On 4 May 2016, the European Banking Authority (EBA) released a discussion paper on innovative uses of consumer data by financial institutions. The paper looks at the ways in which financial institutions use customer data, and the associated benefits and risks.  The EBA’s aim is to decide whether the current regulatory framework is sufficient to harness the risks or requires action. 

The EBA notes that only few requirements presently exist in EU legislation specific to the financial sector that address the use of consumer data by financial institutions. Data in relation to payments is particularly highlighted as being of interest to the EBA as it provides an insight into consumers’ purchasing habits and preferences. 

What this means for you

The EBA has requested feedback by 4 August 2016 on a number of questions in line with its mandate to monitor financial innovation. 

Innovation is important but so too are the privacy law requirements related to “new use” of customer data. This will be one key risk area to consider. Financial institutions are “data controllers” of their customers’ personal data and the Data Protection Act 1998 (to be replaced in 2018 by a General Data Protection Regulation) governs what they can do with it. Payment processors will have made contractual commitments to their customers, which could well restrict new use without permissions. And if they use customer data for their own new purpose, the payment processor itself will likely be “data controller” for privacy law purposes. 

Any proposed “new use” must first be checked to ensure it is fair and lawful.  Fairness: If it is outside the reasonable expectations of customers then this means it must be notified to them in written privacy notices.  Lawfulness: If it is not strictly necessary for the legitimate interests of the financial institution or the other data controller (e.g. a payment processor making a new use) then an alternative lawful reason is needed - such as a fully informed, prior and freely given consent from the “data subject” (here, the customer).  If sensitive personal data is at issue, such as racial/ethnic origin detail of the customer, his disability or his religious or other beliefs, risks are heightened, additional rules apply and explicit consent would be necessary.  In short, a privacy impact assessment (in line with the ICO’s Code of Practice and GDPR when it comes in) should be conducted before as soon as any “new use” is proposed. The privacy implications should be factored into decision making process as early as possible in the process.