
What can NZ learn from UK data protection laws?

Penalties set to rise exponentially, giving an early warning for local businesses
Ant Tyler

The GDPR (General Data Protection Regulation), launched a few months ago, has significantly impacted the UK financial services industry. One of the biggest results has been the need for businesses to commit to an ongoing programme of work to make sure they don’t breach data protection laws and get hit with large fines.

Jade Software board member Henry Varney recently explained to business leaders at a roundtable event what the key considerations are in dealing with the new GDPR regulations. Drawing on his experience as COO of the UK’s Skipton Building Society – which owns Jade – he said Skipton was investing millions of pounds each year in compliance activities.

“Fines for breaching regulations have increased from a maximum of $1m under the old Data Protection Act (DPA) to $40m, or 40 percent of group turnover,” he said. He quoted the example of credit rating agency, Equifax, who were recently fined £500,000 by the UK’s data protection agency for failing to protect customers’ personal data.

“They were fined the maximum under the DPA,” he said. “If the breach had occurred under new GDPR laws the amount would have been significantly higher.”

Highlighting the UK experience, Henry encouraged business leaders at the roundtable to engage in an ongoing programme of work, rather than wait until they were forced to act – at which point cumulative costs could be prohibitive and regulator pressure significant.

He also pointed to the need to understand how and where shared customer data was being used further down the supply chain. “Which suppliers are you sharing your data with, where does your data go and what consent was given when it was collected?” he asked. “Even though you can push contractual risk to your suppliers, in the UK we are still responsible to the regulator.”

 

Quality of data consents in marketing is critical

The third area he focussed on was data protection in the marketing environment, saying that the quality of data consents is critical. Regulations in the UK – and many countries around the world – now specify that consent wording must be crystal-clear. Henry explained that Skipton had to go back to around 15 percent of its customer base to obtain re-consents, as the existing process didn’t meet requirements.

This resulted in a significant drop-off in marketing opt-in consents, which is common to the financial services industry around the world, including New Zealand.

His takeaway from the GDPR experience in the UK is that it is a “nightmare”, and he questioned whether it offered consumers much more protection than existed before. He said the cost associated with compliance is nowhere near worth the value of that protection. “However, it is the cost of doing business today,” he said, “and it’s something that businesses around the world have to come to terms with.”

Turning to the subject of open banking, Henry explained that new laws introduced in the UK in January this year are starting to have an impact on the marketplace. “The biggest question is, is this just an evolution of business that we slowly need to adapt to, or is this a Kodak moment, a tipping point, a revolution in the banking models of today?”

Open banking is still a new concept in New Zealand, but interest is growing as it gains momentum in the UK and Australia. Under an open banking regime, banks are required to share their customers’ transactional account data with third parties if the customer requests it.

While UK banks have been told to allow third parties to access their systems through APIs (application programming interfaces), the NZ Government is currently giving banks a chance to self-regulate and open up their systems of their own accord.

 

Open banking aggregates financial data in one place

Payments NZ, which manages New Zealand's core payment systems, launched an open banking pilot in March this year in an attempt to make transferring money easier. And an open-banking start-up, Jude, is designed to amalgamate all of a person’s data to ensure bills are paid on time.

Jude founder, Ben Lynch, said on Radio NZ recently that one day it would work as a private banker in your pocket. “You might have 50 different apps on your phone, your banks, telcos, Trade Me. This is like a dashboard for all that stuff in one place.

“All that data is yours, so I thought if you could aggregate it into one place you'd have a much better experience.” Ben started Jude in response to his own frustrations with bank fees, and multiple passwords and payment portals he had to negotiate just to keep on top of day-to-day expenditure.

Another Jade board member and Skipton Group Commercial Director, Alex Robinson, explained that even with the introduction of legislation governing open banking, the practicalities of accessing many disparate systems are challenging. “The big banks are only now starting to understand their own data,” he said.

Open banking is allowing agile start-up fintechs to play an increasing role in the financial services industry, Alex explained. “This is leading to big banks investing in them and watching to see what role they play as the market develops.”

He also touched on various ways that financial institutions could mitigate the increased risks that accompany open banking, including identity theft. “It’s possible to use machine learning and AI to check the age of website and photograph information and track the movement patterns of money,” he explained. This is core functionality in AML products like Jade Software’s product ThirdEye.


