Beyond regulations: banks’ commitment to data security

'Banks have outperformed other industries when it comes to protecting data,' the report, entitled, 'Safeguarding Customer Data in the Financial System ', says. The study analyzes why the financial industry has historically acted as a 'guardian' not only of their customers' money but also the information gathered in the transmission and processing of financial assets, including sensitive customer personal data.

'While the landscape for data management and usage is rapidly changing, one constant is that banks have always been committed to elevated standards in this area,' the study says.

For the IIF, it is primordial that all players (both established and newcomers) in the financial ecosystem match the standards of banks when it comes to handling and protecting user data. 'These should be essential prerequisites for any other entity wanting to handle customer data'. This is particularly important with the emergence of open banking, which allows third parties access to customer data, generally through APIs.

While initiatives such as the recent introduction of GDPR mark 'significant milestones', the report says, the strengths of banks as guardians of customer data go 'beyond the mere privacy of the individual and the mere compliance with such standards.'

There are three main reasons that explain the rigor applied by banks when handling their customers' information both in the past and at present: sound regulations and demanding standards in the industry; the active and constant supervision of the sector and the need for the industry itself to maintain the trust of customers as 'their single greatest asset'.

The principles of banks in protecting money

Banks have oriented their activity around a series of deeply-rooted principles:

• Security: financial institutions have assigned large amounts of resources to maintaining and updating their technological systems to ensure they meet the 'increasing IT needs of digital financial services'.
• Confidentiality: banks not only protect the personal information of their customers but also all types of financial data.
• Market integrity: the handling of sensitive information is a basic pillar of banking operations. It is the responsibility of institutions to guarantee that no individual or institution obtains any type of unfair advantage through inside market information.
• Transparency: maintaining the trust of customers also mains informing them in a concise, intelligible and easily accessible manner on how their financial data is used.

An example of good practices

Lastly, the sector can draw on a series of practices that have been honed over time (with concrete norms and mechanisms of internal control as well as continuous, external supervision) that allow them to give shape to these principles in handling their customers' information on a day-to-day basis.

Financial institutions, therefore, 'go beyond regulatory requirements', according to the authors of the report and reflect 'the best practices' of the industry. This, backed by robust regulations, 'allows customers to trust that their assets are safe'. According to the IIF, this means that customers can choose their banking institutions on the basis of their performance and economic attractiveness rather than their ability to protect their information, which should be taken for granted.

The IIF believes it is critically important that regulators extend these policies and principles, governance mechanisms and procedures to all firms taking part in the financial ecosystem. 'The fundamental principles for safeguarding customers' data should nevertheless apply regardless of the size, scope or type of operation.'

In the absence of this, the report warns of the 'disastrous consequences' that a loss of trust will have for both newcomers as well as established players. 'If incumbents, newcomers and regulators actively and constructively cooperate to ensure customer data safety, this will help grow the open banking ecosystem, create more opportunities and ultimately benefit the customer.'