In a world where data can zip around from country to country as easily as it can move across town, it's critical for global banks to ensure compliance with the customer data privacy laws enacted throughout the world.
"Data is essentially mobile now," said Dennis Behrmann, research analyst, Meridien Research, Newton, Mass. "There's a tremendous amount of power that financial institutions can capitalize on."
But the power of data has been kept in check by national and international government entities, for reasons that go beyond protecting the customer. The varying laws and regulations surrounding customer data privacy are "built on a series of political, national, and economic interests," according to a recent Meridien Research report, "Privacy Management and Compliance: The Tip of the Iceberg."
Indeed, the issue can be viewed through the prism of competitive positioning between financial institutions in the United States and the European Union. "The European Union directive was worded so that, by nature, E.U. financial institutions would have a home field advantage," said Behrmann.
According to the directive, firms holding data on E.U. consumers must provide an "adequate" level of protection to that data. U.S. banks, which under the Gramm-Leach-Bliley Act did not have to provide the same level of protection, had faced limited access to key foreign markets.
However, the U.S. government has been able to bolster the strategic positioning of its domestic financial institutions. "The U.S. Department of Commerce has assured the European Union that U.S. financial institutions largely meet the obligations put forth in the E.U. directive, and that they will enforce it," said Behrmann.
Compared to the European Union Privacy Directive, the Gramm-Leach-Bliley Act in the U.S. has a limited scope and much more limited objectives. "The E.U. directive applies to any organization that engages in commercial activity with consumers," said Behrmann. "It's among the most strict privacy legislations, globally."
Aside from regulation, the marketplace will also push banks to adopt stringent data privacy policies and procedures. Privacy has become a "competitive differentiator" for financial institutions, said Behrmann. "Consumers are now starting to choose institutions partially because those institutions meet their privacy requirements."
Although the impetus for many banks' privacy initiatives has stemmed from regulatory initiatives, that's not the main reason to zealously maintain, track and guard customer data. "For financial institutions, this is about customers and their needs," said Behrmann. "Compliance should not be the primary focus."
Still, banks face substantial risks should they fail to properly protect customer data. "If there's, for example, a $10,000 penalty per incident, that can really add up if a privacy violation occurred across a large financial institution's customer base," said Behrmann. "That's extreme but possible."
By the same token, customers whose data is either passed along to an unauthorized party or stolen from the bank's information systems may have grounds for legal action. "The institution has some obligations to protect that data," said Behrmann. "If they don't meet those obligations and the customer is damaged in any way, the customer may sue the institution."
But with or without legislation, there's still the reputational risk involved with failing to guard customer data. "Financial institutions are in the business of trust," said Behrmann. "If you become known as the bank that continually violates your customers' privacy, you're probably going to lose the business."