Security and Trust Fundamental to Unlocking the Power of Data
By Ian Hermon
The first payments and data event in the UK, Unlocking the Power of Data: The future of smarter payments, provided a wealth of new thinking and insight. It explored how trusted third parties could offer consumers a much broader and more innovative range of payment and account information services than they have today through their high street bank. You may be surprised to hear that all of this is being actively encouraged by HM Treasury and the financial regulator, who were among the presenters and panelists at the event!
A big thank you to Payments UK and techUK for organising the conference and bringing together a diverse range of speakers, including government regulators, banks, businesses, consumer groups, academics, consultants and technology companies. The timing of the event could not have been more appropriate with major regulation due to hit the UK and Europe next year – PSD2 and GDPR being some of the most important and challenging to implement. Almost every speaker made some reference to GDPR, probably a first for a payment industry conference!
How times have changed at payments events – for years all you heard about were initiatives to make plastic cards more secure and the associated security standards being updated for ATM cash machines and POS terminals in retail stores. The payments industry in this era was tightly controlled by the card schemes and the banks and as a consequence consumers were tied to the services supported by the payment card and the underlying bank account behind it. Conferences were marked by back-to-back PowerPoint presentations – and it was clear that the emphasis was on how to make money from payments while managing fraud risk. Little thought was given to how to deliver extra value to the consumer.
PSD2 is due to change all that with the expected launch of a wide range of new services from trusted third parties (often fintechs or service providers who do not need to hold a banking license) known as PISPs (payment initiation service providers) and AISPs (account information service providers). Regulators and governments in Europe are seeking to put the consumer first, protect their rights and make sure that the payments industry innovates around the vast amount of data that is available, but to date has largely not been leveraged effectively. A common theme throughout the conference was that the future of financial services will be all about the data and the corresponding privacy, trust and consent implications.
The conference was extremely interactive with the use of the Wisembly communications platform to facilitate dynamic real-time questions and feedback, enabling the audience to guide the panel towards the areas which are most important and for which their practical insight was sought. It is clear that the innovators are gearing up to provide some valuable new services to consumers including sophisticated financial dashboards, proactive assistance with managing spending, easy access to the best deals and a complete pension view. Many speakers stressed that the types of data breaches we see today in the card payment world are not present in this new data sharing and service world. After all, lack of confidence in data security by the consumer could cause this new market to stall before it even gets going properly.
Banks have the opportunity to play a big role in developing a proactive and collaborative compliance mindset. The vast amounts of data that are created and stored need to be secured to avoid the fines. While banks historically have a strong track record in protecting the consumer’s money, can they collaborate effectively with others to help secure shared data? A representative of a leading UK bank on one of the panels stated that “we want to get customers to trust us with their data as they do today with their money”. Banks recognise that data is the new currency and that trust and transparency are fundamental. Consumers need to be confident about who is accessing their data and why that access is being granted.
GDPR has serious and immediate implications for businesses that fail to protect consumer data. One speaker mentioned the PCI SSC estimate that UK businesses could be fined £122bn in 2018 alone due to non-compliance with the new regulation. When we compare this to the UK total fine of £1.4bn in 2015 from existing regulation, it is obvious that GDPR should be a big enough incentive for businesses to get their houses in order now.
In Europe, regulators are effectively forcing innovation to take place in the payments market primarily through PSD2 and underpinned by the secure data protection requirements of GDPR. Protecting data at rest, in motion or in use has never been more critical.