Open Banking and the Consumer Data Right

While most of Australia has been preoccupied by things such as Covid-19 lock-downs, border closures, which contestant got eliminated from Big Brother/Masterchef, and which federal politician went to an NRL game (depending on which State you live in), the ACCC has implemented the first phase of the Consumer Data Right regime (aka Open Banking).

The TLDR on this new regulation, which has been several years in the making, can be distilled as follows:

Banks can no longer deny customers the right to share their own customer data with third parties.

So, in essence, if I am a customer of Bank A, and I want to transfer my business to Bank B, I have the right to request Bank A to share relevant information about my account to Bank B – Bank A can no longer hold on to or refuse to share that information.

Why does this matter? Well, a major obstacle to competition, customer choice and product innovation has been the past refusal by banks to allow customers to share their own account information with third party providers – i.e., it has been an impediment to customer switching (and therefore anti-competitive), and a barrier to entry for new market entrants (and therefore a drag on innovation).

Of course, there are some caveats. Data can only be shared with an accredited data recipient, as a means to protect banking security and preserve data privacy. And at first, the CDR will only apply to debit and credit cards, transaction accounts and deposit accounts. But personal loans and mortgages will follow in a few months. (And the CDR is due to be extended to utilities, telcos and insurance in coming years – going further than even the similar UK Open Banking scheme.)

Although I welcome this new provision, it still feels very limited in application and scope. Even one of the Four Pillar banks couldn’t really articulate what it will actually mean for consumers. They also revealed something of a self-serving and defensive tone in a recent opinion piece:

“Based on experience in other markets, initial take up by consumers is likely to be low due to limited awareness and broader sensitivities around data use.”

Despite our fondness for bank-bashing (and the revelations from the recent Royal Commission), Australians are generally seen as being reluctant to switch providers, either because it’s too hard (something that the CDR is designed to address), or because customers are lazy or complacent. In fact, recent evidence suggests existing customers of the big four banks are even more likely to recommend them.

For FinTechs and challenger brands, the costs of complying with some aspects of the CDR are seen as too onerous, and as such, act as another impediment to competition and innovation. Therefore, we will likely see a number of “trusted” intermediaries who will receive customer data on behalf of third party providers – which will no doubt incur other (hidden?) costs for the consumer.

Full competition will come when consumers can simply instruct their existing bank to plug their data into a product or price comparison service, to identify the best offers out there for similar products. (Better still, why not mandate incumbents to notify their existing customers when they have a better or cheaper product available? A number of times I have queried the rate on an existing product, only to be offered a better deal when I suggested I might take my business elsewhere.)

Recently, my bank unilaterally decided to change the brand of my credit card. Instead of showing initiative by offering to transfer my existing subscriptions and direct debits to the new card, the bank simply told me to notify vendors and service providers myself. If I didn’t request the change of card, why am I being put to the inconvenience of updating all my standing orders?

For real innovation, we need banks and other providers to maintain a unified and single view of customer (not a profile organised by individual products or accounts). Moreover, we need a fully self-sovereign digital ID solution, that truly puts the customer in charge and in control of their own data – by enabling customers to decide who, what, when, why and for how long they share data with third parties. For example, why do I still need 100 points of identity with Bank B if I’m already a client of Bank A?

Finally, rather than simply trying to make money from managing our financial assets, banks and others have an opportunity to ensure we are managing our financial data in a more efficient and customer-centric way.

Next week: Counting the cost of Covid19


Big Data – Panacea or Pandemic?

You’ve probably heard that “data is the new oil” (but you just need to know where to drill?). Or alternatively, that the growing lakes of “Big Data” hold all the answers, but they don’t necessarily tell us which questions to ask. It feels like Big Data is the cure for everything, yet far from solving our problems, it is simply adding to our confusion.

Cartoon by Thierry Gregorious (Sourced from Flickr under Creative Commons – Some Rights Reserved)

There’s no doubt that customer, transaction, behavioral, geographic and demographic data points can be valuable for analysis and forecasting. When used appropriately, and in conjunction with relevant tools, this data can even throw up new insights. And when combined with contextual and psychometric analysis can give rise to whole new data-driven businesses.

Of course, we often use simple trend analysis to reveal underlying patterns and changes in behaviour (“If you can’t measure it, you can’t manage it”). But the core issue is, what is this data actually telling us? For example, if the busiest time for online banking is during commuting hours, what opportunities does this present? (Rather than, “how much more data can we generate from even more frequent data capture…”)

I get that companies want to know more about their customers so they can “understand” them, and anticipate their needs. Companies are putting more and more effort into analysing the data they already have, as well as tapping into even more sources of data, to create even more granular data models, all with the goal of improving customer experience. It’s just a shame that few companies have a really good single view of their customers, because often, data still sits in siloed operations and legacy business information systems.

There is also a risk, that by trying to enhance and further personalise the user experience, companies are raising their customers’ expectations to a level that cannot be fulfilled. Full customisation would ultimately mean creating products with a customer base of one. Plus customers will expect companies to really “know” them, to treat them as unique individuals with their own specific needs and preferences. Totally unrealistic, of course, because such solutions are mostly impossible to scale, and are largely unsustainable.

Next week: Startup Governance


Assessing Counterparty Risk post-GFC – some lessons for #FinTech

At the height of the GFC, banks, governments, regulators, investors and corporations were all struggling to assess the amount of credit risk that Lehman Brothers represented to global capital markets and financial systems. One of the key lessons learnt from the Lehman collapse was the need to take a very different approach to identifying, understanding and managing counterparty risk – a lesson which fintech startups would be well-advised to heed, but one which should also present new opportunities.

In Lehman’s case, the credit risk was not confined to the investment bank’s ability to meet its immediate and direct financial obligations. It extended to transactions, deals and businesses where Lehman and its myriad of subsidiaries in multiple jurisdictions provided a range of financial services – from liquidity support to asset management; from brokerage to clearing and settlement; from commodities trading to securities lending. The contagion risk represented by Lehman was therefore not just the value of debt and other obligations it issued in its own name, but also the exposures represented by the extensive network of transactions where Lehman was a counterparty – such as acting as guarantor, underwriter, credit insurer, collateral provider or reference entity.

Before the GFC

Counterparty risk was seen purely as a form of bilateral risk. It related to single transactions or exposures. It was mainly limited to hedging and derivative positions. It was confined to banks, brokers and OTC market participants. In particular, it centred on the use of credit default swaps (CDS) to insure against the risk of an obligor (borrower or bond issuer) failing to meet its obligations in full and on time.

The problem is that there is no limit to the amount of credit “protection” policies that can be written against a single default, much like the value of stock futures and options contracts being written in the derivatives markets can outstrip the value of the underlying equities. This results in what is euphemistically called market “overhang”, where the total face value of derivative instruments trading in the market far exceeds the value of the underlying securities.

As a consequence of the GFC, global markets and regulators undertook a delicate process of “compression”, to unwind the outstanding CDS positions back to their core underlying obligations, thereby averting a further credit squeeze by releasing liquidity back into the market.

Post-GFC

Counterparty risk is now multi-dimensional. Exposures are complex and inter-related. It can apply to any credit-related obligation (loans, stored value cards, trade finance, supply chains etc.). It is not just a problem for banks, brokers and intermediaries. Corporate treasurers and CFOs are having to develop counterparty risk policies and procedures (e.g., managing individual bank lines of credit or reconciling supplier/customer trading terms).

It has also drawn attention to other factors for determining counterparty credit risk, beyond the nature and amount of the financial exposure, including:

  • Bank counterparty risk – borrowers and depositors both need to be reassured that their banks can continue to operate if there is any sort of credit event or market disruption. (During the GFC, some customers distributed their deposits among several banks – to diversify their bank risk, and to bring individual deposits within the scope of government-backed deposit guarantees)
  • Shareholder risk – companies like to diversify their share registry, by having a broad investor base; but, if stock markets are volatile, some shareholders are more likely to sell off their shares (e.g., overseas investors and retail investors) which impacts the market cap value when share prices fall
  • Concentration risk – in the past, concentration risk was mostly viewed from a portfolio perspective, and with reference to single name or sector exposures. Now, concentration risk has to be managed across a combination of attributes (geographic, industry, supply chain etc.)

Implications for Counterparty Risk Management

Since the GFC, market participants need to have better access to more appropriate data, and the ability to interrogate and interpret the data, for “hidden” or indirect exposures. For example, if your company is exporting to, say, Greece, and you are relying on your customers’ local banks to provide credit guarantees, how confident are you that the overseas bank will be able to step in if your client defaults on the payment?

Counterparty data is not always configured to easily uncover potential or actual risks, because the data is held in silos (by transactions, products, clients etc.) and not organized holistically (e.g., a single view of a customer by accounts, products and transactions, and their related parties such as subsidiaries, parent companies or even their banks).

Business transformation projects designed to improve processes and reduce risk tend to be led by IT or Change Management teams, where data is often an afterthought. Even where there is a focus on data management, the data governance is not rigorous and lacks structure, standards, stewardship and QA.

Typical vendor solutions for managing counterparty risk tend to be disproportionately expensive or take an “all or nothing” approach (i.e., enterprise solutions that favour a one-size-fits-all solution). Opportunities to secure incremental improvements are overlooked in favour of “big bang” outcomes.

Finally, solutions may already exist in-house, but it requires better deployment of available data and systems to realize the benefits (e.g., by getting the CRM to “talk to” the loan portfolio).

Opportunities for Fintech

The key lesson for fintech in managing counterparty risk is that more data, and more transparent data, should make it easier to identify potential problems. Since many fintech startups are taking advantage of better access to, and improved availability of, customer and transactional data to develop their risk-calculation algorithms, this should help them flag issues such as possible credit events before they arise.

Fintech startups are less hamstrung by legacy systems (e.g., some banks still run COBOL on their core systems), and can develop more flexible solutions that are better suited to the way customers interact with their banks. As an example, the proportion of customers who only transact via mobile banking is rapidly growing, which places different demands on banking infrastructure. More customers are expected to conduct all their other financial business (insurance, investing, financial planning, wealth management, superannuation) via mobile solutions that give them a consolidated view of their finances within a single point of access.

However, while all the additional “big data” coming from e-commerce, mobile banking, payment apps and digital wallets represents a valuable resource, if not used wisely, it’s just another data lake that is hard to fathom. The transactional and customer data still needs to be structured, tagged and identified so that it can be interpreted and analysed effectively.

The role of Legal Entity Identifiers in Counterparty Risk

In the case of Lehman Brothers, the challenge in working out which subsidiary was responsible for a specific debt in a particular jurisdiction was mainly due to the lack of formal identification of each legal entity that was party to a transaction. Simply knowing the counterparty was “Lehman” was not precise or accurate enough.

As a result of the GFC, financial markets and regulators agreed on the need for a standard system of unique identifiers for each and every market participant, regardless of their market roles. Hence the assignment of Legal Entity Identifiers (LEI) to all entities that engage in financial transactions, especially cross-border.

To date, nearly 400,000 LEIs have been issued globally by the national and regional Local Operating Units (LOU – for Australia, this is APIR). There is still a long way to go to assign LEIs to every legal entity that conducts any sort of financial transaction, because the use of LEIs has not yet been universally mandated, and is only a requirement for certain financial reporting purposes (for example, in Australia, in theory the identifier would be extended to all self-managed superannuation funds because they buy and sell securities, and they are subject to regulation and reporting requirements by the ATO).

The irony is that while LEIs are not yet universal, financial institutions are having to conduct more intensive and more frequent KYC, AML and CTF checks – something that would no doubt be a lot easier and a lot cheaper by reference to a standard counterparty identifier such as the LEI. Hopefully, an enterprising fintech startup is on the case.
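As an added illustration (not code from the original post), the following Python sketch puts two of this post’s points into working form: the earlier point that counterparty data needs to be organised holistically across subsidiaries and parent companies rather than held in silos, and the point just made that a standard identifier such as the LEI makes counterparty checks cheaper. An LEI is machine-checkable (ISO 17442 layout, 20 characters, with the last two being ISO 7064 MOD 97-10 check digits), so malformed or mistyped identifiers can be rejected before any KYC lookup, and once every legal entity in a group carries its own LEI, exposures booked against individual subsidiaries can be rolled up to the ultimate parent instead of being lumped under a name like “Lehman”. The group LEIs (with the placeholder prefix ZZZZ, which is not a real LOU prefix), the ownership links and the exposure amounts are constructed sample data; the one real value is a published LEI (GLEIF’s own) used as a known-good sanity check.

```python
import re
from collections import defaultdict

# LEI layout (ISO 17442): 4-char LOU prefix, 2 reserved chars, 12 entity-specific
# chars, then 2 check digits computed with ISO 7064 MOD 97-10.
LEI_RE = re.compile(r"[A-Z0-9]{18}[0-9]{2}")


def _to_numeric(s: str) -> int:
    """Map each character to its ISO 7064 value (0-9 unchanged, A=10 ... Z=35)
    and read the concatenation as one integer."""
    return int("".join(str(int(ch, 36)) for ch in s))


def lei_check_digits(body: str) -> str:
    """Return the two check digits for an 18-character LEI body."""
    body = body.strip().upper()
    if not re.fullmatch(r"[A-Z0-9]{18}", body):
        raise ValueError("LEI body must be exactly 18 alphanumeric characters")
    # Append "00", take mod 97, subtract from 98: the full LEI then satisfies mod 97 == 1.
    return f"{98 - _to_numeric(body + '00') % 97:02d}"


def is_valid_lei(lei: str) -> bool:
    """Structural and checksum check only; it says nothing about whether the LEI
    is registered or still active, which needs a GLEIF/LOU lookup."""
    lei = lei.strip().upper()
    return bool(LEI_RE.fullmatch(lei)) and _to_numeric(lei) % 97 == 1


def ultimate_parent(lei: str, parent_of: dict) -> str:
    """Follow ownership links upward until an entity with no recorded parent."""
    seen = set()
    while lei in parent_of:
        if lei in seen:  # bad reference data: a cycle in the ownership graph
            raise ValueError(f"ownership cycle at {lei}")
        seen.add(lei)
        lei = parent_of[lei]
    return lei


def group_exposure(exposures, parent_of):
    """Sum exposures per ultimate parent. Records whose counterparty key is not a
    well-formed LEI are reported back rather than silently dropped or merged."""
    totals = defaultdict(int)
    rejected = []
    for counterparty, amount in exposures:
        if not is_valid_lei(counterparty):
            rejected.append(counterparty)
            continue
        totals[ultimate_parent(counterparty.strip().upper(), parent_of)] += amount
    return dict(totals), rejected


# --- constructed sample data (ZZZZ is a placeholder, not a real LOU prefix) ---
PARENT_LEI = "ZZZZ00PARENTGROUP1" + lei_check_digits("ZZZZ00PARENTGROUP1")
SUB_A_LEI = "ZZZZ00SUBSIDIARYA1" + lei_check_digits("ZZZZ00SUBSIDIARYA1")
SUB_B_LEI = "ZZZZ00SUBSIDIARYB1" + lei_check_digits("ZZZZ00SUBSIDIARYB1")
BANK_LEI = "ZZZZ00GUARANTOR001" + lei_check_digits("ZZZZ00GUARANTOR001")

KNOWN_GOOD_LEI = "506700GE1G29325QX363"  # a published LEI (GLEIF's own) for a sanity check

SAMPLE_PARENTS = {SUB_A_LEI: PARENT_LEI, SUB_B_LEI: PARENT_LEI}
SAMPLE_EXPOSURES = [
    (SUB_A_LEI, 1_500_000),   # loan to subsidiary A
    (SUB_B_LEI, 700_000),     # trade-finance line to subsidiary B
    (BANK_LEI, 250_000),      # guarantee issued by an unrelated bank
    ("LEHMAN", 999),          # legacy record keyed by a name, not an LEI
]

if __name__ == "__main__":
    totals, rejected = group_exposure(SAMPLE_EXPOSURES, SAMPLE_PARENTS)
    for parent, amount in totals.items():
        print(f"{parent}: {amount:,}")
    print("records needing an LEI before they can be aggregated:", rejected)
```

The check digits catch transcription errors, not identity fraud: a well-formed LEI still has to be looked up against the GLEIF register to confirm it belongs to the entity claimed and is not lapsed. The roll-up deliberately refuses to aggregate the name-keyed record, because a silently merged or dropped exposure is exactly the kind of “hidden” exposure the post describes.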

Next week: Sharing the love – tips from #startup founders

Personal vs Public: Rethinking Privacy

An incident I recently witnessed in my neighbourhood has caused me to rethink how we should be defining “privacy”. Data protection is one thing, but when our privacy can be compromised via the direct connection between the digital and analog worlds, all the cyber security in the world doesn’t protect us against unwanted nuisance, intrusion or even invasion of our personal space.

Scenario

As I was walking along the street, I saw another pedestrian stop outside a house, and from the pavement, use her smart phone to take a photograph through the open bedroom window. Regardless of who was inside, and irrespective of what they were doing (assuming nothing illegal was occurring), I would consider this to be an invasion of privacy.

For example, it would be very easy to share the picture via social media, along with date and location data. From there, it could be possible to search land registries and other public records to ascertain the identity of the owners and/or occupants. And with a little more effort, you might have enough information to stalk or even cyber-bully them.

Privacy Law

Photographing people on private property (e.g., in their home) from public property (e.g., on the street outside) is not an offence, although photographers must not cause a nuisance nor interfere with the occupants’ right of quiet enjoyment. Our current privacy laws largely exclude this breach of privacy (unless it relates to disclosure of personal data by a regulated entity). Even rules about the use of drones are driven by safety rather than privacy concerns.

Since the late 1990s, and the advent of spam and internet hacking, there have been court decisions that update the law of trespass to include what could be defined as “digital trespass”, although some judges have since tried to limit such actions to instances where actual harm or damage has been inflicted on the plaintiff. (Interestingly, in Australia, an act of trespass does not have to be “intentional”, merely “negligent”.)

Apart from the economic and financial loss that can arise from internet fraud and identity theft, invasion of privacy via public disclosure of personal data could lead to personal embarrassment, damage to reputation or even ostracism. (In legal terms, emotional stress falls within “pain and suffering”.)

Data Protection Law

The Australian Privacy Principles contained within the 1988 Privacy Act apply to government agencies, private companies with annual turnover of $3m or more, and any organisations trading in personal data, dealing with credit information or providing health services. There are specific provisions relating to the use and misuse of government-derived identifiers such as medical records and tax file numbers.

The main purpose of the privacy legislation is to protect “sensitive” information, and to prevent such data being used unlawfully to identify specific individuals. At a minimum, this means keeping personal data such as dates of birth, financial records or hospital files in a secure format.

Some Practical Definitions

The following are not legal definitions, but hopefully offer a practical framework to understand how we might categorise such data, and manage our obligations towards it:

“Confidential”

Secret information that must not be disclosed to anyone unless there is a legal obligation or permission to do so. (There are also specific issues and exceptions relating to “classified information”, public interest matters, whistleblower protection and Freedom of Information requests.)

“Private”

Information which is not for public or general consumption, although the data itself may not be “confidential”. May still be subject to legal protection or rights, such as the right of adopted children to discover the identity of their birth parents, or the right of someone not to be identified as a lottery winner.

“Personal”

Data that relates to, or can specifically identify a particular individual. An increasing issue for Big Data, because data that otherwise resides in separate locations can now be re-connected using triangulation techniques – scrape enough websites and drill down into enough databases, and you could probably find my shoe size.

“Public”

Anything that has been published, or easily discoverable through open search or public database retrieval (but, for example, does not include my past transactions on eBay unless I have chosen to disclose them to other users). My date of birth may be a matter of record, but unless you have authorised access to the relevant database or registry, you won’t be able to discover it and you certainly shouldn’t disclose it without my permission.

Copyright Law

One further dimension to the debate is copyright law – the ownership and related rights associated with any creative works, including photographs. All original content is copyright (except those works deemed to be in the “public domain”), and nearly all copyright vests with the person who created the work (unless they have legally assigned their copyright, or the material was created in the course of their employment).

In the scenario described above, the photographer would hold copyright in the picture they took. However, if the photograph included the image of an artwork or even a framed letter hanging on the wall, they could not reproduce the photograph without the permission of the person who owned the copyright in those original works. In some (limited) situations, a photograph of a building may be subject to the architect’s copyright in the design.

Curiosity is not enough justification to share

My personal view on all this is that unless there is a compelling reason to make something public, protecting our personal privacy takes precedence over the need to post, share or upload pictures of other people in their private residence, especially any images taken without the occupants’ knowledge or permission.

Just to clarify, I’m not referring to surveillance and monitoring by the security services and law enforcement agencies, for which there are understandable motives (and appropriate safeguards).

I’m saying that if we showed a little more respect for each other’s personal space and privacy (particularly within our homes, not just in cyberspace) then we might show a little more consideration to our neighbours and fellow citizens.

Next week: It’s OK to say “I don’t know”