I want to start by acknowledging some things that we know. We know that we must innovate in order to move forward. We know that innovation brings risk and that this risk must be managed. But in financial services, more than any other industry, we also know that it is risk that drives return. We know too that we are regulated and that we must comply with that regulation. But while regulation helps manage the risk, we also worry that it stifles innovation. There is a delicate balance to be struck if we are not to see this cycle (see diagram below) as a vicious one.
It is commonplace to think of regulation and compliance as a burden. We have often heard clarion calls for deregulation and bonfires of red tape. We know informally that privacy departments are often known as the department for business prevention.
Regulation is a complex business. We have seen that. It is caught between devils in the detail and conflicting interpretations of high-minded principles. Innovation though moves fast, and the regulators and legislators struggle to keep up. I think it is of course tempting to think that innovation would move faster still if the regulators and legislators stopped trying. But innovation in moving fast also breaks things. This is famously being celebrated by the innovators, but often rather less so by those whose things are being broken. Reassembling what has been shattered or replacing it can be expensive and time consuming – sometimes to the point that we lose more than we gained from the innovation in the first place. So, the break that we perceived to be applied by regulation can perhaps be a useful one and the time bought by moving a little more slowly may be time spent well. The most important thing that we risk breaking, if we treat regulation as a burden and an obstacle, is trust. Counter party trust, business trust and above all consumer trust. Effective regulation is a source of confidence. It is a leveller of the playing field between parties in often deeply asymmetric relationships It is an assurance that somebody with power is looking out for our interests. We know that this is true. It is the rule of law and the effectiveness of regulation that brings inward investment and supports capital raising. It is government guarantees, increased capital adequacy requirements and demanding stress tests that give depositors confidence in banks. It is as we saw so memorably last year, prudence, restraint and control that are the foundations of an economy’s international reputation.
Yet, still in privacy at least regulation, seems more resented than revered. Seeing data rules as an obstacle means that not only do we miss the points of the lessons learned in other regulatory spheres but that we are also missing out on a critical competitive advantage.
In their marketing, financial services firms make great play of their prudence and the balance sheet strengths that results from it. They understand both intuitively and rationally the primacy of trust in their relationships with their customers. Firms lean into prudential regulation holding more tier one capital than they are strictly required to. They lean into conduct regulation offering better fraud protection and improvements in product and customer service. They do this to build customer trust, retaining existing customers and attracting new ones and they manage it while still innovating and balancing the risks that drives returns. So why don’t we lean into data privacy and data protection and put it at the heart of our innovation? Since, as an industry, you know better than any other the value of trust, why not invest in earning it here also?
At Securys in our Privacy Made Positive® research programme, we have learned that everywhere we run surveys which is all across Europe and all across the US, consumers consider privacy to be a critical element in brand trust. We have also learned that they act on those concerns with more than two thirds of them actively seeking products and services on the basis of privacy and the same proportion actively refusing to buy products and services where they have lost that trust.
If you doubt the value of privacy and the opportunity offered by treating it as a competitive advantage, let me ask you a difficult question? Ask yourself why we fear and admire Apple in such measure as we watch them patiently and inexorably moving into financial services and worry about them eating our lunch. We should recall that they built their ecosystem fundamentally on being trusted with their customers’ data. They have walls in their walled garden and they are high walls that are effective at keeping out predators and their promises about the security that offers have been on building high billboards as you might recall. At the same time, they have worked to associate their brand with responsible use of the data inside the walled garden so that their customers become more comfortable with sharing more data with them.
At the heart of all this is this principle of the willing buyer and the willing seller. Every time we extract data with menaces, obtain it by deception or abuse it once we have got it, we bleed away a little of that inestimably valuable trust. But by the same token, anything that we do wholeheartedly and truthfully to use data in ways that we can demonstrate are for the benefit of our customers, not only rebuilds their trust but increases their inclination to share their data with us. Compliance with data protection regulation should be seen as a launch pad not a hurdle and it should be a natural outcome of our core values and our behaviour towards our customers, not a reluctant bolt on.
The industry is of course a servant of several masters not merely data protection regulation. There has been and will be extensive debates about tensions between financial services regulation particularly in areas like KYC and AML and data protection rules on the other hand. These tensions are real and much remains to do by way of regulatory co-operation and alignment. But the fundamental principle of treating customers fairly, lawfully and transparently are intrinsic to both regimes. It is not for nothing that the FCA has introduced Principle 12 afterall; the pursuit of good consumer outcomes. We must not only earn customer trust, we must also trust that in doing so, we will improve our own long-term outcomes. This is the heart of the willing buyer willing seller relationship.
This morning’s discussion has been extensively about artificial intelligence and never perhaps of the tensions between innovation, risk and compliance been writ larger. Never has the opportunity to benefit mankind been greater, not have the dangers inherent in moving faster and breaking things, been more pronounced. If we treat regulation as an after thought and an obstacle, we will fail. Indeed if we treat regulation as the sole answer, we will fail. We must recognise that the principles of privacy, along with the principles of good outcomes and fairness as natural justice, can be our guiding lights in steering towards mutual advantage without being crushed by the rocks to either side in our difficult passage. This is not a simple course to steer. Fortunately, with a slightly classical illusion you have data privacy and your privacy teams as your ‘Athena’ helping to push the rocks out of the way and help guide your ship through the passage. Data protection has a clarifying focus protecting the rights of and assessing the benefits to the data subject. That focus cuts through some of the complexity and it reminds everyone that everyone involved in all of this process that somewhere, at the bottom this technology stack, swimming around a data lake and hiding behind a profile, a risk decision, a pricing algorithm is an actual living, breathing human being. That is what our data subjects are. If we forget their humanity and treat them either as a resource to be mined or perhaps drilled into if data is the new oil, or a problem to be solved, we will lose their trust and with it we will lose their custom. On the other hand, if we serve them well and we protect them from harm and we deliver them benefit, they will in turn buy from us, recommend us to others and remain loyal. So, my plea to you is not to treat your privacy team as outsiders, as obstacles, as hindrances to growth. Bring your challenges to them early and wholeheartedly, embrace them as part of your innovation process, recognise that they too understand the balance between risk and reward and let them help you build trust and deliver competitive advantage.
