Thursday, September 11, 2025

Customer Control over Financial Data Comes at a Cost 

Consumers may not understand where banks’ duty of care begins and ends

Over the next two years an obscure piece of EU legislation, the Payment Services Directive II, is going to force banks to open up their personal data vaults to whomever customers desire.

The ultimate aim of the PSDII is to break the banking monopoly on data in the hope of encouraging new entrants into the market with fresh product ideas and services. Many of these new entrants will not be banks or regulated entities.

The law specifies that banks should share their data by way of mandated application programming interfaces, “APIs” in the jargon. Through these standardised protocols, it is envisaged, third parties will be able to download data with ease as soon as customers give them permission to do so.

But, while the goal is admirable, it is not without risk. Critically, the legislation neglects to address how differently data are treated in the market by non-bank institutions.

Banks have learnt the hard way — through crises, panics and regulatory penalties — that their vast depositories of personal data behave more like liabilities than assets. They have dealt with this challenge by prioritising the protection of customer data and privacy above all else and turning it into a competitive differentiator. As economist Gary Gorton and colleagues have argued, banking is, to a large extent, the business of keeping secrets.

Combine that with the fear of being fined for using customers’ data against them, and one begins to appreciate why banks have been slow to leverage this trove for their own benefit beyond making credit decisions.

The same, however, cannot be said of the commercial technology sector. Here the mining of customer data is de rigueur, with corporate valuations often directly linked to the size and potential of such reserves.

Advocates of PSDII say the legislation will help customers take control of their information. Without fear of being locked into a particular provider they will be able to move their data — and their deposits — wherever the best deals are offered.

But consumers may not understand where the boundaries of a bank’s duty of care begin and end under the new framework. If an unregulated third party misuses the data a customer consented to share, who will that customer blame? The third party or the bank? And where does the liability lie?

Furthermore, if customers are free to move their deposits at the drop of a hat, there is a good chance that financial panics, if and when they occur, may be exacerbated.

Some critics note that customer control is relative and consent can always be gamed. The payment protection insurance (PPI) mis-selling scandal gives us an insight into how things might go wrong. Millions of customers were duped into buying products they did not understand or want through the leveraging of their unwitting consent.

In the tech world, of course, the use of impossibly complicated terms and conditions stealthily to elicit customer consent is deemed a bona fide business strategy. In banking, it potentially turns API into a new PPI-style scandal in the making.

This is not the only conflict. Another bit of EU legislation, the General Data Protection Regulation, which aims to impose penalties on companies that fail to safeguard personal data, could jar with the core tenets of PSDII, despite the two being deemed complementary by legislators. This law, which also requires corporates to gain appropriate consent for data use and to comply with data deletion requests, is likely to turn data into a liability risk for everyone.

If and when that happens, any competitive advantage scrupulous tech companies have over banks might be extinguished, leaving only those with fewer scruples, or a much riskier attitude to data management, for customers to choose from.

izabella.kaminska@ft.com

Written by Izabella Kaminska
