PwC’s Retail Banking 2020 report identified the top priorities for banks as they head into the next decade. Fourth on the list – after customer centricity, distribution optimisation and business model simplification – is ‘information advantage’. The collection, use, analysis and protection of customer and transactional data for competitive benefit is a challenging goal in itself; it is further complicated by the powerful forces currently reshaping the financial services landscape. These changes include new technological capabilities, evolving customer expectations, ever-stricter regulatory requirements and the disruptive impact of new competition in the form of software-based financial technology firms. To navigate the change and meet expectations, companies need fundamental information management policies and processes that are strong yet flexible enough to accommodate the very latest business needs.
The challenge of disruptive competition
There’s no getting around the fact that new market entrants are encroaching on the traditional industry with worrying speed and agility. They are offering financial services, in innovative and connected ways, at a lower cost and with fewer restrictions. Google and Amazon have launched new lending products, while PayPal, Square and Intuit are offering payroll deposit accounts, business checking, ACH wire deposit and merchant services. In this disruptive landscape, traditional banks need to fight back, and their legacy information can prove to be a vital weapon.
The value of information
Every established bank is immensely rich in data. Operational practices of collecting information about transactions, customer interactions, rate changes, risk assessment of portfolio investments and other events all generate data over and over. Historically, this amounts to a great deal of information. Most banks have implemented a solid yet scalable and responsive framework to store, organise and access the information. This should now be accompanied by clear methods for prioritising incoming data based on business goals and, of course, for meeting regulatory compliance requirements. With the high volumes involved, banks should capture what they want to analyse, archive what they are required to store and delete what is not to be stored.
If managed well, information can reveal patterns in customer behaviour, allowing for the prediction and anticipation of future needs or the generation of new, value-added products and services. If not managed carefully, it can present a potential risk, missed opportunities, and compliance challenges.
Balancing fear and freedom
The intense focus on turning vast volumes of data into intelligence, coupled with the need to rebuild public trust through spotless regulatory compliance and risk mitigation, is playing havoc with essential, yet rigid, risk-averse information policy frameworks. At the heart of this is a potential conflict between the need to share data for insight and the demand to keep data secure.
A robust, future-proof information management policy addresses this tension by enabling the flow of information around the business for analysis and access, with clear tracking, user accountability, understanding of cross-border restrictions, and anonymization of private information as required. The policy should have measures in place to identify which information is most valuable and where it is most vulnerable, allowing for the organisation to set restrictions accordingly. Protocols for usage need to be communicated and adhered to.
Connected customers
Another major trend in banking is customer-centricity: putting customers – whether they are consumers or other businesses – at the heart of everything the organisation does. In terms of information management, this requires the integration of many different customer touch points, including paper, into a single profile that is centrally managed and updated, and that can be deleted on request.
Once the new European General Data Protection Regulation (GDPR) comes into force in 2018, organisations will need measures in place to comply effectively with requests to remove personal data wherever it resides, and in any format. Many banks would struggle to comply with such a request today. Building this capability into information governance policy and practice now and tracking effectiveness can prevent a reactive response later.
Risk and regulation
The regulatory environment for banking and other financial services, whether in the UK, Europe or internationally, is already strict and complex, and is likely to become more so.
The GDPR will usher in stricter rules, including a commitment to report all data breaches. For financial institutions doing business in the US, the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act is also strengthening business conduct standards on Wall Street and instituting new reporting and recordkeeping requirements.
The penalties for failure to meet regulatory requirements have never been so severe, and the consequences are unlikely to be purely financial. The potential reputational damage to a business in an industry where customer trust has already been severely eroded could prove devastating.
To reduce risk and strengthen regulatory compliance, information management policies need to embrace the basics. This means implementing best practice for handling records throughout their lifecycle, from creation through to defensible disposition, to ensure they comply with existing and incoming legislation. As for the business goal of customer-centricity, it involves having and enforcing a rigorous and secure chain of custody and audit trail to maximise accountability and visibility of information at all stages. Ideally, it requires strong customer or client relationship management approaches. This will determine the need for the handling and deleting of data based on regulation and customer requirements.
Conclusion
Banks are on a journey shaped by technology, demographic change and regulatory complexity. Implementing the right information management policies and processes is an important step on this journey. To innovate and survive, banks need to future-proof their data practices, implement them effectively and measure them frequently. While this captures the imagination of risk managers and those predominantly concerned with mitigations, future-proofing and considering best practices according to new regulatory codes can help the banks grow the business. So a tactical matter becomes strategic.
By Sue Trombley, Managing Director of Thought Leadership at Iron Mountain and ARMA Fellow, and Dr Joseph DiVanna, Managing Director of Maris Strategies Ltd and a Møller Centre Bye-Fellow of Churchill College, University of Cambridge
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.