The Internet of Things is going to change the models of business of the financial services sector, unveiling new legal issues.
The new models of business of the Internet of Things (IoT) are going to be disruptive, placing companies in front of legal problems that they had never experienced before. And the same rule is valid with reference to financial service sector.
The new models of business of the Internet of Things in the financial services sector
According to an estimate of BI Intelligence, there are at the moment 7 billion IoT devices, but the number is going to quickly climb to 22.5 billion by 2021. I don’t like this kind of estimates, but there is no doubt that according to analysts Internet of Things devices (i.e. connected technologies) will be anywhere around us, in any business, in any device, in any network and even on any individual.
This scenario is expected to create the so called “Bank of Things” that relies on the collection customers’ data from any of their devices in order to offer different services to them.
The main data flows and services that can be offered by banks as well as the modalities in which banks can exploit collected data are the following:
- Banks can collect data from any device/machine. This includes both personal data from devices used by their customers (e.g. smartphones, but also wearable technologies) and M2M data collected directly from devices as it happens in the case of sensors installed in their industrial plants;
- Such data can be used to
- not only provide services their customers that are better tailored on their needs, but also to grant them benefits linked to their behaviour or for instance on the basis of the maintenance status of their industrial plant, as in the case of better pricing options linked to the specific scenario applicable to them, rather than being based on merely static data. The matter will become even more relevant with the coming into force of the Payment Services Directive 2 (PSD2) that, as covered in more detail in this blog post, will turn banks into “platforms” where third party suppliers will be able to plug in their services. The increase of number of service providers will inevitably increase the volume of data that can be collected, but the actual ability to exploit such data will depend also on the contractual arrangements with such third parties;
- gain savings since the analysis of data can enable banks to adjust their business to its actual needs. For instance based on data collected from ATMs, it is possible to understand which areas need more ATMs than others and therefore change their location or change the number of branches that are open in a specific district; and
- create a marketplace of data to be exploited by third parties. This is the most interesting (and less explored at the moment) line of business. If sensors are embedded on any device/machine/plant, banks would obtain a massive amount of data that can be a very valuable resource for their business clients which are interested to run any type of business.
New models of business = new legal issues
As it happens with almost any change in the way businesses are run, this leads to new legal issues that can be summarised as follow:
1. Privacy issues become bigger
Banks have always processed large amounts of data and had to face privacy issues. However, Internet of Things technologies will increase the size of the issue since
- data will no longer be collected only from bank accounts, home banking technologies, branches etc., but from any device, car, plant and
- will be used not only to ensure the proper performance of financial transactions, but to provide services, gain savings and share data with third parties.
This change takes place with the wrong timing because of the upcoming EU General Data Protection Regulation, which, among others, will
- increase fines up to 4% of the global turnover of the breaching entity;
- lead to higher risks of claims from customers, since it introduces the principle of accountability which places the burden of proving privacy compliance on the investigated party;
- generate a higher risk of claims from shareholders because of the size of potential fines and claims; and
- keep the existing criminal sanctions and orders of deletion of data.
Also, the current draft of the ePrivacy Regulation extends its scope also to M2M communications and therefore the perimeter of privacy rules might apply also in case of processing of non-personal data.
Privacy compliance will no longer rely just on the proper arrangement of documents, but will depend on
- the ability to map and control data;
- the implementation of organisational procedures that can ensure the proper processing of personal data both internally and with reference to third party suppliers/agents; and
- the adoption of technologies able to minimise the risk on illegal access to data and identify unlawful treatments in order to timely react to them.
2. Cyberthreat gets more serious
A larger amount of data collected from different sources inevitably causes also an increased cyber risk.
Companies need to put in place the measures to limit the risk of cyber attacks and in case of their occurrence being able to prove their compliance with principles of ordinary diligence. This measures include, among others,
- the adoption of a cyber risk policy, inclusive of a procedure to handle a data breach;
- the subscription of a cyber risk insurance policy;
- the implementation of a security and privacy by design approach;
- the appointment of a data protection officer.
3. Agreements with third parties need to be “adequately” managed
Given the size of privacy and cyber risks, agreements with third parties that provide services as well as with those that intend to exploit data shall be drafted in a way that
- ensures the minimisation of risks deriving from third parties, but at the same time
- guarantees that in case of data breach or unlawful processing of personal data, uncapped indemnity claims can be brought against banks.
4. Different legal basis shall be considered to ensure data ownership
The European Commission is currently considering different options in order to ensure ownership of IoT data, but the current viable routes are the following:
- data is linked to the device. This is more a factual status than a legal basis, but technology providers tend to structure their platforms/devices so that they keep control on processed data;
- data can be protected under copyright law, but this would require an “intellectual effort” in their collection/organization/analysis;
- data can rely on the European database sui generis right that is broader than copyright;
- data can be considered trade secrets or can be protected under antitrust regulations, making its exploitation an unfair competition conduct.
The European Commission is considering to introduce new rights to protect IoT data, but the above are the most frequent available options.
5. Data can be “stolen” through the data portability right
The new data portability right introduced by the EU General Data Protection Regulation is both a resource and a risk for a business. I thoroughly covered the issue in this blog post.
6. Data needs to be used
It seems obvious, but currently a number of companies are collecting data without actually using it, just to create their own database. Such conduct would not only be in breach of privacy regulations, but also might lead to misleading advertising if an expectation of getting an actual benefit from the provision of data is created in customers.
Interesting opportunities for the financial services through Internet of Things technologies, the challenge will be to properly exploit them in order to avoid to lose market share…