Does Your Bank Need a Chief Medical Officer?

In some parts of the globe, cities are slowly relaxing their social distancing guidelines. Businesses are beginning to open up and residents are once again venturing out to offices and into storefronts.

Some tech companies have made the move to become remote-first, keeping employees out of physical offices for the foreseeable future. Banks, however, face regulatory scrutiny over communication and documentation, and can’t allow their employees to work from home as easily.

So as many begin to let their guard down, where do a bank’s responsibilities lie in regard to maintaining a safe, virus-free work environment and branch location?

As with everything, the buck stops with the banks’ leadership. They are responsible for not only heeding guidelines from their local and federal governments, but also for understanding concerns of their customers and employees. To answer the question in the title, no, banks don’t necessarily need a chief medical officer. They do, however, need to appoint a person or a group responsible for creating safety measures around their branch and workplace.

The first step in doing this (aside from abiding by governmental guidelines) is to listen to the concerns of customers and of employees. While some may be ready to show up to the office or branch with minimum precaution, others may request increased social distancing in the office and curbside services at the branch.

Listening to these concerns will offer a clearer picture of next steps and a timeline. Options include offering individual cubicles separated by plexiglass, monitoring employee temperatures, increasing cleaning frequency to once-a-day, limiting the number of employees in the office and rotating work-from-home schedules, limiting customer numbers in the branch, requiring face masks, increasing sick leave for employees, etc.

If a requirement such as taking temperatures at the door arises that no one on the team feels comfortable with, hire an outside medical specialist. And if all of the new protocols seem completely overwhelming, banks should consider bringing on a consultant to help with things like deep cleaning protocols, updated health and safety plans, and emergency response plans.

Would it hurt to hire a Chief Medical Officer? Certainly not. But by listening to employees and clients and applying some creativity, banks can come up with a workable solution that helps both employees and customers feel safe.

Fintech Brings Peace During a Pandemic

COVID-19 has brought many new challenges to daily life– from working from home requirements to new budgetary restraints and stock market volatility. Fortunately, it is in times of crisis when fintech solutions shine the brightest. In a pandemic-burdened world, companies across the fintech sector offer answers (and to some, a sense of peace) to those wrestling with today’s new set of problems.

Personal connection

Even though many financial services offices are still closed to outside visitors, fintech tools can help maintain personal connections without requiring face-to-face interaction. Some roboadvisor platforms, for example, connect users with a dedicated certified financial planner to make sure their accounts are on track and to help them plan for the future.

And when it comes to replicating in-branch conversations, some banks– including Bank of America– have introduced video ATMs to offer customers a way to meet with a teller while social distancing. As an extra bonus, the video technology is making tellers available for longer hours, from 7am to 10pm.

Increased visibility

Fintechs provide users access to their account information 24/7 via web and mobile interfaces. More importantly, however, are the integrated analytics and tools that many platforms offer to help users make decisions, answer questions, and offer scenario-planning to help them reach goals.

Keeping users well-informed about their current financial situation as well as their options can help empower them to plan for their future. This is crucial when many are struggling with the uncertainty of job security and stay-at-home orders.

Digital communication

Chatbots have gained popularity over the past couple of years, fueled by advances in AI technology. In the past few months, however, the need for chatbot and automated response technologies have accelerated. That’s because bank call centers have been overloaded with a spike in mortgage refinance request and calls from consumers who need help sorting out financial hardships. Banks are seeing increased value in chatbots, which help relieve pressure on call centers by offering a different channel for consumers to go to for answers.

Circumvention

Looking back, many fintech companies originated to help users work around a process or a service that just didn’t suit them. For example, there are a multitude of players that cater to unbanked and underbanked consumers, helping them work around requirements imposed by traditional financial institutions. Additionally, mortgagetech companies help banks process loan applications more efficiently by moving the entire process into the digital realm.

In a post-pandemic society we will see many new needs arise that aren’t well-served by traditional processes. Take the traditional, brick-and-mortar bank branch model, for example. Because branches have been forced to temporarily close their doors to customers, many have accelerated digital transformation efforts that make the majority of their services available online.

Digital identity

In a pre-pandemic world, digital identity verification was already a hot topic. Now that banks and fintechs are working with consumers almost exclusively online, there is an increased need for services that remotely authenticate users’ identities. Fortunately, there are a wide variety of instant identity verification offerings– from KYC and AML tools to blockchain-based identity networks– available to help banks and fintechs better serve their remote clients.

Open Banking in the Same Language

What happens when third party fintechs try to access banking data on behalf of their consumers, but each way has a different way of doing so?

That’s exactly what’s happening in the U.S. right now, and it’s a major factor in preventing the country from adopting an open banking culture. In an era when consumers conduct their banking activities with multiple providers, open banking not only safeguards consumer data but also places them in control of how they want their data used and for how long.

Speaking different languages

The lack of a consistent approach is also the reason why customers of some U.S. banks have been locked out of third party applications such as Robinhood and Digit. While these customers were prevented from using their own banking data, banks had good reason to lock out the third party providers, citing security concerns. Our piece Are U.S. Banks Leaning Towards Closed Banking? covers the drama in more detail.

What’s needed is a standardized regulation for data sharing. Banks can’t trust third parties and what they may do with customer data. With new regulations such as CCPA and GDPR, banks are required to keep track of how their clients’ data is used. Once a third party possesses customer data, the bank can no longer guarantee it will be used and stored properly.

Aligning the approach

So how does the fintech industry get everyone on the same page when it comes to data sharing?

The Financial Data Exchange (FDX) was created to solve that very same problem. “FDX is member-driven and governed by majority vote and we’re united by a common mission and purpose: providing secure and convenient financial data sharing,” said FDX Managing Director Don Cardinal. “Our Working Groups are inclusive, transparent and benefit from our members’ decades of experience and professionalism.”

FDX is a non-profit organization that is creating what is essentially a playbook of data communications rules for banks and third party fintechs. FDX currently counts 102 organizations– only one third of which are banks– that vote on an agreed upon global standard for data sharing.

Keeping the end consumer in mind

Importantly, FDX not only helps its member organizations speak the same language, the alignment trickles down to benefit end consumers as well. That’s because FDX helps place consumers in control of their own data, allowing them to decide which organizations can use their data and for how long. Aiding in this transparency, some banks have created dashboards that allow customers to view and edit which apps have access to their data.

To promote more consumer awareness, FDX is working to create a certification stack that would indicate to consumers whether a bank, fintech, or organization is part of FDX. You can think of this similar to a bluetooth logo on a device that informs consumers that a product has undergone the Bluetooth Qualification Program.

So when can we expect mainstream adoption of FDX?

“While we cannot give an exact date, we know from similar innovations (online banking, billpay, mobile banking, EMV chip cards) that we are moving from the Innovator to the Early Adopter stage and that acceleration of adoption will accelerate once we pass the mid-market peak,” said Cardinal. “To date, our members have moved nearly 12 million U.S. consumers over to the FDX API.”

Are U.S. Banks Leaning Toward “Closed Banking?”

Odds are, if you work in fintech, you know what open banking is. It is such a popular concept that in Europe an entire regulatory regime, PSD2, has sprung up around the concept.

So if Europe is progressive enough to create regulations mandating open banking, how is the U.S. doing? It turns out that some banks in the U.S. are taking an opposite approach and preventing third parties from accessing consumer data.

Keeping it secure

The motive behind this move is pure: banks are closing down connections to third party apps to keep customer information secure and limit data breaches. Data retrieval methods such as screen scraping or using the customer’s password to gain access are indeed unsafe. We spoke with Chief Growth Officer and Co-founder of Flybits, Gerti Dervishi, who said this type of data sharing is “risky in so many different ways” since data scraping is not a standard protocol. Regarding recent decisions of U.S.-based banks who are gating off third parties, Dervishi said, “Honestly, this couldn’t go on for much longer.”

First-movers

JP Morgan Chase recently came up with a new access plan for third party fintechs that require access to customer data. The aim of this new plan is to stop third parties from using password-based access to retrieve customer banking data. Starting July 30, fintechs will be barred from pulling customer information until they sign data access agreements and stop using customer passwords to retrieve banking information. Instead, JPM wants third parties to connect to consumers’ accounts via its open API. The bank made it clear that not only is this method more secure, it will also place consumers in control of what data they want other applications to access.

PNC Financial is also cracking down on third party data access, but is leaving third parties with fewer options. Explaining the decision to the Wall Street Journal, PNC Chief Customer Officer Karen Larrimer said, “When aggregators access account numbers, many store them indefinitely, often unbeknownst to customers. This puts customers and their money at risk. We want to make sure we know who is setting up the account.”

As part of the move, Pittsburgh-based PNC is preventing customers from using P2P money transfer app Venmo and has blocked “multiple different aggregators,” including Plaid, which PNC states circumvented its security protocol. Plaid, a popular data transfer network, connects consumer information to other third party apps such as Square’s Cash app, Robinhood, and Digit.

Who owns the data?

But shouldn’t the consumer be able to decide if they want a third party to use their data? This became a major issue when PNC began directing users from PayPal’s P2P payment app Venmo to Zelle, the bank’s in-house P2P money transfer tool. This is because, as Dervishi said, “There is already an agreement in place with Zelle. [PNC] understands data sharing with Zelle, but they don’t have a standardized agreement with Plaid.”

When it comes to the issue of data ownership, Dervishi circled back to the need for standardization. Because PNC does not have a clear agreement in place with third parties, there is nothing to hold them accountable when it comes to how they use or store customer data. “We need a NAFTA for data,” he said.

So though it may seem as if both of these U.S. players are taking a “closed banking” approach, that statement isn’t exactly correct. Both banks offer open APIs. The difference is that PNC has shut out Plaid (and, in turn, the many third party apps that use Plaid) to head off security issues. JPM (and potentially others) may not be far behind. As Ron Shevlin pointed out in his piece The Real Story Behind the PNC Venmo Clash, “[JPM will] be watching what happens with PNC, for sure. If PNC sees limited account attrition, other Zelle banks will be likely to follow.”

At the end of the day, the only thing to prevent banks in the U.S. from taking a “closed banking” approach may be to follow in the footsteps of the European Union and create a PSD2-like, standardized regulation for data sharing. “Because each bank takes a different approach to third party data access,” Dervishi said, “until we have a well-understood framework like open banking and PSD2, we will have a thousand different methods [to access data].”

Everything Fintech at Davos 2020

The five-day World Economic Forum wrapped up late last month. The event, based in Davos, Switzerland, hosted some of the brightest minds in the world to speak on some of the biggest issues facing our society today.

We combed through the agenda to bring you a view of the discussions through a fintech lens. Here’s a summary of some of the most interesting fintech-related topics covered at the global event.

Shaping the Future of Financial and Monetary Systems
The majority of this session wrestled with digital transformation. One of the overarching themes in this discussion as it related to digital transformation was the idea that we’ve recently reached a major inflection point in the banking industry. That is, banks are no longer adding products and services to their existing models, but the very nature of how they operate is beginning to change. And as these changes happen, banks can only move as fast as their customers are willing to move alongside them.

Shaping the Future of the Digital Economy
This panel represented a range of industries. Specific to the financial services industry, PayPal CEO Dan Schulman said he expects the fintech industry to see more innovation in the next five years than it has seen in the last 30. The cause of this development speed comes down to AI. Along with AI, digital transformation was another hot topic. The panel agreed that digital transformation has opened up new opportunities and in many cases requires firms to revamp their entire business model.

From Token Assets to a Token Economy
This session sought to answer the question, “how can tokenization make illiquid assets accessible without creating new financial risks?” The panelists explained how tokenization makes fractional ownership possible with physical goods, such as a famous painting or a piece of real estate. One overarching theme that pulsed throughout the discussion is that global regulation is behind in the tokenized asset realm. So while technology may be advanced enough for a tokenized asset economy, we are still many years away from it being commonplace.

How to Implement Responsible AI
The World Economic Forum has teamed up with the government of Singapore to create a model framework of governance for the use of AI. This panel discussed the new framework and how it addresses the explainability of AI, which aims to be simple enough for all players to understand. As a part of the effort, the group has also released a toolkit for boards of directors to understand how to conduct AI oversight.

The Real-World Impact of 5G
This session hosted representatives from Verizon, Qualcomm, and ABB. The group addressed political and policy issues around security and trust. Secondary to the conversation were social concerns. The first considered if 5G will cause a digital divide between societies that have 5G and those that do not. The other social concerns addressed were potential climate change and health concerns.

Global Cybersecurity Outlook
The general consensus of this panel is that we are currently losing the battle of cybersecurity. The panelists looked at who is ultimately responsible to act as the authority to govern fraudsters, discussed the balance between security and consumer privacy, and considered whether businesses’ cybersecurity spending is happening in the right areas. Finally, the panelists concurred that security is not an IT problem, but that it is a business problem and everyone at the organization should be a security expert to some extent.

Creating a Credible and Trusted Digital Currency
This discussion looked at opportunities, challenges, and concerns around digital currencies. The panel acknowledged that digital currency adoption has a certain and definite future. Representatives addressed real use cases, including cross-border payments, financial inclusion, and fraud prevention. Among the discussion points were stablecoin competition, central banks’ participation, as well as cultural effects. Much of the dialogue circled back to digital currencies issued by central banks (CBDCs).

Other sessions worth a look include Valuing Unicorns, Building Trust in Data Flows, and Investing in the next Frontier.

The CA Consumer Privacy Act Went into Effect While You Were on Vacation

If you’re unfamiliar with the California Consumer Privacy Act (CCPA), you might want to stop catching up on email you missed over the holiday and focus on this new regulation. Here are a few highlights of California’s new law, which went into effect yesterday.

CCPA grants California residents new rights when it comes to their data and privacy. Essentially, this group of consumers are now entitled to know what data businesses collect about them, where they received it, how they plan to use it, who they have shared it with, and if it will be sold.

Here’s are some take-aways of what fintechs need to know now that the new rule has taken hold:

What’s required of you

Essentially, California consumers have the right to receive a report of their personal information that a business has collected on them for the past year, the right to have that data deleted, and the right to limit the sale of their data to third parties.

All of this means that in addition to tracking consumer data, businesses are also responsible for reporting where the data came from and where it’s going.

CCPA may not apply to you

The state of California has almost 40 million residents, and if you’re conducing business in the U.S., you likely have clients there. And even if you don’t, CCPA grants the new privacy rights to all California residents as defined by income tax, even if they are not currently living in the Sunshine State. In contrast, those living in California but paying income tax in another state are not covered by CCPA.

That said, there’s still a chance CCPA won’t apply to you. Businesses with gross annual revenues less than $25 million, or those that deal with personal information of fewer than 50,000 consumers, or businesses that generate less than 50% of their annual revenue from selling consumers’ personal information are exempt.

Heads up: you could be sued

Data breaches are generally always costly, and CCPA will add to the expense. If a consumer notifies a business that it has improperly handled their data and the business doesn’t rectify the issue within 30 days, the consumer has a right to sue for damages in the amount of $100 to $750 per incident, injunctive or declaratory relief, or another option deemed suitable by the court.

On top of that, if a business experiences a data breach, sells consumer data without permission, or retains data after the consumer requested it to be deleted, the Attorney General has a right to charge violators $2500 to $7500 for each consumer data file involved.

CCPA may go federal

As you plan out methodologies to document data collection, usage, and distribution, don’t limit your systems to Californians. The privacy act may eventually be escalated to the federal level so plan your data protocol around all of your U.S. clients.

Just because you’re GDPR compliant doesn’t mean you comply with CCPA

The U.K.’s General Data Protection Regulations (GDPR) went into effect in May of 2018. But just because you’ve mastered your compliance strategy for GDPR doesn’t mean you can rest easy when it comes to CCPA.

On the contrary, there are a handful of differences between the two, as outlined by Pillsbury Law:

  • The coverage group
  • The privacy policy disclosures
  • The breadth of disclosure rights
  • The data disclosures and deadlines
  • The right to opt-out
  • The explicit protection against discrimination

For a more in-depth look into the differences, I highly recommend taking a look at Pillsbury Law’s piece.

Identity verification may be an issue

A user may request access to all of his data, but how do you ensure he is indeed who he says he is and not a criminal? Furthermore, how do you ensure he is a California resident?

According to IDology COO Christina Luttrell, “If GDPR is an indicator of how CCPA will unfold, then businesses need to consider how criminals can and will exploit subject access requests.”

Luttrell went on to explain, “The organizations that will be well positioned to complete CCPA-related requests are the ones that understand the facets of CCPA identity verification (IDV) and adopt IDV systems that scale and automate, are secure and easily integrated, and have multiple IDV methods that will satisfy consumer needs.”

You may be late but you’re not too late

In the event a business violates the CCPA, it has additional time before fines and enforcement take hold due to the 30 day period to cure noncompliance.

If a business can fix a problem with its privacy compliance and follow the procedures set forth in the law to do so, then they haven’t violated the law and will not be subject to a lawsuit for the failure to comply.