Data Privacy & User Protection in Banking & Finance

Using Personal Data for common good

Swapna M
Swapna M
Feb 21, 2019 · 6 min read

Banks and Financial institutions operate in a highly regulated industry. Right at the ideation stage of a product or a project, banks need to keep the risk, compliance, legal, info-security teams in alignment of what they’re trying to achieve. Usually, there are processes in place in banks and FIs that vet each product or service before launch; however, in today's world, it’s highly critical to pay special attention to checks regarding user data and privacy.

Banks are viewed as the most trusted provider of data security. In a survey by A.T. Kearney, 62 percent of customers reported banks as the most trusted firm to ensure the security of customers’ personal information, in comparison to other firms, such as Google, Amazon, PayPal, and Apple.

Clients inherently trust banks, and thus it puts a tremendous onus on the banks to be trustworthy — to follow the rules to a T and protect their client's interests. When it comes to accountability, banks also bear the largest obligation.

One of the major themes that any bank or financial institution can follow is customer awareness. One of the simplest ways to protect your customers and their data is to keep them informed. It becomes ever more pertinent to actively provide education and promote awareness on how we as banks collect and use customer data.

Why do privacy and data ethics matter to organizations in a data-driven economy?

Data is the new oil. In this world of data 3.0, Data is at the heart of business. Data is driving innovation, driving digital transformation, driving core business activities and new business opportunities. Data is making companies relevant and advantageous to customers in their market.

Organizations and startups are built around data. Companies have huge amounts of data on users along with an understanding of new types of user profiles.

And hence in this data-driven economy, where a company might have a ton of data around you which it can use in a myriad of ways, it becomes ever more important for organizations to use this power wisely. As they say,

Today, banks are trying to be the client’s CFO — Chief Financial officer. They just don’t want to sell you more products, but want to understand what motivates and drives you, what life events are happening in your life in which they can help you in the most relevant manner. And if banks have this data around you, it puts a great onus on them to use this data wisely.

It again comes down to trust. If we don’t value our clients, then our clients are not going to value us; they’re not going to trust us. Companies need to provide tangible value to users if at all they’re going to use their data inside the product or share it with third parties.

If I as a user know perfectly well how my data is going to be used, where is it going to be used, what type of data is going to be used and I have the mechanisms to withdraw my partial or full consent at any point in time, without sacrificing too much on the value provided to me, I’d know I’m in good hands.

Technology to combat Data Privacy

Along with technological solutions and security features, good practices can be enforced to provide user and data protection :

  • Strong customer authentication & identification eg. two-factor verification
  • Having key pieces of information or products stored inside a secure platform/infrastructure
  • Using trusted identities for user verification
  • Providing unsubscribe mechanisms to clients — from emails, from parts of the product etc.
  • APIs is another way where we can bolster security, data transparency, and control for our users
  • Real-time masking (e.g. masking credit card information)
  • Data encryption (database — protecting the data at rest)
  • Permanent masking (securing strategic assets)
  • Creating a Data perimeter (identifying sensitive data at a granular level and monitor that, put specific protections on that) eg. credit card information
  • Withdrawal of consent — Systems should be updated to reflect the customer’s request and immediately block access to this data.
  • Downloadable and accessible consents
  • Expunging of data due to user inactivity or withdrawal
  • Trusted secure third-party services
  • Re-triggering of consents each year, to make sure users understand what they’ve consented to OR re-triggering consent every time consent language has been updated
  • Making data collected on individuals anonymous to prevent identification
  • Notifying of any breaches of consumer information and being explicit about data breaches — within 72 hours — how did the breach happen, what was compromised, who was affected etc.
  • Restricting access to certain data to select employees
  • Using unsecured networks for passing financial transactions should be considered unacceptable at any banking or financial institution.
  • Performing periodic audits of their security practices and how well they’re being enforced.
  • Building audit trails and keeping proof of each step, major decisions, and supporting material.

Transparency & User value

Data can be used ethically if organizations provide users with three main things —

  • Control over their data — users need to have more control and say around how their own data is being used
  • Data Transparency — being transparent of the data elements being collecting. Being crystal clear about what kind of data is being used, how the data is used, why is it used, where is it used.
  • Explicit & tangible user value — Is there any customer value exchange? User data and its sharing have to be advantageous to the users themselves.

Consents & disclaimers are used to make sure users and companies alike are protected against any potentials risks and gaps. But we also need to make sure our consents & disclaimers are —

  • clear and concise enough for the users to be able to understand them
  • readable and digestible without any technical jargon
  • easy to access and download
  • broken down into components or modularized /layered for easy distinction between different categories/levels of consent
  • enforced and explicitly stated if there’s any possibility of the data being accessed by a third party or sent across the borders of their current country
  • just-in-time granular consents at different points in the user's journey to remind the user to read and understand the value they’ll obtain from providing this particular consent and what they need to give up in return

Collaboration between Business & Privacy/Compliance/Legal partners

  • Take the risk, compliance, info-security, privacy, legal partners along the business/product journey right from the start. This helps them understand the business objectives and product vision, thus starting a mutually collaborative relationship.
  • Gather preliminary thoughts on the solution and work with the RCL partners to tweak the product offering — be agile in the legal–product collaboration.
  • Keep users at the forefront, make product tweaks, take it back to the RCL partners, get feedback, work together collaboratively.
  • Keep a tight balance between user experience and user privacy/compliance. It’s like working with any other team — there would be challenges and disagreements, but the non-negotiable aspects need to be worked upon in priority.


1/ Provide value to the end users if your intention is to use their data

2/ Make consents and privacy language crystal clear explicit/transparent and make sure your users understand what they’re getting into

3/ Be compliant with existing and new regulations with your data and user privacy

4/ Be transparent with your users and provide them value in return. This helps build trust and customer loyalty.

5/ Be accountable for data governance and privacy

6/ It’s better to add some friction into the user experience in order to make the users stop and think about what they’re consenting to.

7/ Provide more control to the users — right to erasure & withdrawal of consent. Users right to request the deletion of their personal data or the withdrawal of all or particular categories of data.

Data Driven Investor

from confusion to clarity, not insanity

Swapna M

Written by

Swapna M

Product Lead @Royal Bank of Canada | #AI #Blockchain #DigitalIdentity | Previously Head of Product @Klood, @Scholastic, @Accenture

Data Driven Investor

from confusion to clarity, not insanity

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade