Author: Sue Lewis, Chair, Financial Service Consumer Panel
In the final comment piece for the Observatory's Data Fortnight, Sue Lewis, Chair of the Financial Service Consumer Panel, presents the findings of their recent research on how consumers consent to sharing financial data with a third party. She also provides recommendations for government and businesses to avoid consumer harm.
Changes in financial services regulation – ‘Open Banking’ and the EU’s Payment Services Directive 2 – open up new opportunities for consumers. The unprecedented access to individuals’ banking transactions paves the way for new, innovative and more secure services such as money management apps or faster, more convenient ways of making payments.
There are risks, too. There have been increasing reports of the misuse of consumers’ personal data. Online fraud and scams are all too common. The Panel wanted to find out how well consumers were prepared for the new world of data sharing, and what changes might be needed to help them get the most out of it. Did they understand what it meant to share their data with third parties, or the value of their financial information?
The research we commissioned was also timely ahead of another important regulatory development, the General Data Protection Regulation (GDPR). The GDPR sets a high standard for consent – it should be ‘freely given, unambiguous and informed’. The concept of ‘genuine consent’ as introduced by the GDPR has not yet been tested in practice, but it is clearly a step-change in approach and should, if supervised and enforced robustly, give people real choice and control over their data.
The research also found that, although people expressed some concerns about sharing their data, they valued speed and convenience so highly they were willing to take the risk. People read online reviews, relying on the ‘wisdom of the crowd’. Most also thought that they were protected by the law, although they were vague about the specifics. For most people, the T&Cs were not relevant to their decision to sign up to a service, which is hardly surprising as T&Cs are non-negotiable contracts which the consumer must accept in their entirety to get what they want. This not only goes against the ‘genuine consent’ principle introduced by the GDPR but also means that if people can’t give informed consent, then they are not being treated fairly. They are giving up their data, but have no way of telling whether this is a good deal or not. With increasingly complex chains of providers there are limited tools available to help people understand how their data can be used – and monetised – by third parties, and how to keep it safe.
The recent Government Consumer Green Paper recognises that consumers’ data are commonly collected by online companies in exchange for ‘free’ goods and services. In this world, consumers need to understand what they have agreed to when accepting a contract or privacy notice. The Government’s intention to improve the clarity of online T&Cs is a step in the right direction, but it needs to recognise that T&Cs are there to protect the provider, not to enlighten the consumer. T&Cs must be fit for a digital age, and take account of behavioural biases, especially consumers’ strong revealed preference for speed and convenience.
For the opportunities of data sharing to be realised, it will also be necessary to ensure that firms that use poor or exploitative practices are excluded from the market, and other steps taken to avoid consumer harm. The Information Commissioner’s Office (which will have overall responsibility for supervising and enforcing the GDPR) and the FCA recently published a joint statement which said both organisations would be working closely to ensure GDPR is enforced properly. While this is welcome, more is needed.
The Government needs to take a bold approach and put the interests of consumers and society at the heart of the data-driven economy. This will require a concerted effort across relevant Government departments and regulatory authorities, and the right infrastructure will need to be established. Following our research, we recommended the introduction of a Data Ombudsman Service. This would give consumers access to individual redress for misuse of their data, and may help deter poor practice among providers.
In the financial services sector, significant work will be needed to inform consumers about the new world of data sharing. Without genuine informed consent, there is a risk that the large information asymmetries that currently exist between incumbent providers and consumers will simply be transferred to other companies or new intermediaries, rather than boosting competition and acting as a catalyst for innovative services that truly benefit consumers. So far, no organisation has taken the lead in raising awareness about the risks and opportunities of data sharing in financial services. This could undermine trust in the new world, or worse, lead to consumer detriment.
Clearly, industry will also have a critical role to play. The Panel would encourage firms to see GDPR as an opportunity to demonstrate a new level of transparency and trust. They should begin by introducing Ethics Committees that report to their boards on how they are managing people’s data and communicating effectively with consumers. By combining this with the advances in innovation brought about by Open Banking, there are real commercial benefits to be reaped for those who embrace the change and rethink their approach to data and the enhanced customer relationships and experiences it allows.
Our full list of recommendations to the regulator, Government and other stakeholders can be accessed here.