Financial regulators begin to probe ethical use of big data and artificial intelligence in banking.
Singaporean regulators are exploring the responsible use of data analytics and artificial intelligence in financial services; however, the introduction of onerous new data laws in Europe plus the controversy surrounding Facebook and Cambridge Analytica looks set to have a wider impact on future policies.
The Monetary Authority of Singapore will publish by the end of 2018 a guide containing key principles and best practices for firms using AI and data analytics, helping financial institutions “strengthen internal governance and reduce risks of data misuse”.
“With fear and greed cycles often determining behavior of financial services players, the reputation of the industry has been deeply impacted in recent times, creating a trust deficit with consumers,” Arvind Sankaran, Venture Partner at Jungle Ventures told Radar. “As incumbents and innovators jostle for market supremacy in the brave new world, it is quite possible that pressures to win new customers, sell new products, drive margin and market share could trigger and amplify potentially egregious use of data analytics.”
MAS believes the industry itself can address its concerns about the potential misuse of big data, and is adopting the ‘carrot’ approach.
“Given the thought leadership demonstrated by MAS over the years as new industry forces emerge over the horizon, I am not surprised with them taking the lead here,” said Sankaran.
Europe, however, is already wielding the stick with the introduction of the General Data Protection Regulation.
GDPR went live in May, and now firms who are loose with their data policies face the prospect of fines topping €20m ($23m) or four percent of global annual turnover, whichever figure is greater.
“All banks and insurance firms have a huge challenge in how they deal with this; it’s a fundamental part of any data talk at the moment,” said Ian Bradbury, chief technology officer for financial services at Fujitsu UK.
Earlier this year, a scandal erupted when it emerged personally identifiable information of at least 87 million Facebook users was harvested from research firm Cambridge Analytica for political purposes.
It is alleged the data was used to influence voter opinion, and caused several governments to condemn the practice when it became clear the information was not given with appropriate consent.
The saga became a political football and thrust the issue of data aggregation into public consciousness, coming just months ahead of GDPR and its promise to wrench control of personal data away from businesses and hand it back to the consumer.
As competition in finance heats up and technological solutions become cheaper, experts are warning firms to resist the temptation to play around with customer data at a time the regulatory focus has never been higher.
“Transparency is key,” said Rohan Massey, leader of the Ropes and Gray privacy and cybersecurity practice in Europe. “Information or communication with individuals should be concise, transparent, intelligible, easily accessible and in clear and plain language.”
In particular, he said, data controllers who carry out profiling and automated decision-making should proactively engage with individuals whose data they are processing by providing clear information about how their data is being used and how the processing might affect them.
“There are banks that are using publicly available data assets, like social media, to identify life events like marriages or moving home, to then help their customers through offers,” said Bradbury. “There is an ethical argument, rather than a regulatory one, around advertising and selling, and making it appropriate.”
A regulator’s view of ethical is likely to differ strongly from that of a fund manager or a broker, and this line of thinking is what has driven the MAS to turn to industry, in the hope it will present a moderate solution before it has to step in with a GDPR-esque law of its own.
“One can only hope that the GDPR compliance frenzy now abates but there may be concerns that we are only entering the eye of the storm with national data protection authorities poised to unleash a typhoon of massive fines on non-compliant organisations,” Massey said.
While that scenario is unrealistic, he said, fears may not subside until one or more of the regulators has shown its hand in regard to fines.
Regulatory action is likely to be “targeted and proportionate”, focussing on the most serious cases involving high-impact, intentional, wilful, neglectful or repeated breaches, he said.
The EU’s efforts have gone way beyond the previous levels of consumer protection around data usage given their extra-territoriality, and have broadened the territorial scope of the European privacy regime. And for US firms, who are used to different rules, the citizenship of the data subject does not matter – the GDPR will apply even if the subject is not European, provided certain criteria are met.
Hedge funds and brokers have advised many activities could likewise be deemed to target EU investors in a way that “envisages” offering goods or services to them, prompting them to rethink entirely their future AI strategy.
“Compliance with the GDPR is not a one-time event,” said Neil Robson, regulatory compliance partner at Katten Muchin Rosenman. “Managers must ensure that as long as they are in scope of the GDPR they stay compliant, including observing any changes in best practice.”
It is also unlikely to be the final word on responsible big data use, experts believe, and banks should expect similar measures to appear in other jurisdictions – including Singapore.
“I don’t think GDPR will be a high water mark; I will be interested to see what the response is in the US from the Cambridge Analytica fallout; there will be legislation as a result,” said Bradbury. “When you get up to EU level, or US level, typically it is not a lone country implementing. It becomes the de facto standard. GDPR as a piece of legislation is pretty good, and will be deployed throughout the world in my view.”