Towards a new age of economic enlightenment - Sipotra

Page created by Herman Lowe
 
2    Data: Towards a new age of economic enlightenment

Official Monetary and Financial Institutions Forum
meta.com
6-9 Snow Hill, London, EC1A 2AY,
T: +44 (0)20 700 27898
omfif.org    @omfif.org

About OMFIF
With a presence in London, Singapore,
Washington and New York, OMFIF is an
independent forum for central banking,
economic policy and public investment
— a neutral platform for best practice in
worldwide public-private sector exchanges.
For more information visit omfif.org or
email enquiries@omfif.org

Phil Moore
Contributing Editor
Mausi Owolabani
Policy Analyst
Clive Horwood
Managing Editor and Deputy
Chief Executive Officer
Simon Hadley
Director, Production
Fergus McKeown
Subeditor
Sarah Moloney
Subeditor
William Coningsby-Brown
Production Manager
Kat Usita
Managing Director, Research

Acknowledgments
OMFIF thanks the many associates and
colleagues from co-operating institutions
for their assistance and guidance in helping
to create this report.

© 2021 OMFIF Limited. All Rights Reserved.
Strictly no photocopying is permitted. It is illegal to reproduce, store in a central retrieval system or transmit, electronically
or otherwise, any of the content of this publication without the prior consent of the publisher. While every care is taken
to provide accurate information, the publisher cannot accept liability for any errors or omissions. No responsibility will be
accepted for any loss occurred by any individual due to acting or not acting as a result of any content in this publication. On
any specific matter reference should be made to an appropriate adviser.
Company Number: 7032533. ISSN: 2398-4236

Contents

Foreword: Let’s have a dispassionate debate about data. By John Orchard, CEO OMFIF
Introduction: Data: Towards a new era of economic enlightenment
Chapter 1: Regulators grapple with the role of data
Chapter 2: The fundamental role of data
Chapter 3: Data and digitalisation can drive SME growth
Chapter 4: How data can address policy challenges
Chapter 5: Ensuring safety in data
Chapter 6: Data flows in a digital economy – policy considerations

Foreword

Let’s have a dispassionate debate about data

Public and private sectors need to engage constructively to deliver the undoubted benefits of appropriate data usage. By John Orchard, CEO, OMFIF

OMFIF sets out to be the place where public and private sectors meet to shape finance and economics. Nowhere is that more complex, fast-moving and impactful than the intersection of technology and money.

OMFIF has had some of its liveliest discussions in the last 18 months about digital currency. The technology itself is a subject for wide-ranging discussion, the policies it obliges us to reconsider even more so.

Collecting and applying data is at the heart of that discussion. Regulators are working out how to reconcile the competing needs of supervision and privacy. They know that technological and data-driven innovation can potentially bring enormous benefits and efficiencies to businesses, financial institutions and most of all citizens, but not without risks.

They also need to consider resilience. As a central banker recently pointed out to us, the room for failure, especially in the realm of sovereign money is very small. There are no easy answers to any of these challenges, though technology itself may generate some of the best.

This report aims to set a neutral course through what is often a polarised and emotional debate about the use of data. But it also unashamedly looks at areas where appropriate application of data has provided – or could provide – enormous benefits, not just in the financial sector but also in other sectors such as healthcare.

The official sector, regulators and technology companies are in the process of understanding one another better and evolving with their respective needs and competencies in mind. The application of data to the world of money and business is still relatively new, but, with appropriate checks and balances, it offers increasing levels of productivity, capital efficiency and financial inclusion, among other benefits.

The benefits to people, businesses, societies and economies could be transformational. OMFIF is pleased to convene this discussion.

Introduction

Data: Towards a new age of economic enlightenment

Data have the potential to bring transformational benefits to public policy, societies and economies. This will require a diverse group of regulators to work closely with businesses which collect and disseminate data.

‘FINANCIAL inclusion is a significant catalyst for economic development. However, more than one-third of adults in our country remain unbanked. Because of this deplorable state of financial services, unbanked individuals miss out on the opportunities brought about by convenient digital payments. More importantly, because of the high unbanked rate, opportunities to distribute social benefits in a more efficient way cannot be achieved by the government. This is the reason why the government has intensified its campaign for financial inclusion.’

‘Financial inclusion cannot be achieved without necessarily collecting, processing and sharing personal data to comply with our central bank’s policy on customer due diligence.’

So said a senior data regulator for one of Asia Pacific’s most populous countries. If ever there was a call to arms to ensure that the data that pervades our lives, our businesses and our economies can be used to enhance our collective wellbeing, this plea would serve it well.

An African data regulator told OMFIF: ‘Financial inclusion is one of our government’s main objectives. However, one of the main barriers is the lack of proper identity. Means of identifying unbanked persons which are innovative and respect privacy would enhance the rate of financial inclusion and reduce poverty.’

There’s little doubt that digital transformation could turbocharge mass inclusion. But that can’t be achieved if the ability to verify your identity because of a lack of documentation remains out of reach. Could a social identification be the solution? It could complement digital or biometric IDs and use social activity to establish identity and verify patterns that enhance a user’s profile. Each individual would own their social ID, but it would be portable across platforms and jurisdictions. Would this assuage competition concerns? What guardrails would need to be in place to allow for data portability? How would security and privacy standards adapt?

Relying on data to facilitate a greater number of the unbanked and underbanked gaining access to financial services is just one area where data could be used to improve policy decisions to meet policy objectives.

The collection and use of data should be enabled and celebrated as a means to help tackle our biggest societal issues. Instead, it is increasingly weaponised. The earlier part of this century had a big focus on how data can be a force for good. In recent years, discussion around data has coalesced around methods for guarding and limiting collection and use of personal data and the potential harm that the abuse of data collected on individuals can cause. Big data has become synonymous with bad data.

At the centre of this dialogue are the myriad regulators trying to plot a path through a fast-changing, hard-to-understand, difficult-to-reconcile set of requirements and responsibilities around data. Technological advances and Covid-19 have demonstrated that data can unlock key understandings to help with the world’s biggest problems and that this can be done in a way that protects people’s fundamental right to privacy.

This report sets out to present a view of the positive use cases for data and how they could be used for greater economic benefit, while complying with the essential need to protect the individual and prevent the illegal. It does not shy away from well-documented concerns about the misuse of data. But it argues that such incidents should not detract from the benefits an enlightened approach to the collection and application of data will bring for policy objectives.

In researching this report, OMFIF spoke to a diverse group of public sector bodies that play an important role in regulating the use of data. They come from the Americas, Europe, Africa and Asia Pacific. And they have differing approaches and attitudes to this crucial area of regulation.

Many of the regulators interviewed by OMFIF take a protectionist stance. They focus on the needs and rights of consumers almost to the exclusion of all other considerations.

Data localisation – the practice of keeping data in the region it is generated within – is another area of concern which hampers the sharing of information. Often this falls under the auspices of national security or the fear that a nation’s sovereignty is threatened if it is unable to exert full control over data that is stored outside its borders.

Others recognise the tensions between privacy concerns and the appropriate use of aggregated and anonymised data by both the public and private sectors, and have yet to solve them. A small number actively embrace the use of data – appropriately monitored – for economic benefit.

In the latter case look – as is often the case in digital matters – to Singapore for an example. The country recently amended its Personal Data Protection Act to update the list of legitimate purposes for which businesses may collect, use or disclose personal data. These include the following: if it is in the legitimate interest of the business, for example, if it is for the purpose of detecting or preventing fraud or money laundering or to ensure the integrity and safety of systems; if it is for business improvement purposes, for example, improving, enhancing or developing new goods or services; or if it is for the performance of contractual obligations, for example, where the organisation needs to sub-contract or disclose the personal data to another organisation for the performance of a contractual obligation to the individual or a transaction sanctioned by the individual.

Underpinning all of this is the fundamental principle of accountability. Accountability is an organisation exercising responsibility over personal data in their care and being answerable to individuals who have entrusted these organisations with their data. This entails protecting personal data and using it for not just lawful but ethical purposes to benefit consumers.

While any kind of global standard will be hard to achieve, accountability as the baseline is a logical and important starting point. Governance and regulation of data is fragmented and inconsistent. It is notoriously difficult to provide common frameworks in any part of the global economy. The Basel banking accords came close, but in the end failed to generate universal adoption. Finding a common framework will be extremely difficult, for all that many regulators see the European Union’s general data protection regulation as a gold standard. That’s at least in part because how data are regulated, where the mandate for regulation resides and what powers those regulators have differ markedly from country to country.

Some jurisdictions have adopted a centralised approach in regulating the use of data. In these cases, one agency – usually a data privacy commission – has the overarching responsibility for data protection regardless of the sector in which the data is being used, whether it be financial services, health, social welfare or others. In other cases, countries have adopted a more sector-specific approach, with different regulators assuming responsibility and issuing guidance for aspects of data privacy within their remits. In some jurisdictions, for example, a central bank or financial regulator is responsible for regulating the use of data.

The governance structure of the jurisdiction plays a key role in determining the responsible body or agency. For instance, the European Parliament and Council of the European Union issued the GDPR to regulate the protection of individuals with regard to the processing of their personal data and on the free movement of such data within the EU. Each member state set up their own respective data protection agencies, as well as national laws, to implement the GDPR and monitor compliance with the requirements of the regulation by data processors and controllers.

Although the specifics vary for each country, data privacy commissions are usually responsible for enforcing data privacy laws, protecting the fundamental rights to personal data, investigating and prosecuting data breaches, and handling consumer complaints. However, in some jurisdictions, the responsibility for data protection may sit within agencies responsible for information technology, trade and industry, or consumer protection more broadly. In the US, the Federal Trade Commission has been the chief federal agency on privacy policy and enforcement since the 1970s, when it began enforcing one of the first federal privacy laws – the Fair Credit Reporting Act. Since then, rapid changes in technology have raised new privacy challenges. Meanwhile, some states have legislated their own data protection laws and assigned agencies within those states to regulate data privacy issues.

This report aims to open a discussion among this diverse group of regulators to explore themes of common interest. It does so by telling a story about how data has benefited economies and societies in the past, present and will do in the future.

It looks at the fundamental role of data in all organisations, from governments to healthcare providers and even travel companies. It puts focus on the special case of small- and medium-sized enterprises, in providing them with better credit through data and spurring innovation. It examines how to garner safety in data, solving the tension between privacy and data sharing. And it speaks in detail of the different approaches taken by regulators, in particular in financial services.

It is clear that unlocking the benefits of data at both a country and international level will require co-operation and coordination across different regulatory bodies, including those that oversee privacy, the financial sector, economies and indeed the state as a whole.

The report does not pretend it is in a position to make detailed policy proposals. Rather, it aims to encourage dialogue among all stakeholders in the data universe to promote best practice.

OMFIF thanks all of the regulators who took the time to speak to us about these vital issues. We welcome your feedback on our report and hope that it adds an important new aspect to the debate on data.

Key findings of interviews with regulators

Data regulators broadly fall into one of three camps:

- Those that put an emphasis on consumer protection ahead of all other considerations;
- Those that recognise the tension between privacy concerns and the appropriate use of aggregate data by both public and private sectors;
- Those that embrace the widespread use of anonymised data for the benefit of state, businesses and the economy as a whole.

Many of the regulators that took part in the OMFIF study expressed confidence that the economic and societal advantages of the responsible use of data are extensive. These include:

- Financial inclusion, especially the ability to provide tailored financial services to the unbanked and those with limited access to credit;
- Businesses, in providing better consumer insights for SMEs enabling them to scale up their operations;
- Social services, including improving the quality and delivery of healthcare and education.

Of the regulators interviewed, 76% said that existing regulations on data privacy in financial services and other sectors are sufficient, with some of these stating that they need to remain proactive and keep up with the pace of innovation.

The majority of policy-makers (69%) do not see a conflict between anti-money laundering or compliance considerations and data protection policies. Among those that do recognise tensions, one respondent noted that they tend to arise from a lack of understanding and co-operation among the regulatory authorities.

There must be flexibility in the application of rules, especially where public interest needs to be demonstrated. Inter-agency collaboration is important, especially between central banks and data protection agencies.

The use of data by governments is the primary focus of those regulators considering how data can be used for economic and social benefits. Very few are considering the positive use of data by the private sector, which they largely regard as a group to be limited, rather than encouraged.

Continuous education and engagement with the public and industry must raise awareness of the role of data:

- Consumers need to be aware of their rights;
- Businesses need to be aware of their legal and ethical obligations;
- All institutions, including governments, need to be aware of the ways through which they can maximise the use of data to improve services and grow.

Chapter 1

Regulators grapple with the role of data

Interviews conducted by OMFIF with global data regulators show widely differing approaches to oversight and a need for greater understanding of the role of data.

AT a regulatory level, there is no such thing as one size fits all in the datasphere. An OMFIF study of regulators’ views on data privacy suggests these authorities fall into three broad camps. In the first are those that emphasise consumer protection above all other objectives. The second is made up of those that recognise the tension between privacy concerns and the appropriate use of aggregate data by both public and private sectors. And the third is characterised by regulators that embrace the widespread use of anonymised data for the benefit of state, businesses and the economy as a whole.

There are a number of factors explaining this diverse range of regulatory attitudes to data privacy. Some regulators are relatively new to the notion of data protection, with governments in countries such as Egypt, India and Saudi Arabia having recently introduced data protection laws for the first time. In some cases, this has been driven by a recognition that clear regulation governing the datasphere is a prerequisite if they are to attract the investment they need to build a digital economy. Others, which were quicker to identify digitalisation as a national economic strategy, have a much longer track record of data protection legislation. Singapore, for example, enacted its Personal Data Protection Act in 2012.

In the narrower sphere of the financial services industry, regulatory attitudes towards data privacy are shaped by varying levels in local financial literacy and inclusion, technological and human resources capability, idiosyncrasies of legal systems and natural regulatory caution. Responses to OMFIF’s study of regulators suggest that the majority recognise that their principal objective is to address the tension potentially arising from the need to respect privacy without hampering innovation.

One European Union-based respondent to the OMFIF study addressed the regulatory conundrum presented by data privacy by commenting that ‘it should be noted that in a democratic society, it is necessary to constantly reconcile different interests and not to upset their balance. One way of reconciling interests is to restrict the rights and freedoms of the individual, for example, by enacting legislation that allows for the processing of personal data.’

‘The evolution of systems like open banking have been driven mainly by a focus on competition as a policy goal,’ said a regulator from a G7 central bank in response to a question about the tension between the use of data and sensitivities about individuals’ privacy. ‘In this and other areas, we have been focusing for a while on encouraging an increase in the flow of data to enable innovation and financial well-being, balancing this with the goals of maintaining high levels of consumer protection, cybersecurity and safety and soundness. The growth of our fintech ecosystem has generated a new set of opportunities, but the challenge is to manage the shift towards new forms of innovation that require more of a focus on privacy without limiting economic activity.’

This regulator reports that, to date, a number of use cases suggest that access to aggregated user data is having a positive societal impact. Take, for example, the contribution it has made to the promotion of financial inclusion, which means different things in different societies. A respondent from the central bank of an emerging economy said that with more than one-third of its adult population unbanked, access to basic banking services in his country was ‘deplorable’. This would be an inappropriate way to describe official calculations of the unbanked populations of highly developed economies. But financial exclusion estimates of 7% in the US and 6% in Spain, France and Italy all remain unacceptably high. So too does the level in the UK: ‘Today, there are currently 1.2m unbanked people in the UK, who by and large rely on cash and cannot access digital payments or can access them only at disproportionate cost,’ said Jon Cunliffe, deputy governor of the Bank of England, in May 2021.

‘Our major challenge is that because data is such a broad term, we don’t have enough people working in this agency to investigate all the cases that are presented to us.’

The regulator at a G7 central bank explained that its priority is on addressing access to financial services across the broader subsection of society that is less narrowly defined as underbanked or underserved, rather than unbanked. Leveraging data-driven opportunities, said this regulator, can play a decisive role in widening and improving the availability of financial products among consumers and small businesses with limited access to credit. ‘Increased digital access and more efficient identification and authentication can benefit thin-file or no-file individuals, or those with low credit scores that might not have been able to access loans under traditional underwriting approaches,’ said the regulator. ‘Accelerated and more accurate decision-making means that personalised, customer-tailored and competitively-priced products can be made available to more consumers outside the mainstream credit system.’ This regulator said that another example of an initiative supported by enhanced data use is earned wage access, which is helping consumers to receive and redeploy their wages prior to payday. Even in this highly developed economy, 40% of households are estimated to be struggling to pay unexpected bills, and 38% report a timing mismatch between the receipt of their wages and the due date for their household bills. Data-driven earned wage access throws a financial lifeline to those unable to make these ends meet. It also provides a useful societal purpose by discouraging predatory payday lending.

Solutions such as these may appear beguilingly straightforward. But as this regulator noted, the tsunami of data being generated in today’s society is generating formidable challenges as well as opportunities for the financial services industry and the regulators overseeing them. ‘The advent of new financial technology twinned with the increased volume, velocity and variety of data is creating issues with data governance,’ he said. ‘This is something we are looking at carefully, because we need to ensure that our banks have the right systems and governance in place to manage the new technologies, especially those that are more data-intensive. For example, the use of new third party providers and processors of data and connectivity is an area where some of the smaller institutions in particular may need guidance. Non-bank third parties holding and aggregating data is not necessarily inappropriate, but it may increase opacity and create new points of vulnerability from a systemic perspective.’

A practical example of a relatively new vulnerability, this regulator added, is banks’ use of artificial intelligence: ‘Most of this AI uses involve large volumes of data often coming in at a much higher frequency than traditional data and also sometimes with entirely new types of data. For example, banks are now more likely to process audio data for fraud prevention and detection purposes. The degree to which banks have

modified, upgraded or enhanced their systems to accommodate this higher volume, velocity and variety of data is something we are monitoring closely.’ Another example of a potential data-related vulnerability arises from consolidation in the financial services space. ‘Combining IT systems linked to merger and acquisition activity can also create challenges in the data governance area,’ said this respondent.

There is no indication to date that any systemic risk to the banking industry is building up as a result of complications associated with the volume, variety and velocity of data. This may be a function of the fact that the data revolution is probably still in its formative stage; it may be a by-product of the vigilance and natural caution of regulators. ‘There are definitely risks arising from open banking and from inadequate data governance and poor data management processes’, said one regulator. ‘But I don’t see these as being among the most important risk issues worrying bank supervisors’.

This is not to suggest that regulators themselves are underestimating the potential risks that may be embedded in the data revolution. Many of these have already been well-documented. As a result, strong defences have been constructed against technological vulnerabilities such as data breaches. Provisions have also been written into data protection acts aimed at preventing fraud, money laundering and the financing of terrorism.

Some potential vulnerabilities are more theoretical. One of these is the opportunity cost that may be incurred by banks unable or unwilling to allocate sufficient financial or human resources to data collection and analysis. Another, paradoxically, may spring from the emergence in the digital age of a more uniform approach to risk management. ‘As you move towards a more data-driven approach to lending, there will probably be an element of business model convergence, where banks adopt an increasingly uniform view of risk,’ said one regulator. ‘The emergence of a financial monoculture may increase banks’ aggregate exposure to the same potential shocks.’

The potential data-driven complications raised by this central banker are inevitably specific to the financial services industry. But all sectors of the global economy are impacted by the speed with which the creation, capture, storage and sharing of data is growing, and by the breathless pace of innovation that has been encouraged by this expansion. This is creating challenges for regulators across the public and private sectors, many of which are constrained by limited financial and human resources. ‘Our major challenge is that because data is such a broad term, we don’t have enough people working in this agency to investigate all the cases that are presented to us,’ said a representative of a European data protection agency with a staff of around 35 people. This was in response to one of eight questions put to regulators by OMFIF to gauge their views on the use of data and digital technology in financial services and across the public sector.

The same regulator reported that understanding of the issues raised by general data protection regulation, for example, has improved markedly over recent years among consumers and regulators alike. ‘Much of our role is educative, and I see a big difference between three years ago and today,’ said this respondent. ‘Members of the public are now more familiar with their rights and are addressing their concerns to us more frequently. The legal entities responsible for complying with GDPR are also much more familiar with the regulation. Three years ago, they asked very basic questions, such as “what is personal data?”. Now they’re posing more specific and complex questions about the role of data controllers and data protection officers. They’re looking at impact assessments and other ways of reducing the risks associated with data protection.’

Less positively, this respondent suspected that it is fear of financial sanctions rather than respect for consumers’ privacy that is the main driver of regulatory compliance: ‘I think these entities are nervous about the big fines that can be levied under GDPR. They’re not necessarily complying because they believe data protection is an important human right’.

The interplay between leveraging the benefits of data and building defences against its risks and dangers was a recurrent theme in regulators’ responses to the questions put to them by OMFIF. A well-diversified spread of 16 data protection authorities and other overseers from Europe, the Americas, Africa and the Asia-Pacific region participated in this survey, either verbally or in writing, which was conducted in the last quarter of 2021.

Question 1
Are there policy outcomes or objectives that could be attained through the collection, processing and sharing of data? What are the policy areas or issues that user data can help address?

Regulators from across the world told OMFIF that there was a range of notable public policy objectives that could be attained through the efficient collection, processing and sharing of personal data. In the words of one Asian regulator, ‘like land, labour and capital, data has become a primary factor of production. The lawful and responsible use of data, with due respect to consumer privacy, is indispensable for gaining the necessary trust from consumers and unleashing its full value’.

A number of respondents indicated that data sharing is an essential building block for the promotion of broader financial inclusion, which is a core government priority in many countries. A regulator in one emerging southeast Asian economy described the state of local financial inclusion as ‘deplorable’, adding that large sections of the unbanked populations are being denied the opportunities created by digital payments.

‘More importantly’, this respondent reported, ‘because of the high unbanked rate, opportunities to distribute social benefits more efficiently cannot be harnessed by the government. This explains why the government has intensified its campaign for financial inclusion’. The success of this campaign, added this regulator, is predicated on the efficient collection, processing and sharing of personal data. ‘This is also crucial in the day-to-day operations of financial institutions to identify, verify and mitigate any risk of fraud and money laundering which our country is faced with’, this respondent noted. It also emphasised the significance of the role data sharing plays in curbing corruption and organised crime.

An African regulator echoed the view that data sharing is a prerequisite for wider financial inclusion. In the absence of the necessary data, individuals will continue to be denied access to digital IDs which are increasingly necessary to open the doors to basic financial services. ‘One of the major barriers to financial inclusion is lack of proper identity’, this regulator observed. ‘Innovative and privacy-respecting means of identifying unbanked persons would enhance the rate of financial inclusion and reduce the poverty level’.

Other respondents agreed that data is making a notable contribution to supporting increased efficiencies in financial services by sharpening lenders’ insights into creditworthiness. One EU regulator pointed to the role played by its central credit information system, which stores data under strict and clearly prescribed legal conditions. This allows for the creation of a so-called negative list based on data on overdue loans, with positive data on repaid credit included only when explicit consent is provided by data subjects.

A Latin American respondent made a similar point about the constructive use of personal data for credit scoring, which can support product development: ‘This is used not just to track the credit history and debt profiles of data subjects, but also to provide tailored financial services to individuals based on the data collected for each person’.

Another regulator in Latin America shared the view that the use of personal data can make a notable contribution to product innovation: ‘The massive analysis of information - big data - the implementation of mechanisms with artificial intelligence, blockchain or smart contracts are examples of aspects that could benefit from (and even depend on) the collection and processing of users’ personal data’. This regulator added the rider that ‘those who create, design or use technological innovations must comply with all the rules on the processing of personal data’.

Question 2
Which groups in your jurisdiction do you think could most benefit from enhancement of services from use of data in the financial services industry and in the public sector?

Many of the regulators that were interviewed as part of the OMFIF study expressed confidence that the economic and societal advantages of the responsible use of data are extensive. One EU regulator highlighted its potential for supporting start-ups and fintech companies. This was echoed by a respondent which flagged the broader economic benefits of efficient data management: ‘Generally, consumers may stand to benefit from improvements to services provided by businesses. Small and medium enterprises may also gain deeper consumer insights and scale up their businesses through greater use of data in a responsible and accountable manner’.

Beyond SMEs, unbanked individuals and other financially disenfranchised groups, respondents indicated that data analysis is already making a notable contribution to the protection of vulnerable sections of society. One Asia-Pacific regulator commented that its privacy commission’s human services dataset is an increasingly granular and detailed source of information on areas such as health, education and justice.

Analysis of its dataset is now being used by this privacy commission to provide insights aimed at supporting vulnerable children and families. It is, for example, giving the government a new perspective on the degree to which children from foster homes are being provided with access to the same opportunities as more privileged youngsters. This privacy commission reported that the results of its initiative are measurable, and that key performance indicators to date suggest that it is already generating positive results.

Question 3
What are your (or your constituents’) priorities around the use of personal data?

Many regulators responding to the OMFIF survey indicated that their foremost priority around the use of personal data is ensuring that their oversight combines systemic resilience with respect for public interest and human rights. This caution was emphasised by one EU agency which observed that its priority regarding personal data ‘in the financial (or any other) sector’ is to ‘ensure compliance with the general rules of personal data processing set out in legal acts... such as GDPR’. This is designed ‘to ensure that personal data should be processed only in accordance with the principles relating to the processing of personal data set out in article 5 of the GDPR’. This processing, it added, must be ‘justified by at least one lawful processing condition under articles 6 and/or 9 of the GDPR’.

Similar caution was expressed by an Asian regulator. ‘This commission’s primary aim is to ensure that personal information controllers, especially in the financial sector, are resilient and are able to comply with global standards when it comes to data protection’, it reported. ‘The commission does this by ensuring that we provide interventions through the creation of policies, giving advice and information, opening dialogues and engagements, and providing standards and support’.

Safety-first was emphasised by a number of other regulators (these are explored in more detail in the responses to question 4, below). But there is also a growing recognition that safeguarding individuals’ privacy and leveraging the opportunities that are being unlocked by data analysis need not be mutually exclusive. Singapore’s Personal Data Protection Commission reported that its priority is to achieve ‘strong data protection while also facilitating use of data by businesses to drive innovation and growth’.

To this end, Singapore has recently amended the Personal Data Protection Act to update the list of legitimate purposes for which businesses may collect, use or disclose personal data. Permissible purposes range from those intended to detect or prevent fraud to those supporting business innovation and meeting contractual obligations.

Underpinning all of this, the Singapore commission explained, is the fundamental principle of accountability. This is defined as the exercise by organisations of responsibility over personal data in their care and being answerable to individuals who have entrusted these organisations with their data. This entails protecting personal data and using it for not just lawful but ethical purposes to benefit consumers.

Singapore noted that it had taken a number of steps to foster an accountability-driven culture through, for example, the introduction of tools to help organisations protect data, such as guides on accountability and data protection risk assessments. Singapore has also implemented a data protection trustmark certification as a form of recognition for entities that demonstrate accountable data protection practices.

Question 4
Do you believe that your jurisdiction has sufficient rules in place to safeguard individuals’ privacy with respect to the use of data in financial and other services? What specific data privacy regulations or policies do you have in place (or think should be in place) that are most important to protect users with respect to the collection of their personal data?

Respondents to the OMFIF survey were generally confident that they have ensured that sufficient rules have been applied to their data management to protect individuals’ privacy.

Again, Singapore appears to have been at the forefront in this respect. Frequently updating its regulation has helped it to apply a judicious combination of carrot and stick designed to safeguard consumers’ rights without hampering data-driven innovation. An amendment to Singapore’s Personal Data Protection Act in 2020 has required local organisations to appoint data protection officers to cultivate an accountability culture. Another recent amendment calls for them to notify the Personal Data Protection Commission of data breaches if they are likely to result in significant harm to the individual or if they affect more than 500 individuals. The maximum fine for violation of PDPA obligations, meanwhile, is being increased to 10% of local annual turnover for organisations at which this exceeds $10m.

Elsewhere in the Asia Pacific region, one regulator noted that it aims to maximise consumer protection through the rigorous application of the ‘five-safes’ framework to the management of its dataset. This is an internationally recognised approach to considering strategic, privacy, security, ethical and operational risks as part of a holistic assessment of the risks

associated with data sharing or release.

Combating re-identification risk was mentioned as an important part of regulators’ toolbox for protecting consumers’ privacy. ‘The information in our datasets is de-identified’, said one respondent in the Asia Pacific region. ‘But as you add more datasets the risk of re-identification rises. So, it is essential that the data is kept secure and accessed only by those who are permitted to do so’.

Other respondents suggested that because the data revolution is still in its early stages, it is unlikely that the full implications of data storage and sharing will be fully understood by the general public. This means that responsibility for personal data security must not be heaped entirely on to the shoulders of data subjects themselves. ‘It is not enough for data subjects themselves to grant consent for the sharing of their data’, said one Latin American respondent. ‘The process of granting the consent and the extent of usage needs to be determined not just by data subjects who may not be fully aware of their rights, but by government regulation’.

This implies that public education about data storage, usage and sharing needs to be a core component of regulators’ broader responsibilities. ‘Education of the public and industry is important to raise awareness of the obligations in the PDPA for organisations and the safeguards in place for individuals’, Singapore’s commission reported. ‘The PDPC holds regular events, which are open to the public, to highlight the importance of the data protection obligations and how they may be implemented. Advisory guidelines are also issued to help businesses interpret how the PDPA may apply in certain situations’.

Respondents shared the Singaporean view that the protection of data privacy is a fluid process which should be adaptable and updatable in response to market innovation. One European authority was confident that its national data protection law and GDPR combined to create ‘powerful legislation for data privacy’. But it added that it is keeping a watchful eye on the evolution of cryptocurrencies based on distributed ledger technology which could present a challenge to the guarantee of data subjects’ rights as stipulated in GDPR. ‘Discussions on how to deal with this challenge are ongoing’, this regulator noted.

Others said they were confident that GDPR has raised the bar close to the highest possible level in the pursuit of data privacy. ‘The overarching application of the GDPR to controllers carrying out any kind of activity involving the processing of personal data is considered to be a gold standard, sufficient to guarantee the protection of data subjects in respect of the collection, use and eventual retention of their personal data’, said one EU-based respondent.

Question 5
Do you perceive tension between meeting Anti Money Laundering and Combating the Financing of Terrorism compliance obligations and fraud detection and data privacy regulations? How can compliance policies evolve to reflect the increased reliance of consumers on digital information in the financial sector (and more broadly)?

Few of the respondents to the OMFIF survey believed there was any tension between AML/CFT compliance obligations and the protection of data privacy under GDPR or other local regulations. ‘The provisions of our national AML act are applied in accordance with the provisions and principles of the GDPR, in particular the requirements of necessity and proportionality’, said one EU regulator. ‘In practice, these require case-by-case consideration and monitoring’.

One Asian respondent went a step further, arguing that AML and CFT compliance requirements should be regarded as complementary to data privacy obligations: ‘We believe that the backbone of strong law enforcement surveillance is the implementation of relevant data privacy regulation. Effective, efficient, and accurate surveillance and law enforcement can only be possible if there is integrity in the personal data being shared by law enforcement authorities. Clearly the concepts of data privacy and AML/CFT strengthen each other, resulting in a more holistic approach towards protecting the financial sector’.

While most respondents indicated that they discern no tension between data privacy regulation and compliance obligations in areas such as anti-money laundering, a handful acknowledged that this is unavoidable. ‘Tension does indeed exist between the two pieces of legislation’, said another EU regulator. ‘Having said that, one must surely and equally recognise that there are certain common elements found in both AML/CFT and GDPR, including but not limited to, the risk-based approach and the requirement to have in place a proper and effective compliance programme (accountability). Moreover, obliged entities should ensure that they do not adopt a one size fits all approach in relation to the processing of personal data for the purpose of fulfilling their AML/CFT obligations’.

Question 6
Do you see any tension in the policy-making space between the application and use of user data in financial services and privacy considerations?

Similarly, few of the regulators interviewed by OMFIF believed that there was any tension between the harnessing of individuals’ data and privacy considerations in the financial services sector. Some noted, however, that minimising these tensions can be a delicate balancing act, calling for what one European regulator described as ‘continuous political discourse’.

Others added that as this ongoing discourse should involve the general public, policy needs to be communicated clearly and free of technical jargon or impenetrable small print. ‘Restrictions on data subjects’

rights, such as the processing of personal data, must be proportionate to the objectives pursued’, said one EU-based respondent. ‘In setting a policy on the processing of users’ personal data in financial services, it is important that the legal provisions are worded in a sufficiently comprehensible and predictable manner to make clear the extent to which and the conditions under which the right to restrict the privacy of data subjects is exercised’.

The need for consistent and clear communication stripped of jargon is perhaps more pressing in emerging than in developed economies. ‘Our priorities are to ensure that financial service providers properly and consistently communicate the data

financial services.

‘Yes, there is some tension between these parties because two divergent interests are at play’, said a regulator in a leading African economy. ‘Financial service providers are innovators who seek to use the available data to create new valuable products. Privacy regulators principally seek to protect the privacy rights of the data subject, hence, the divergence of philosophy and approach. We see that this conflict can be moderated by having a comprehensive data policy and strategy that addresses the various interest points’.

‘It is the policy of the state to promote the free flow of information that will benefit our society’, said one Asian regulator. In line with this policy, this authority explained that it is planning to ‘experiment on alternative regulatory approaches that would allow innovation to flourish while ensuring data protection such as the conduct of innovation hubs or regulatory sandboxes’. It added that it was ‘empowering developers and coders of applications to ensure that privacy-by-design is met at the onset

activities, aggregated data use was mentioned by respondents as having a constructive supporting role to play in the delivery of government services and research.

For example, one respondent pointed to the extensive analysis that data-based research has underpinned in areas such as domestic violence and the protection of vulnerable children. Data analysis has also been used by this government, for example, to conduct more granular research into the impact on society of penal financial measures such as traffic fines. ‘For young people aged 18 or 19, fines for minor traffic infringements can be disproportionately large’, this interviewee explained. ‘Financial penalties of this size can kickstart a cycle of problems’.

The benign use of data of this kind is valuable, this regulator noted, because of its potential to strengthen public buy-in for the collection, storage and analysis of personal data.

More broadly, some regulators were again eager to emphasise that there are tangible economic gains to be generated from the analysis of aggregated user data. ‘We see allowing businesses to access data, particularly business data (which may or may not encompass aggregated user data) as being important to drive economic
use proposition to customers despite        of the software development’.                    growth, but we want to balance that
the possibility of having adequate                                                           with the responsible use of data’, said
legal basis for the processing’, said one   Question 7                                       one respondent. ‘Our approach goes
African regulator. ‘Due to the low rate     Are there instances or specific                  beyond just supporting the disclosure
of literacy around data, the burden         use cases where you believe it                   of aggregated data, which is limited
is on the data controller to show it        is important to allow an entity                  to specific use cases, to supporting
has expended sufficient efforts and         (individual, business or government)             the disclosure of anonymised data.
resources to educate the data subject’.     to access aggregated
    As with their responses to the first    user data?
question in the survey on public policy         It is clear from the
outcomes, regulators suggested              responses to this
                                                                          ‘Our approach goes beyond just
that their ultimate objective is to         question that the             supporting the disclosure of
respect consumers’ privacy without          efficient aggregation         aggregated data, which is limited
discouraging innovation in financial        of data is already            to specific use cases, to supporting
services. This is a combination which       having a substantial          the disclosure of anonymised data.
has allowed open banking to thrive in a     and often measurable          Aggregation of the user data is just
number of countries and is a blueprint      positive impact across
                                                                          one means of anonymisation of
which could be applied to other             wide cross-sections
sectors.                                    of society. Beyond
                                                                          the data. We believe a more holistic
    Some believe that encouraging           its use to combat             approach that supports disclosure
innovation has the potential to             money laundering, the         and use of anonymised data in a
generate tensions between data              financing of terrorism        responsible manner will be more
privacy laws and the regulation of          and other criminal            useful for businesses’.
Aggregation of the user data is just one means of anonymisation of the data. We believe a more holistic approach that supports disclosure and use of anonymised data in a responsible manner will be more useful for businesses’.

In the financial services industry, meanwhile, some respondents identified open banking as an area which could not have flourished without access to aggregated user data. ‘A private-sector initiated open banking scheme has been approved by our central bank’, said a regulator in Africa. ‘This allows financial sector players to share customer data within the industry based on compliance with national data privacy regulation and other relevant laws. We foresee instances like these growing in the future’.

Question 8
Do you have a view on data sharing between companies and data portability? Data portability is defined as the ability for users to access and move their personal data across different applications, programmes and platforms.

Regulators interviewed by OMFIF were generally positive about data sharing, although some confusion appears to exist at a grass roots level about the meaning and potential benefits of data portability. One EU interviewee, for example, noted that data subjects are still unfamiliar with the concept of data portability and their right to it, and that there is ‘room for improvement’ in this area. Another added that although article 20 of GDPR requires data controllers to respect consumers’ data portability, the right to portability is still not widely applied, meaning that its full potential ‘remains to be seen’.

This view was shared by an African regulator, who expressed the view that data portability remains inadequately defined, ‘especially in developing countries’.

This may represent a missed opportunity, because others emphasised that in some areas, most notably open banking, data portability is a prerequisite. As one Asian regulator explained, ‘with the advent of financial and digital service platforms, there is a need to ensure that there is seamless availability of personal data between these entities to effectively provide said services. This can only be achieved if data portability is unimpeded.’

This respondent added that ‘should such data portability be allowed, it is crucial for joint controllers of personal information to comply with all relevant data protection laws, rules and policies and be made aware of their joint responsibilities to their data subjects. Moreover, the sharing and porting of data from one platform to another may create risks, especially during the data transfer process. In this context, all the parties or institutions that control or process the data throughout its lifecycle have a role to play in ensuring that the data is protected’.

Several respondents stressed that promoting public trust in data sharing is of paramount importance if its full economic and social benefits are to be harnessed. This was emphasised by the Personal Data Protection Commission in Singapore, which has established a trusted data sharing framework. ‘This is a distillation of the experience from our engagement with companies who are collaborating on data sharing’, it explained. ‘The purpose of the framework is to guide companies intending to share data, and to provide a common language and resources to help companies to share data in a responsible manner. This is applicable both to domestic and cross-border data sharing. This will promote good practice standards and build consumer trust, which can act as a competitive differentiator.’

As an example of how Singapore is applying data sharing to support economic development, the Commission pointed to the launch in September of the better data driven business programme. This initiative aims to support SMEs that are starting to learn to use data to generate insights and those that seek to apply and share data for more complex purposes. The programme is designed to help businesses learn how to collect data safely, combine data across systems with adequate data protection measures, and share data externally with partners and suppliers in line with the PDPA obligations.