5 minute read 31 Jan 2019

How firms can balance data privacy with customer expectations

By Cindy Doe

EY Americas Consulting Risk Leader

Seasoned financial services professional. Resides in Massachusetts with her husband and three children.


Financial services firms must put robust governance and privacy safeguards in place to deliver richer and more evolved customer experiences. 

The proliferation of data, paired with emerging technologies such as artificial intelligence, has generated enormous opportunities for financial institutions and their customers. Financial services companies are gaining a clearer sense of what their customers want, where they want it, when they want it and how they want to get it.

Customer activities and associated data insights educate financial services firms further on customer nuances, activities and preferences — enriching the overall experience. While data has immeasurably improved a range of functions and processes (e.g., customer service, compliance, financial crime, regulatory reporting), the manner in which data is used by these organizations carries significant potential privacy implications and further regulatory scrutiny.


The changing nature of data governance

Data governance is difficult to put into practice at many firms due to a range of factors, including a growing web of various privacy requirements, particularly in sectors with vast quantities of sensitive consumer data. For context, data privacy addresses a combination of legacy and new regulations, both foreign and domestic (refer to sidebar). These regulations are also coupled with growing concerns and expectations related to cybersecurity, such as the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), the Federal Information Security Management Act (FISMA) and the Federal Exchange Data Breach Notification Act, among others.

In fact, while data privacy is evolving to address a complex patchwork of regulations and technical challenges, it should, at its core, be a commitment from financial institutions to safeguard customer data, while using and retaining only requisite data to generate insights in a pragmatic, measured and prudent manner to enrich customer experiences.

  • Data privacy law and regulations in a nutshell

    General Data Protection Regulation (GDPR): Announced in April 2016 and became effective in May 2018 to enhance protection of personal data. ey.com/fsgdpr

    Gramm-Leach-Bliley Act: Also known as the Financial Modernization Act of 1999, a federal law enacted in the US that requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. ftc.gov

    California Consumer Privacy Act of 2018: As of January 1, 2020, companies around the world will have to comply with additional regulations related to processing of personal data of California residents. caprivacy.org

    Health Insurance Portability and Accountability Act (HIPAA): Developed by the Department of Health and Human Services, HIPAA is a US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers. hhs.gov

Governance and privacy safeguards balanced with customer data usage

Consumer information is the lifeblood of financial institutions’ businesses. Customer data enables financial services organizations to create market differentiation and better target customers and prospects with products and services that align with their unique needs. The most successful companies use rich, updated and accurate data and insights to engage customers and connect with clients in compelling ways across multiple channels and digital touch points. 

Customers expect more value, more personalization and near seamless interactions. As such, to drive better experiences, retain existing customers and acquire new ones, organizations are using data along with sophisticated analytics to counter new market entrants, many of which do not face the same requirements as established financial institutions. 

Today, more than ever, financial institutions are collecting prodigious and diverse amounts of consumer data — both structured and unstructured — to deepen relationships, create exceptional experiences, further establish financial health and well-being, and build trust. Trust is no longer just about being a safe, reliable, secure, resilient financial institution. It is also heavily reliant upon how firms empower their customers to make decisions about how the institution is allowed to use data to personalize experience and create more value through customized products and services. 

Absent that trust, financial services companies could experience significant business headwinds — attributed mostly to reputation decline and credibility issues. As such, to build and reinforce customer trust, financial institutions should establish data privacy as the cornerstone of their strategy for growth. Consumer data is at the very core of how firms assess and model risk as well as price, service and sell their products. In fact, without significant consumer insight, financial institutions would not be competitive and could potentially lose their valued customer base.


Market activity creating even more data 

Decades of commercial mergers and acquisitions, core platform replacements and integrations, and workforce transformation programs have generated mountains of consumer data in every enterprise. While this new ecosystem of consumer data creates business opportunities for financial institutions, many firms candidly admit challenges associated with data governance along with proper risk and security controls. These variables have made it difficult for companies to address the underlying data integrity issue. This creates a massive risk to realizing the benefits of new technologies and connected data ecosystems such as cloud, unstructured data platforms and analytical environments. 

Additionally, there is no doubt that legacy systems create complex issues. But there are new ways to tackle managing consumer data. The key for financial services companies is to gain executive commitment and investment. Data privacy leaders also need to challenge executives who hope for an easy answer, especially those who wish that the problem will simply fade. Nothing is more valuable to a financial institution than its customers and the trust those customers place with the institution to protect their data.

Where do we go from here?

Faced with a tsunami of consumer data-related regulation, financial institutions find themselves at a critical inflection point. To continue to grow, companies will need to use customer data. Yet to safeguard their reputation and foster trust with customers, organizations must institute robust governance and internal safeguards to protect data privacy. Cleaning up customer data is not easy because it sits not only in the most obvious spots but also in unstructured data environments that may lack transparency and traceability — complicated further by extended partnerships, vendors and alliances — potentially unattended and, in many cases, without sufficient visibility to the board and C-suite. 

In the future, customers will expect more control over their data and will want the option to “opt in” to hyper-personalization. They will expect that firms won’t use their data without permission; therefore, all of these considerations must be elements of governance.


Data privacy isn’t just about regulation or enabling technology; it is first and foremost an obligation. It is the most fundamental promise businesses can make to their customers — the uncompromising protection of their personal information. Financial institutions that are able to design, implement and adapt privacy safeguards, while using available customer data to deliver richer and more evolved experiences, will be the biggest winners of all.
