and marketing, or can be shared with third parties. The same data can sometimes be used for multiple purposes – for example, leveraging existing transaction data to develop new products or target new customers through marketing. Selling or transferring data to third parties can also occur for multiple purposes, either because the data are needed to operate the third party or to monetize the data’s value. Finally, some data uses are also mandated by law, such as anti-financial-crime reporting requirements.

As businesses and governments design data governance frameworks, some data types, collection approaches and uses may require stricter oversight. For example, financial or health data may be more sensitive than publicly available social media data. Similarly, selling data to a third party may require more oversight than data use tied closely to the function of a product or service, or that is required by law. Finally, data that a company infers or observes about its customers may require different considerations compared to data volunteered by a customer.

Data governance frameworks may also consider the interaction of data types, collection approaches and uses. Companies may choose, for example, to enact strict standards for certain sensitive data types, even if they are volunteered by the customer or used as a core part of a company’s business operations. Figure 12 provides an example of a simplified data governance framework; however, in practice, governments and businesses will likely need to tailor their approaches to the opportunities and risks they face in using customer data.

Figure 12: Illustrative simplified data governance framework (not prescriptive)

[Figure: matrix of data use against data collection approach.
Vertical axis (data use): sell to third parties; facilitate targeted marketing; optimize operations and manage risk; improve a product or a service; conduct core business.
Horizontal axis (data collection approach): volunteered data; observed data; inferred data.
Legend: scale from "requires least strict governance" to "requires most strict governance"; "!" marks sensitive data types requiring strict governance regardless of collection approach or use.]

Source: World Economic Forum stakeholder interviews and Oliver Wyman



4. Global data principles

The development of global principles for financial services is an important first step in harmonizing customer data laws, regulations and practices. Customer data principles are not a substitute for country- or industry-specific guidance; however, principles can provide a framework (Figure 13) to address the challenges described in the previous sections.

Principles can support coordination across the following dimensions:

–– Regional differences in societal and cultural beliefs. Europe’s focus on data as a human right has emphasized privacy and limited data use. In contrast, Asian countries have stressed the economic benefits of customer data, particularly for financial inclusion. A set of global principles is critical to identifying areas of common ground that balance the opportunities and risks in customer data.
–– Regulatory inconsistencies across jurisdictions. More than 120 countries around the world have enacted data protection laws. Global principles can provide a useful tool for businesses and governments, particularly in jurisdictions where regulatory frameworks are still being developed in the wake of Europe’s GDPR regulation, and where regulatory harmonization is a key consideration.
–– Wide-ranging industry practices and customer experiences. Companies use different types of data within and across industries in significantly different ways. Global principles can support developing best practices that benefit both businesses and customers.

Figure 13: Customer data framework

[Cycle diagram centred on "The future of customer data", with four elements:
A. Principles: Societal and cultural beliefs regarding data use and ownership
B. Governance: Standards, regulations, oversight and supervision for data use and ownership
C. Industry structure: Resulting industry structure and practices regarding data use and value capture
D. System: Resulting system-wide data risks and benefits]

Source: World Economic Forum and Oliver Wyman

Principles: Societal and cultural beliefs are an important arbiter of what are considered fair or unfair uses of customer data. Media attention can also spotlight abuses or highlight innovations that are seen as valuable, even if they are not officially allowed under current regulations.
Governance: Characterized by transmission mechanisms for policy-makers and regulators to establish and enforce the rules of the game, this includes standards, regulations, oversight and supervision.
Industry structure: Focusing on how data are used in
practice and how the value of customer data is distributed,
industry structure addresses both customer experience
and the relative strengths and weaknesses of incumbents
and challengers.
System: The resulting system-wide opportunities and risks
from how data are used will ultimately influence societal and
cultural beliefs and restart the cycle.

The economy is reorganizing into a series of distributed peer-to-peer connections across
powerful networks – revolutionizing how people consume, work and communicate. The nature
of commerce is changing. Sales are increasingly taking place online and over platforms, rather
than on the high street. Intangible capital is now more important than physical capital. Data is
the new oil. In the financial sector, these innovations will allow people to manage their finances
seamlessly, from tracking how much they spend, to managing their future savings and current
loans. For the financial sector to be effective in this new economy, it needs to continue to be
resilient, fair and dynamic, while acknowledging the responsibilities that come with employing
this new data. This is best achieved by combining public regulation with private standards that
represent the collective view of best practice and then buttressing them with a series of hard
incentives that foster adoption and adherence.

Mark Carney, Chair of Financial Stability Board; Governor of the Bank of England



Customer data principles need to balance the opportunities and risks concerning customer data in financial services.
Discussions with the Financial Stability, Innovation and Economic Growth (FSIEG) stakeholders have highlighted the
trade-offs associated with the spectrum of five key themes: control, security, personalization, advanced analytics and
portability (Figure 14). In each of these areas, focusing too much on customer protection can limit innovation, preventing
the development of products and services that create value for customers and businesses. However, data misuse can also
pose serious risks, including for customer trust that is needed to support future data-related innovations.
Figure 14: Customer data trade-offs

Control: Should businesses or customers control how customer data are used?
Security: What responsibilities do companies have to secure customer data?
Personalization: Should businesses treat people equally or as individuals?
Advanced analytics: Are safeguards necessary to prevent data from leading to discrimination and exclusion?
Portability: Who should be able to authorize the transfer of customer data between private-sector participants?

Source: World Economic Forum and Oliver Wyman

Control balances the relative abilities of businesses and consumers to use and capture value from data. On the business control side of the spectrum, companies would have the right to use any type of customer data for any purpose. This supports innovation but also poses risks of data misuse. With greater customer control, companies need consent to use different types of customer data for a specific purpose. This increases transparency but also creates frictions that can affect the customer experience.

Security balances the opportunities and risks of holding companies responsible for protecting customer data. On the risk side of the spectrum, companies are considered liable for any data breaches. This incentivizes greater investment in cyberprotection but could make it difficult for new entrants to comply with complex regulations. On the opportunity side, customers are ultimately liable for the implications of data breaches. This places the fewest limits on innovation but also requires significant customer due diligence on which companies are most likely to protect data about them.

Personalization balances the benefits of privacy with the advantages of precise customer profiles. On the anonymity side of the spectrum, customers are each offered the same products and services. This enables a high degree of privacy with limited discrimination against protected classes; however, it may weaken profitability, or even lead companies to exit products or markets where the average customer is not profitable. Greater precision allows for more customized profiles for individual customers. This can benefit customers with attractive risk profiles but it can also prevent high-risk customers from gaining access to services.

Advanced analytics balances the opportunities and risks of new models and statistical approaches. Focusing on risk would require companies to limit the use of models that cannot be explained. This can reduce fraud, data inaccuracies or discrimination based on sensitive characteristics; however, it can also restrict innovation, as well as lead companies to avoid entering markets that have limited customer data or where data quality is questioned. On the other hand, focusing on opportunity would mean placing fewer restrictions on model use. This could increase innovation but it could also lead to a higher risk of data misuse or even business failure if companies are not able to employ successful risk management practices.

Portability balances the benefits of open versus closed data ecosystems. In a closed data regime, companies have full control over whether and how to give customers access to data. This incentivizes curated ecosystems that address a wide range of customer needs but may make switching providers difficult. On the other hand, open data regimes allow customers to download and transfer information, or allow third parties to manage data about them. Open data ecosystems can increase customer choice and reduce switching costs; however, they can also decrease the incentive for companies to invest in their existing data stores.

The Forum-convened stakeholder group has developed a set of global principles for the appropriate use of customer data in financial services. It seeks to balance the trade-offs for each of the five themes. The principles, summarized in Figure 15, are based on interviews and working group meetings with more than 100 stakeholders, including representatives from the Americas, Europe and Asia-Pacific, and from incumbents, fintech companies, governments, academia and law firms. These principles are prioritized according to stakeholder interest and their broad potential for generating trust in the financial services system.

Despite broad consensus on the principles, their implications for customers, governments and businesses were debated. To capture the richness and nuance of these discussions, further details for each of the principles on four important questions are provided, namely:

–– What does the principle mean?
–– What was the range of perspectives on the principle held by the stakeholder group?
–– What conditions are needed for the principle to be effective in practice?
–– What factors may affect how the principle is implemented?

Several brief example cases of how companies are thinking about the application of these principles are also included.

Figure 15: Customer data principles

Control
“Companies should be clear about their use of customer data, attain customer agreement to their customer data policies and, where appropriate, seek consent for specific uses.”
Key conditions:
– Informed consent: Companies need to provide clear and accessible information about how customer data will be used (e.g. terms and conditions).
– Transparency: Customers should be able to view or know the data that are collected about them, how they are used and whether they are shared with a third party.
– Ability to revoke consent: Customers should be able to request that data about them no longer be used by an organization (e.g. the right to be forgotten).
– Legitimate use: Companies may not need to seek consent when using data for legitimate interests (e.g. those required by law).

Security
“Companies should be held responsible and accountable for data security.”
Key conditions:
– Liability: A clear liability framework should be in place that ensures the responsible party is held accountable for data security and for harms caused by breaches of its respective data security duties of care.
– Traceability: Companies need to be able to identify where data were improperly used or accessed in the event of a security breach.

Personalization
“Companies should be able to create individual customer-level profiles that allow them to provide differentiated customer services.”
Key conditions:
– Intervention: Customers should be able to intervene to gain information or limit use of data they control, and companies should respond appropriately.
– Limited use: Where reasonable, a maximum time period that data can be retained by companies should exist, as well as limits on certain sensitive data types or uses.

Advanced analytics
“Companies should be able to comprehensively test, validate and explain their use of data analytics and models to customers.”
Key conditions:
– Justification: Customers should have the right to request why a decision was made (e.g. why the model methodology is appropriate, why the output is justified).
– Challenge: Customers should have the right to correct incorrect or incomplete data about them held by a company.

Portability
“Companies should, where appropriate, allow customers to access, download, transfer and/or permit third parties to manage data about them.”
Key conditions:
– Accessibility: Companies should allow customers to download data about them in machine-readable format or through standardized APIs, depending on the companies' stage of development and jurisdiction.
– Third-party permissions: Accessibility encompasses customers giving third parties permission to download their data.

Source: World Economic Forum and Oliver Wyman



Control
“Companies should be clear about their use of customer data, attain customer agreement to their customer data policies and, where appropriate, seek consent for specific uses.”

What is meant by control?
Control refers to the relative ability of businesses and consumers to use and capture value from data.
Key questions:
- When is consent required to use customer data?
- What is required for informed consent?
- Can customers request to know the data about them held by companies?

What is the range of perspectives about control?
Most subject matter experts moderately favour customer control versus business control over customer data.
Range of perspectives, from Business Control to Customer Control:
- Companies should not need consent to use or share customer data
- Companies should need consent to share customer data with third parties
- Companies should need consent to use customer data for different purposes
- Companies should need consent to use different types of customer data for different purposes

What conditions are required to be effective in practice?
- Informed consent: Companies need to provide clear and accessible information about how customer data will be used (e.g. terms and conditions).
- Transparency: Customers should be able to view or know the data that are collected about them, how they are used and whether they are shared with a third party.
- Ability to revoke consent: Customers should be able to request that data about them no longer be used by an organization (e.g. the right to be forgotten).
- Legitimate use: Companies may not need to seek consent when using data for legitimate interests (e.g. those required by law).

What factors may affect how control is implemented?
- Data type: Identity, financial and health data are seen as requiring stronger customer control than publicly available data (e.g. social media data).
- Data collection: Inferred data are viewed as the intellectual property of companies, while customers are seen to retain control over volunteered and observed data.
- Data use: Companies should be able to use data for core products and services; however, explicit consent is considered necessary for sharing data with third parties.

Security
“Companies should be held responsible and accountable for data security.”

What is meant by security?
Security refers to how data security responsibility is balanced between customers and companies.
Key questions:
- What responsibilities do companies have to secure customer data?

What is the range of perspectives about security?
Most subject matter experts perceive security as a risk rather than an opportunity.
Range of perspectives, from Risk to Opportunity:
- Companies should be considered responsible for data security and liable for any breaches
- Companies should follow best practices on data security
- Companies should make a reasonable effort to ensure data security beyond legal requirements
- Companies should not be considered responsible for data security beyond legal requirements

What conditions are required to be effective in practice?
- Liability: A clear liability framework should be in place that ensures the responsible party is held accountable for data security and for harms caused by breaches of its respective data security duties of care.
- Traceability: Companies need to be able to identify where data were improperly used or accessed in the event of a security breach.

What factors may affect how security is implemented?
- Data type: Certain types of data, particularly identity, financial and health data, are seen as more important to protect compared to anonymized data.
- Data collection: This is seen as less relevant, excluding how it may be connected to data type.
- Data use: Sharing data may require additional protections, particularly since it involves balancing liability between additional parties.



Personalization
“Companies should be able to create individual customer-level profiles that allow them to provide differentiated customer services.”

What is meant by personalization?
Personalization refers to whether companies can provide differentiated services to customers.
Key questions:
- Should businesses treat people equally or as individuals?
- To what extent should companies incorporate customer preferences for data use?

What is the range of perspectives about personalization?
While personalization is actively debated, most subject matter experts lean towards precision versus anonymity.
Range of perspectives, from Anonymity to Precision:
- Companies should treat all customers the same
- Companies should be able to create broad customer segments
- Companies should be able to create narrow customer segments
- Companies should be able to create individual customer-level profiles

What conditions are required to be effective in practice?
- Intervention: Customers should be able to intervene to gain information or limit the use of data they control, and companies should respond appropriately.
- Limited use: Where reasonable, a maximum time period that data can be retained by companies should exist, as well as limits on certain sensitive data types or uses.

What factors may affect how personalization is implemented?
- Data type: Certain types of data may be too sensitive to use – for example, individual characteristics that cannot be changed (e.g. DNA, gender, race).
- Data collection: Consent is seen as necessary before using data obtained from third parties.
- Data use: Debate continues about whether there should be limitations for specific data uses, or if societal checks should be made on outcomes (e.g. requiring basic provision of services for all customers).

Advanced
analytics “Companies should be able to comprehensively test, validate and explain
their use of data analytics and models to customers.”

What is meant by advanced analytics?
Advanced analytics refers to whether safeguards are needed to use new models and statistical approaches.
Key questions:
- Are safeguards necessary to prevent data from leading to discrimination and exclusion?
- Should customers have the right to correct or update data about them?

What is the range of perspectives about advanced analytics?
While advanced analytics is actively debated, most subject matter experts moderately prefer risk to opportunity.
Range of perspectives, between opportunity and risk:
Companies should not be allowed to use models that cannot be explained
Companies should test and defend the use of models that cannot be explained
Companies should comprehensively test models that cannot be explained
Companies should not face restrictions on the models they use

What conditions are required to be effective in practice?
- Justification: Customers should have the right to request why a decision was made (e.g. why the model methodology is appropriate, why the output is justified).
- Challenge: Customers should have the right to correct incorrect or incomplete data about them held by a company.

What factors may affect how advanced analytics is implemented?
- Data type: Advanced approaches may unintentionally incorporate proxies for sensitive data, such as gender or race, which may be prohibited in certain jurisdictions.
- Data collection: Models using large amounts of highly granular observed data could pose privacy concerns.
- Data use: Debate continues on whether there should be limitations for specific data uses, or if societal checks should be made on outcomes (e.g. requiring basic provision of services for all customers).



Portability
“Companies should, where appropriate, allow customers to access, download, transfer and/or permit third parties to manage data about them.”

What is meant by portability?
Portability refers to the ability of customers to transfer data about them between private-sector participants.
Key questions:
- Who should be able to authorize the transfer of customer data between private-sector participants?
- Do data formatting standards need to be created?

What is the range of perspectives about portability?
Most subject matter experts lean towards the concept of open data versus closed data for portability.
Range of perspectives, from closed data to open data:
Companies should decide whether to give customers access to data about them
Customers should be able to download data about them
Customers should be able to download or transfer data about them
Customers should be able to download, transfer and allow third parties to manage data about them

What conditions are required to be effective in practice?
- Accessibility: Companies should allow customers to download data about them in machine-readable format or through standardized APIs, depending on the companies' stage of development and jurisdiction.
- Third-party permissions: Accessibility encompasses customers giving third parties permission to download their data.

What factors may affect how portability is implemented?
- Data type: Identity and demographic data are seen as priorities for data portability, followed by financial data.
- Data collection: Inferred data are seen as the intellectual property of companies and should not be portable. While volunteered data provided by the customer should be portable, less consensus exists on observed data.
- Data use: Portability is seen as most appropriate for data used for core products and services, or data that are already outsourced to third parties.

Source: World Economic Forum and Oliver Wyman

Example case: Deterring financial crime through data sharing


In a hypothetical case study, fictitious “Mundus Bank” can be used. In this scenario, a Mundus Suspicious Activity
Alert is triggered related to an account in Singapore. An investigation is launched, which identifies related trade and
transaction flows that include a Singapore account receiving funds via the United Kingdom from Latin America. The
payments were for textiles, imported from China to Paraguay. The enquiry also finds that a Mundus account in Dubai
sent funds to a second Mundus account in Singapore. The payments were for goods imported to Hong Kong from the
United Arab Emirates (UAE). Following the flow of funds, Mundus Bank identifies transactions involving many different
jurisdictions. Finally, a parallel investigation is opened by Mundus Turkey that also identifies suspicious activity linked to
the Hong Kong account.
In this scenario, Singapore has the most complete view of the potential criminal network, but even there the view is
incomplete: data-sharing restrictions in Turkey mean that Singapore has no visibility of Mundus Turkey’s investigation.
Other jurisdictions have a far less complete view. The UAE will only see the transactions that flow through the UAE
account, and Hong Kong’s view is similarly restricted. Authorities in Australia, Canada, Mexico, New Zealand, Turkey
and the United Kingdom would see nothing. Each Mundus country office must comply with local data-sharing
regulations, which prevents Mundus Bank from establishing a complete picture of a client’s global footprint. Mundus
Bank may not discuss identified financial crime risk in non-Mundus accounts with the banks where additional accounts
are held. This hinders it from finding and following critical illicit financial paths in a large network.
Law enforcement and financial institutions have achieved notable successes against illicit finance within individual
jurisdictions, despite the considerable barriers to information sharing and collaboration. Increased information sharing
would enable banks to better meet the challenge of international illicit finance, while respecting client confidentiality and
supporting the growth of international trade.
Rakshit Kapoor, Group Chief Data Officer, HSBC, United Kingdom



Example case: Enabling better customization of product offerings and accelerating underwriting through improved data portability
Data portability in banking provides a complete and almost instantaneous set of customer data in a digital format. It
creates a wide range of business opportunities for My Money Bank (MMB), a medium-sized French bank specialized in
lending to individuals and SMEs.
Two particular areas stand out:
1. Accelerating the underwriting process by enabling significant process automation and more innovative credit scoring
2. Enabling better customization of product offerings to specific customer contexts and improving cross-selling
Thanks to data portability, MMB will have immediate access to many more customer behavioural indicators (income,
spending trends, etc.), in particular through current account statements over a long period of time. Detailed information,
i.e. each cash inflow or outflow, is to be clearly identified and classified. Specific behavioural patterns can then be
identified from the account activity, leading to new credit scores for the account holder. From these patterns, MMB will
gain a much deeper understanding of the customer profile – especially in terms of affordability – and subsequently can
provide the customer with a tailored credit proposal.
Accessing customer activity has recently become easier in France thanks to the wider popularity of account
aggregation services. Next year, PSD2 (the upcoming European payment directive) will enable financial and non-
financial institutions to access the banking activity of retail customers who agree to it. The directive will regulate how
the exchange of such data will take place, along preset APIs (interfaces). This will unleash the much wider use of
transaction data, beyond the closed realm of the traditional universal banks that hold these accounts.
Three key challenges remain for MMB to achieve such opportunities:
1. Capture and monitor customers’ consent over their personal data usage, especially since MMB does not hold
customers’ primary current bank account
2. Adapt the platform to increase flexibility in quickly connecting to diverse third-party customer data sources
3. Develop more advanced capabilities around data analytics and pattern modelling, i.e. far beyond traditional credit
and customer relationship management scorecards
Jean-Pierre Nelissen, Chief Information Officer, My Money Bank, France
Philippe Martinie, Chief Risk Officer, My Money Bank, France

Example case: Underwriting fraud prevention with machine learning


As the price of auto insurance differs from place to place due to risk assessments, people may try to lower their
insurance premium by providing false information about their address. This behaviour, however, when the risks are
not properly assessed and distributed, results in significant losses for insurance companies and higher prices for
customers overall. To cope with these issues, a machine learning solution used in predictive underwriting can support
the insurance company by identifying incoming customers at risk of such behaviours in real time. This risk is reflected
by a personalized anti-fraud underwriting score. The solution offers controlled levels of fraud, better combined ratios
and, in turn, fairer costs for customers.
In cases of automated individual decision-making, including profiling, a privacy impact assessment and the
implementation of suitable measures to safeguard the data subject’s rights and freedoms (at least the right to obtain
human intervention) are important to ensure an adequate level of data protection. In addition, transparency – providing
the customer meaningful information about the profiling and its consequences – is essential and promotes customers’
trust in new, personalized insurance products.
Philipp Raether, Group Chief Data Protection Officer, Allianz, Germany



5. Practical government regulation and industry implementation

The principles identified by FSIEG stakeholders demonstrate a relatively high degree of consensus on the appropriate use of customer data in financial services. While stakeholders are still debating several principles, such as personalization and advanced analytics, they provide an important starting point for comparing against existing regulations and industry practices.

The principles suggest a series of next steps for governments, incumbents and challengers faced with practical issues of regulation and implementation. By becoming more aligned with the principles, these stakeholders can better manage the trade-offs of appropriate data use and can address key data-related challenges while maintaining customer trust and economic stability. This alignment is especially important in regions where data frameworks are still under development.

The next steps are organized around key objectives (Figure 16) and examples of action steps for each stakeholder group. Stakeholder interviews and working groups helped to prioritize key objectives for each stakeholder group to take advantage of the opportunities in customer data while mitigating the risks. From there, action steps, which will need to be tailored depending on the region, have been identified for stakeholders to achieve quick wins and thus create a foundation for success. Finally, a brief description is included of the objective’s current state, especially related to each region.

Figure 16: Customer data stakeholder objectives

Principles: Control, Personalization, Advanced analytics, Security, Portability

Governments
- Enable global coordination on principles for the appropriate use of customer data
- Establish legal and regulatory safeguards that balance customer data oversight and innovation
- Ensure supervisors have the tools and expertise to provide effective oversight of customer data
- Develop customer data critical infrastructure and associated standards and protocols

Incumbents
- Strengthen trust with customers and regulators on the use of customer data
- Deepen customer relationships by focusing on long-term data stewardship over short-term commercial incentives
- Collaborate with other incumbents and challengers to demonstrate industry leadership on customer data

Challengers
- Meet or exceed expectations from customers and regulators to provide financial products and services
- Protect customer data while maximizing growth and value creation
- Manage risks associated with using new types of customer data or analytics

Source: World Economic Forum and Oliver Wyman



The expected effect of GDPR on growth and innovation
A European view on data

Finance has long been an activity built on information, with no physical goods exchanged
in most transactions. Unsurprisingly, protecting personal data from fraud or misuse is at the
core of banking because it must safeguard customers’ financial assets.
The digitization of finance has triggered an evolution towards a true data-driven activity, in
which data are not a liability but a source of value for customers. On the one hand, big data
analytics is a means to improve processes in the never-ending quest for efficiency, which in
turn results in more affordable financial services. On the other, most importantly, data open
the door to better understanding customers’ true needs and to helping them make better
financial decisions.
In Europe, data privacy is considered an individual right that is now reinforced under
the GDPR. Critics argue that the GDPR burdens innovation, because it sets such a high
standard for data storage, transmission and processing that it increases barriers to entry
significantly. Some of the short-term trade-offs in adopting such a demanding regulation
are clear. However, achieving economic growth or delivering more innovative solutions to
clients should not be at odds with respecting the fundamental right to privacy. The aim must
be to achieve both.
We live in a time in which technology enables third parties with access to our data to
“discover” our most intimate preferences or beliefs, not to mention our purchase decisions.
Privacy is the ultimate guarantee that the ongoing digitization of our lives will still leave
individuals in control.
Greater social welfare will be achieved if the right balance is found between protecting
individual rights and stimulating friction-free access to and use of data. If the exchange of
data for better services is to be a repeating win-win game, it is necessary to ensure that
short-term gains do not generate new long-term risks or a general loss of trust between
financial intermediaries and their customers.
The GDPR sets a high standard for any company operating in Europe. Though not yet a
global standard, it has forced companies and governments around the globe to reflect on
the kind of protection individuals deserve. European regulation might be cumbersome in
the short term, but it will better prepare firms for a future in which data privacy will be an
increasing concern for individuals.
Carlos Torres Vila, Chief Executive Officer, Banco Bilbao Vizcaya Argentaria, Spain



Governments

Objectives
1. Enable global coordination on principles for the appropriate use of customer data
2. Establish appropriate legal and regulatory safeguards that balance customer data oversight and innovation
3. Ensure supervisors have the tools and expertise to provide effective oversight of customer data
4. Develop customer data critical infrastructure and associated standards and protocols

Examples of action steps
- Create a customer data bill of rights defining what companies need to tell customers about how they collect, share and use different types of data (e.g. volunteered, observed, inferred)
- Propose testing guidelines and a dispute resolution framework for approaches using advanced analytics
- Develop a data liability framework that ensures the responsible party is held liable for any data breaches
- Develop API standards for open banking that leverage feedback from industry and align with global practices

Global principles

More than 120 data protection laws exist around the world, with varying objectives and enforcement mechanisms. Given different economic and cultural contexts, data regulations can be expected to differ across countries and regions. However, fragmented regulations, particularly for security, impose significant costs, including organizational inefficiency, uncertainty about jurisdictional oversight and uneven participation in global data flows.

Adopting global customer data principles can help harmonize regulations and support data-fuelled innovation and economic growth. Governments can identify and address regulatory gaps and inconsistencies concerning customer data through common principles. Collaboration and consultation with private-sector participants on principles can make it easier for companies to operate globally and for customers to benefit from cross-border goods and services.

Status: Some convergence has occurred on shared data principles, particularly within Europe. In the United States, the Consumer Financial Protection Bureau has released separate principles focused on consumer-authorized financial data sharing and aggregation. In Asia-Pacific, country-specific principles have been developed in China and Singapore. Further, intergovernmental organizations, such as the Organisation for Economic Co-operation and Development, have issued principles focused on privacy as it relates to customer data.

Next steps: As reflected in meetings with international stakeholders, additional work is needed to develop a more specific understanding of idiosyncrasies related to the use of customer data across regions. This is particularly true for Europe, the Americas and Asia-Pacific as these regions work to develop their own frameworks, and as existing frameworks like the GDPR evolve over time. For emerging markets (e.g. parts of Asia, Africa and the Americas), understanding the costs and benefits of customer data protections will be especially important considering resource limitations and the potential trade-offs regarding economic growth and innovation.

Customer safeguards

Government consumer protection efforts have not kept pace with the growing use of customer data. While consumers have limited awareness of how data about them is used, most believe that providing personal data is part of modern life, and they are willing to share data if they believe there is a fair value exchange. For example, most consumers want companies to use data about them to prevent adverse actions, such as overdraft fees. However, few consumers are willing to allow financial institutions to sell data about them to third parties without additional benefits.

Legal and regulatory safeguards should balance customer data oversight and innovation. This may include focusing on several of the conditions highlighted in the section on principles, including informed consent, transparency, the ability to revoke consent, and legitimate use, which help customers understand and control how data about them is collected, used and shared.

Status: The GDPR has created a comprehensive framework for consumer protection in Europe. In the United States, several federal bills have been proposed following the Facebook congressional hearing, although it is unclear if they will be adopted (note that California has passed state-wide legislation). In Asia-Pacific, some companies have begun to face a customer and regulatory backlash for their data collection and sharing practices; however, most customer protection efforts are in the early stages of development.

Next steps: Governments around the world will need to continue debating and refining approaches to customer safeguards. This could include developing a data “bill of rights” to protect customers, or a data liability framework to ensure responsible parties are held liable for harm caused by data breaches. Additionally, numerous outstanding questions regarding customer protection must be discussed further, such as how stakeholders should approach the distinction between revoking consent for collection of new data and revoking consent for all data ever collected. Lastly, governments will need to continue refining enforcement strategies pertaining to customer data regulations.



Supervisory expertise

Most supervisors have limited experience dealing with customer data. Compared to existing risks, such as market, credit or conduct risk, supervisors may have less knowledge of the underlying technologies related to customer data or of the methodologies used for risk assessment. In addition, the organizational structure of most supervisory bodies is focused on incumbent financial institutions. As new challengers seek to provide financial products and services, supervisors must work with a wider range of firms – from small fintech firms to large technology companies – that may be subject to multiple types of oversight.

New tools and expertise can allow supervisors to provide effective oversight of customer data. Recruitment and training efforts can be expanded, as well as knowledge-sharing efforts within and across regulatory agencies. In addition, governments can also consider using new tools and approaches that leverage public-private partnerships.

Status: Regulators around the world have begun to develop new tools and approaches, from regulatory sandboxes to fintech charters. Recruiting new employees, however, is challenging given the limited number of people with relevant skills and the high demand from the private sector.

Next steps: First, additional debate and discussion is needed to clarify the role of financial service regulators in customer data protection. Second, as regulators work to develop new tools and approaches to ensure the appropriate use of customer data, additional work is required to evaluate the respective costs and benefits, as certain regulations may have large effects on costs but few tangible benefits. Finally, effective enforcement may be costly, particularly given limited supervisory resources, which may encourage expanding public-private partnerships.

Critical infrastructure

The financial services system is interconnected and increasingly reliant on data and technology. The benefits of open banking rely on the ability to easily and securely transfer data between companies. Significant logistical and security challenges, however, can complicate sharing data between two banks (or non-bank intermediaries) in the same country, let alone between different countries or different regions. Other essential elements of the financial system also face notable challenges on cybersecurity.

Customer data critical infrastructure can facilitate economic growth and mitigate the risk of catastrophic system failure. Adopting common standards and protocols for open banking or digital identity infrastructure, and leveraging existing world-class standards, such as the Payment Card Industry Security Standards and those of the International Organization for Standardization, can support private-sector innovation on customer data. Incorporating strong cybersecurity practices into protocols can also help address key security challenges, building trust across the financial system.

Status: In Europe, PSD2 has incentivized progress on standards for open banking. However, further work is needed in the United States, where multiple joint ventures between banks, fintech firms and larger technology companies make standardization more difficult. In Asia, technology platforms often offer a range of financial and non-financial services; however, interoperability can be limited and is likely to become a point of focus.

Next steps: Further regulatory guidance may be needed on how data can be shared (e.g. controlled environments, data anonymization guidance). Adopting common standards and protocols for critical infrastructure will likely support private-sector innovation on customer data. One possibility might be to develop API standards for open banking, leveraging industry’s feedback and aligning with global practices. Geography will play a key role in the success, however, especially given differences across data policies and in underlying infrastructure between the United States and Asia-Pacific.



Incumbents

Objectives
1. Strengthen trust with customers and regulators on the use of customer data by proactively addressing data privacy, security and appropriate use
2. Deepen customer relationships by focusing on long-term data stewardship over short-term commercial incentives
3. Collaborate with other incumbents and challengers to demonstrate industry leadership on customer data

Examples of action steps
- Develop a customer data strategy that articulates a clear value proposition on how customer data can create value for customers
- Define "red lines" for inappropriate uses of customer data, including specific data types, uses and collection approaches
- Establish a dialogue with regulators to identify industry best practices for appropriate uses of customer data

Customer trust

Incumbents want to better leverage customer data but worry about losing the confidence of customers and regulators. As cited in Figure 6, nearly half of customers would lose trust in their bank if it were accused of unethical business practices that did not affect them personally, and over a quarter would consider switching to a new bank. These survey results highlight the inherent value and fragility of trust as an asset in the financial system, and the possible consequences of its loss. In addition, the cost of regulatory fines is expected to increase. For example, the GDPR allows regulators to penalize a company at up to 4% of its global yearly revenue if data are used inappropriately.

Proactively addressing data privacy, security and the appropriate use of data can strengthen trust. Compared to challengers, incumbents often have long-standing relationships with customers and regulators to serve as a starting point for communicating how they plan to use customer data. Data strategies will vary across institutions. In the future, some institutions may decide to market their reputation for privacy, while others may offer highly-specialized financial products for customers willing to share additional personal data. However, it is critical for all actors to be transparent and highly aware of customer and regulatory concerns.

Status: Trust remains a valuable commodity that may be affected by companies’ use of customer data. Compared to challengers, incumbents start with a relatively high level of trust in their use of customer data for financial services.

Next steps: As companies expand their use of customer data, they should remain aware of public perceptions, which can change quickly. Where appropriate, a defined customer data strategy may become useful and could consider efforts to educate customers and improve data literacy.

Data stewardship

Incumbents are facing increasing incentives to commercialize or monetize customer data. In the short term, using such data for marketing purposes, or even selling customer data to third parties, can increase revenue. However, these uses can pose risks to longer-term customer relationships if individuals feel that companies are using data about them to enrich shareholders rather than to create products and services that provide value for customers.

A long-term mindset of data stewardship can deepen customer relationships. Developing a data strategy that clearly articulates appropriate (and inappropriate) uses of data can support a culture where both businesses and customers benefit from the growing use. This culture serves as an important safeguard against the short-term commercial incentives that employees will increasingly face in their day-to-day decisions concerning customer data. To that extent, employees can play a prominent role in a developed data strategy.

Status: Underlying technological capabilities often limit the use of data. Amid additional opportunities to increase revenue through the use of customer data, companies are starting to be mindful of the short- versus long-term value of their existing customer relationships.

Next steps: As systems improve, companies will need to define their own internal governance mechanisms for customer data. These will need to be geographically tailored to customer and regulatory preferences in different jurisdictions. To enhance a culture of data stewardship, companies may also consider offering specialized training for employees on the appropriate use of customer data.



Collaboration
Customer data’s complexity challenges incumbents
to clearly articulate their customer data strategy to
customers and regulators. While incumbents may typically
ask for consent to use customer data, some necessary
exceptions include deterring terrorism financing or money
laundering. Alternatively, for data portability, some limits may
be needed on how much data a customer can download or
transfer to a third party, accounting for possible proprietary
information.
Collaborating more with other incumbents and
challengers can demonstrate industry leadership on
customer data best practices. By developing a realistic
consensus on how principles can be implemented in
practice, incumbents can strengthen trust with customers
and regulators. Effective self-regulation can reduce the
likelihood of costly compliance-focused regulatory efforts.
Increased collaboration can also facilitate joint ventures,
such as shared data utilities or cybersecurity measures that
benefit actors across the financial system.

Status: Incumbents have collaborated on data protection and cybersecurity initiatives, such as Sheltered Harbor in the United States. Significant opportunities exist for incumbents to work together or with challengers to develop best practices on how to use data appropriately; for example, they could leverage prior collaborative work on cyber topics.

Next steps: Incumbents should continue to collaborate to demonstrate industry leadership on customer data and to recognize the many advantages of strengthening trust with customers, reducing the likelihood of compliance-focused efforts and facilitating profitable joint ventures. Challengers can also play a role in collaborating with other industry stakeholders.



Challengers

Objectives
1. Meet or exceed expectations from customers and regulators to provide financial products and services
2. Manage risks associated with using new types of customer data or analytics
3. Protect customer data while maximizing growth and value creation

Examples of action steps
- Enhance terms and conditions and privacy management tools to provide customers with greater control over how data about them are collected, used and shared
- Develop an appeals process that provides customers with a rationale for decisions made using advanced analytics and allows them to correct errors in data about them
- Adopt cybersecurity best practices to build trust and increase opportunities to partner with incumbents

Customer trust
Challengers have both the obstacle and the opportunity
of defining a new financial services value proposition
for customers. While fintech companies start from a
blank slate, larger technology firms face a slightly different
challenge of translating their existing reputations on the use
of customer data to financial services. Both fintech and large
technology firms have an opportunity to convince regulators
of the value they can provide to customers while addressing
the issue that financial services regulation has not always
kept up with technical advances.

Challengers can use their strengths to build trust
with customers and regulators. While customers may
be hesitant to share data about them with an unknown
company, fintech firms can overcome this challenge by
clearly communicating how they will use customer data to
create innovative products and services. Larger technology
firms must clarify whether they will use customer data
differently for their financial products and services than
for their technology products and services. Finally, both
fintech and larger technology firms will need to work with
regulators to adapt existing approaches for new financial
products and services.

Status: Customers have become more cautious following
publicity on recent data breaches but most are still
willing to share data about themselves with companies.
However, a higher degree of trust is often required
for financial data compared with other types of data.
Whether established technology companies or relatively
new fintech firms can develop this trust will be an
important question for the future.

Next steps: Whereas incumbents may need to protect
their existing reputations, challengers can start from
a relatively blank slate. To develop customer trust,
fintech firms may consider developing clear data use
policies, enhancing terms and conditions and privacy
management tools to provide transparency and greater
control to customers on how data about them is
collected, used and shared.

Risk management
Challengers are well positioned to develop new
products and services leveraging advanced analytics
and new forms of customer data. These solutions offer
challengers the opportunity to serve new customers outside
the traditional financial system, as well as to expand service
to customers poorly served by the current system. However,
new products and services may also create business risks
if companies are unable to effectively manage new risks
associated with limitations of alternative data sources or
with changing customer risk profiles.

Challengers need enhanced tools and approaches to
manage risks and create value. In addition to business
risks, challengers should be aware of regulatory risks
associated with advanced analytics and alternative data
sources, such as unintentional discrimination against
protected groups which can also affect customer trust.

Status: A wide range of practices exists on how
challengers use data across fintech and large technology
companies, as well as across regions. As they evaluate
new data sources and models, many firms face
challenges in how to collaborate with other firms without
giving away valuable intellectual property.

Next steps: Given possible business and regulatory risks,
challengers may develop policies targeted to manage
these risks and mitigate their effect on customer trust.
For example, companies may choose to develop an
appeals process that provides customers with a rationale
for decisions made using advanced analytics and allows
them to correct errors in the data about them.

Data security
Challengers face distinct obstacles in protecting
sensitive customer financial data. Smaller fintech firms
often have limited resources to devote to cybersecurity,
while frequent business model changes can lead them to
store larger amounts of customer data that may be useful in
the future. Larger technology companies often have greater
cybersecurity resources but may have less experience with
customer financial data than incumbents.
Customer data security should be considered in the
design of new products and services. Data protection
by design is both less expensive and less difficult
technically than upgrading protections after a data breach.
Increased partnerships between incumbents, fintech
companies and larger technology firms can also clarify
best practices and increase the collective security of the
financial services ecosystem.

Status: Efforts are under way to improve data security
but more are needed as new firms continue to expand
into financial services. The World Economic Forum
has recently launched a cyber-consortium including
incumbents, fintech firms and large technology
companies. The group plans to develop a cybersecurity
assessment for fintech firms and data aggregators,
building on solutions identified in the Forum’s recently
published White Paper “Innovation-Driven Cyber-Risk to
Customer Data in Financial Services”.

Next steps: As new firms expand into financial services,
they will need to act to protect financial services data
and thus ensure customer trust. Actions may include the
adoption of cybersecurity best practices to build trust
and increase opportunities to partner with incumbents.
Challengers should also consider the data stewardship
implications they share with incumbents.

Conclusion

The opportunities for customer data to create value for
businesses and customers are enormous. Technology-driven
innovation is enabling customized products and
services that can better meet customer needs and that
allow companies to expand to new markets. However, to
fully realize the benefits of customer data, greater consensus
is needed across regions and industries on how data should
be used appropriately.
The first step is to pursue agreement on a broad set of
global principles for the appropriate use of customer
data in financial services. The principles identified by the
FSIEG stakeholder group in discussions with more than
100 stakeholders – namely, those of control, portability,
personalization, advanced analytics and security – offer a
way to balance the opportunities and risks in customer data.
This balance is critical because too much regulation can
stifle innovation, while too little customer protection risks the
misuse of data, fraud, cyberattacks and possibly instability
from loss of trust in financial institutions.
The stakeholder group has also identified a series
of considerations by governments, incumbents and
challengers facing the hurdles of practical regulation
and implementation. By moving into greater alignment with
the principles, these stakeholders can address important
challenges, such as how to harmonize customer data
regulations, share best practices and strengthen trust
with customers. Managing these challenges is essential
to take advantage of the opportunities for customer data
and, ultimately, to balance financial stability, innovation and
economic growth.

References
Accenture, 2016. Building digital trust: The role of data ethics in the digital age
Accenture, 2016. Seizing the Opportunities Unlocked by the EU’s Revised Payment Services Directive PSD2: A Catalyst for
New Growth Strategies in Payments and Digital Banking
Allen & Overy, 2018. Preparing for the General Data Protection Regulation
Association for Data-driven Marketing and Advertising (ADMA), 2017. World of Privacy
Bellman, S.; Johnson, E.; Kobrin, S. and Lohse, G., 2004. “International Differences in Information Privacy Concerns: A Global
Survey of Consumers”, The Information Society, Columbia Business School
Bowcott, O., 2017. “UK counter-terror laws most Orwellian in Europe, says Amnesty”, The Guardian, 17 January
Cary, C.; Wen, J. and Mahatanankoon, P., 2003. “Data mining: Consumer privacy, ethical policy, and systems development
practices”, Human Systems Management, vol. 22, no. 4, pp. 157-168
CIPP Guide, 2010. “Comparing the Co-Regulatory Model, Comprehensive Laws and the Sectoral Approach”
CitiBank, 2017. ePrivacy and Data Protection: Who Watches the Watchers? – How Regulation Could Alter The Path of
Innovation, Citi GPS: Global Perspectives & Solutions
Cooper, T. and LaSalle, R., 2016. Guarding and growing personal data value, Accenture
Corey, N., 2017. Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost?, Information Technology &
Innovation Foundation
DLA Piper, 2017. Data protection laws of the world: Full handbook
European Commission, 2015. “Special Eurobarometer 431: Data protection”, Survey of European consumers and report
European Union Agency for Fundamental Rights, 2017. GDPR text, information society, privacy and data protection
Forrester, 2016. Oliver Forrester’s 2016 Data Privacy Heatmap
Hogan Lovells, 2017. Asia Pacific Data Protection and Cyber Security Guide 2017: Shifting landscapes across the Asia-
Pacific region
Ivell, T.; Wilkinson, B. and Helps, B., 2017. Future Proofing Privacy: GDPR Compliance in a Networked Banking System,
Oliver Wyman
Jolly, I., 2017. “Data protection in the United States: overview”, Thomson Reuters Practical Law
King, N.J. and Raja, V.T., 2013. “What Do They Really Know About Me in the Cloud? A Comparative Law Perspective on
Protecting Privacy and Security of Sensitive Consumer Data”, American Business Law Journal, vol. 50, issue 2, pp. 413-482
KPMG, 2017. Crossing the line: Staying on the right side of consumer privacy
Kshetri, N., 2014. “Big data’s impact on privacy, security and consumer welfare”, Telecommunications Policy, vol. 38, issue
11, pp. 1134-1145
Madden, M. and Rainie, L., 2015. American’s Views About Data Collection and Security, Pew Research Center
Milberg, S.; Burke, S.; Smith, H. and Kallman, E., 1995. “Values, personal information privacy, and regulatory approaches”,
Communications of the ACM, vol. 38, issue 12, pp. 65-74
Morey, T.; Forbath, T. and Schoop, A., 2015. “Customer Data: Designing for Transparency and Trust”, Harvard Business
Review, May
Newman, N. “How Big Data Enables Economic Harm to Consumers, Especially to Low-Income and Other Vulnerable Sectors
of the Population”, adapted from Newman, N., 2014. “The Costs of Lost Privacy: Consumer Harm and Rising Economic
Inequality in the Age of Google”, William Mitchell Law Review, vol. 40, issue 2
Quint, M. and Rogers, D., 2015. What Is the Future of Data Sharing? Consumer Mindsets and the Power of Brands, Research
report, Columbia Business School and Aimia
Raul, A. (ed.), 2016. The Privacy, Data Protection and Cybersecurity Law Review, Third Edition, Law Business Research Ltd
Reinsel, D.; Gantz, J. and Rydning, J., 2017. Data Age 2025: The Evolution of Data to Life-Critical (Don’t Focus on Big Data;
Focus on the Data That’s Big), White Paper, International Data Corporation (IDC)
Rieke, A.; Yu, H.; Robinson, D. and von Hoboken, J., 2016. Data Brokers in an Open Society, Upturn/published by Open
Society Foundation
United Nations Conference on Trade and Development, 2016. Data protection regulations and international data flows:
Implications for trade and development
Wintermeyer, L., 2017. “Open banking contagion in the UK”, Forbes, 7 April
World Economic Forum, 2012. Rethinking Personal Data: Strengthening Trust
World Economic Forum, 2016. “Internet Fragmentation: An Overview”
World Economic Forum, 2017. “Balancing Financial Stability, Innovation, and Economic Growth”
The Appropriate Use of Customer Data in Financial Services 31
Acknowledgements
Stewards of the System Initiative on Shaping the Future of Financial and
Monetary Systems
The project team offers its special gratitude to the Stewards of the System Initiative on Shaping the Future of Financial and
Monetary Systems for their oversight of the Balancing Financial Stability, Innovation and Economic Growth initiative.
Stewards
Oliver Bäte, Chief Executive Officer, Allianz, Germany
Eric Jing, Chief Executive Officer, Ant Financial Services Group, People’s Republic of China
Carlos Torres Vila, Chief Executive Officer, Banco Bilbao Vizcaya Argentaria (BBVA), Spain
Ana Botín, Group Executive Chairman, Banco Santander, Spain
Brian T. Moynihan, Chairman and Chief Executive Officer, Bank of America Corporation, USA
Stephen S. Poloz, Governor of the Bank of Canada
Mark Carney, Governor of the Bank of England
Haruhiko Kuroda, Governor of the Bank of Japan
Laurence D. Fink, Chairman and Chief Executive Officer, BlackRock, USA
Patrick Njoroge, Governor of the Central Bank of Kenya
Elvira Nabiullina, Governor of the Central Bank of the Russian Federation
Mauricio Cardenas, Minister of Finance and Public Credit of Colombia
Tidjane Thiam, Chief Executive Officer, Credit Suisse, Switzerland
Michael C. Bodson, President and Chief Executive Officer, Depository Trust & Clearing Corporation (DTCC), USA
John Flint, Chief Executive Officer, HSBC Holdings, United Kingdom
Ralph Hamers, Chief Executive Officer, ING Group, Netherlands
Liu Mingkang, BCT Distinguished Research Fellow, Institute of Global Economics and Finance, Chinese University of Hong
Kong, Hong Kong SAR
David Lipton, First Deputy Managing Director, International Monetary Fund (IMF), Washington DC
Daniel Glaser, President and Chief Executive Officer, Marsh & McLennan Companies, USA
Ajay S. Banga, President and Chief Executive Officer, Mastercard, USA
José Antonio González Anaya, Secretary of Finance and Public Credit of Mexico
John Rwangombwa, Governor of the National Bank of Rwanda
Min Zhu, Chairman, National Institute of Financial Research, People’s Republic of China
Dan Schulman, President and Chief Executive Officer, PayPal, USA
José Viñals, Chairman, Standard Chartered Bank, United Kingdom
Makoto Takashima, President and Chief Executive Officer, Sumitomo Mitsui Banking Corporation, Japan
Axel A. Weber, Chairman of the Board of Directors, UBS, Switzerland
H.M. Queen Máxima of the Netherlands, United Nations Secretary-General’s Special Advocate for Inclusive Finance for
Development (UNSGSA), New York
Alfred F. Kelly, Chief Executive Officer, Visa, USA
Joaquim Levy, Chief Financial Officer, World Bank Group, Washington DC

Steering Committee
The project team thanks the members of the multistakeholder Steering Committee for their leadership of the Balancing
Financial Stability, Innovation and Economic Growth initiative.
Members
Stefano Aversa, Global Vice-Chairman and Chairman, Europe, Middle East and Africa, AlixPartners, United Kingdom
Sanjiv Bajaj, Managing Director, Bajaj Finserv, India
Thong Nguyen, President, Retail Banking; Co-Head, Consumer Banking, Bank of America, USA
Kevin Lynch, Vice-Chairman, BMO Financial Group, Canada
Barbara Novick, Vice-Chairman, BlackRock, USA
Bertrand Badré, Chief Executive Officer, BlueOrange Capital, USA
Ashish Gupta, President, United Kingdom; President, Global Banking and Financial Services, BT, United Kingdom
Elvira Nabiullina, Governor of the Central Bank of the Russian Federation
Malcolm Sweeting, Senior Partner, Clifford Chance, United Kingdom
Benoît Coeuré, Member of the Executive Board, European Central Bank, Frankfurt

Domingo Sugranyes Bickel, Chairman, Fondazione Centesimus Annus Pro Pontifice, Vatican City State
Matthew Gamser, Chief Executive Officer, Small and Medium Enterprise Finance Forum, International Finance Corporation
(IFC), Washington DC
Paul Andrews, Secretary-General, International Organization of Securities Commissions (IOSCO), Australia
Richard Eldridge, Chief Executive Officer, Lenddo, Singapore
Jeff Stewart, Founder and Chairman, Lenddo, Hong Kong SAR
Erik Berglöf, Professor and Director, Institute for Global Affairs, London School of Economics and Political Science, United
Kingdom
Kush Saxena, Chief Technology Officer, Markets and Transformation, Mastercard, USA
Alain Demarolle, Chairman, My Money Bank, France
Greg Medcraft, Director, Organisation for Economic Co-operation and Development (OECD), Paris
Jonathan Auerbach, Executive Vice-President, Chief Strategy and Growth Officer, PayPal, USA
David McKay, President and Chief Executive Officer, RBC (Royal Bank of Canada), Canada
Mark Hawkins, President and Chief Financial Officer, Salesforce.com, USA
Masahiko Oshima, Director, Member of the Board and Senior Managing Executive Officer, Sumitomo Mitsui Banking
Corporation, Japan
Cecilia Skingsley, Deputy Governor of the Swedish Central Bank (Sveriges Riksbank), Sweden
Thomas Moser, Alternate Member of the Governing Board, Swiss National Bank, Switzerland
Eric Duflos, Director, United Nations Secretary-General’s Special Advocate for Inclusive Finance for Development
(UNSGSA), New York
Michael Budolfsen, President, UNI Europa Finance, UNI Global Union, Switzerland
Randall Kroszner, Norman R. Bobins Professor of Economics, University of Chicago, USA
Ellen Richey, Vice-Chairman and Chief Risk Officer, Visa, USA
Kapil Wadhawan, Chairman, Wadhawan Group, India
Cahit Erdogan, Head, ITC and Operations, Yapi Kredi Bank, Turkey

Data Working Group


The project team also thanks the Data Working Group for its contributions to the Balancing Financial Stability, Innovation
and Economic Growth initiative.
Members
Au Chong Wai, Deputy Group Head Legal, AirAsia, Malaysia
Tao Sun, Senior Economist, Ant Financial Services Group, People’s Republic of China
Long Chen, President, Alibaba Digital Economy Institute, People’s Republic of China
Rosie Thomas, Executive Officer, Australian Securities and Investment Commission (ASIC), Australia
Chloe Youl, Senior Manager, Australian Securities and Investment Commission (ASIC), Australia
Neil Munroe, President, Management Board, Association of Consumer Credit Information Suppliers, Belgium
Rakesh Bhatt, Chief Operating Officer, Bajaj Finance, India
Alvaro Martin Enriquez, Lead Economist, Banco Bilbao Vizcaya Argentaria (BBVA), Hong Kong SAR
Cristina San José Brosa, Chief Data Strategist, Banco Santander, Spain
Ezequiel Szafir, Chief Executive Officer, Openbank, Banco Santander, Spain
Jim Catlin, Analytics and Information Executive, Bank of America, USA
Darcy Bowman, Senior Legal Counsel, Bank of Canada, Canada
David Wu, Chief Strategy Officer, Business Big Data, People’s Republic of China
Kaitlin Asrow, Manager, Center for Financial Services Innovation, USA
Beth Brockland, Director, Center for Financial Services Innovation, USA
Konstantin Trusevich, Consultant, Department of Financial Technology, Central Bank of the Russian Federation,
Russian Federation
Olivier Crespin, Senior Managing Director, Chief Fintech Officer, CIMB Group Holdings, Malaysia
Andres Wolberg-Stok, Global Head of Policy, Citi FinTech, Citi, USA
Paul Landless, Partner, Clifford Chance, Singapore
Lamberto Barbieri, Managing Director, Asia, CRIF, Singapore
Luisa Monti, Director, Regulatory Developments and Innovation Support, CRIF, France
Corey Stone, Senior Advisor, Consumer Financial Protection Bureau, USA
Malte Beyer-Katzenberger, Policy Officer, European Commission/Eurostat, Luxembourg
Tony Hadley, Senior Vice-President, Government Affairs and Public Policy, Experian, USA
Robert Tann, Investment Specialist, Financial Sector, Fondazione Centesimus Annus Pro Pontifice, Vatican City State
Timothy Morey, Vice-President, Innovation Strategy, frog design, USA
Richard Tyson, Principal Strategy Director, Gensler, USA
Simon Burns, Partner, TMT, Gilbert & Tobin, Australia
Michel Cueilhes, Head, Risk and Compliance, GrabPay, Singapore
Rakshit Kapoor, Group Chief Data Officer, HSBC, United Kingdom
Rebecca McCaughrin, Senior Economist, Global Markets, International Monetary Fund (IMF), Washington DC
Sam Taussig, Head, Global Policy and Community Banking, Kabbage, USA
Jaxon Klein, Chief Executive Officer, Co-Founder, Keyo, United Kingdom
Scott Farrell, Partner, King & Wood Mallesons, Australia
JoAnn Stonier, Chief Data Officer, Mastercard, USA
Erika Brown Lee, Senior Vice-President and Assistant General Counsel, Mastercard, USA
Jean Pierre Nelissen, Chief Information Officer, My Money Bank, France
Pranav Seth, Head, E-Business, Business Transformation and Fintech, Oversea-Chinese Banking Corp. (OCBC),
Singapore
Richard Nash, Vice-President, Global Government Relations, PayPal, USA
Tyler Spalding, Senior Manager, Corporate Affairs, PayPal, USA
Kevin Moss, Chief Risk Officer, Social Finance US, USA
Suzan Van De Kerk, Head of Operations, APAC, Swiss Re, Singapore
Christophe Tummers, Managing Director and Head, Data and Analytics, UBS, Switzerland
Thomas Pohl, Managing Director, Group Governmental Affairs, UBS, Switzerland
Jayasri Priyalal, Regional Director, UNI Apro Finance, UNI Global Union, Singapore
Rachel Botsman, Visiting Academic and Lecturer, Said Business School, University of Oxford, United Kingdom
Scott David, Director, Policy, Center for Information Assurance and Cybersecurity, University of Washington, USA
David Symington, Policy Specialist, Office of the United Nations Secretary-General’s Special Advocate for Inclusive
Finance for Development (UNSGSA), New York
Todd Fox, Vice-President, Global Government Relations, Visa, USA
Theodore Waddelow, Director, Strategy and Operations, Global Government Relations, Visa, USA
Bora Uzum, Head, Data Governance, Yapi Kredi Bank, Turkey

Project Team
The development of this White Paper was supported by the project team:
Members
Matthew Blake, Head of the System Initiative on Shaping the Future of Financial and Monetary Systems, Member of the
Executive Committee, World Economic Forum LLC
Kai Keller, Project Lead, Balancing Financial Stability, Innovation and Economic Growth Initiative, World Economic Forum LLC
Ted Moynihan, Managing Partner and Global Head, Financial Services, Oliver Wyman (MMC), United Kingdom
Douglas Elliott, Partner, Financial Services, Oliver Wyman (MMC), USA
Alina Lantsberg, Partner, Financial Services, Oliver Wyman (MMC), USA
Alison Flint, Associate, Financial Services, Oliver Wyman (MMC), USA
Ryan Singel, Associate, Financial Services, Oliver Wyman (MMC), USA

The World Economic Forum, committed to improving the state of the world, is the International Organization for Public-Private Cooperation.

The Forum engages the foremost political, business and other leaders of society to shape global, regional and industry agendas.

World Economic Forum
91–93 route de la Capite
CH-1223 Cologny/Geneva
Switzerland

Tel.: +41 (0) 22 869 1212
Fax: +41 (0) 22 786 2744

contact@weforum.org
www.weforum.org
