Global Retail Banking Report
The huge data breach at credit bureau Equifax and the fake-account scandal at financial services company Wells Fargo may nudge the US to follow Europe’s lead on data protection.
The General Data Protection Regulation (GDPR) comes into force in May 2018 across the European Union and applies to any company, wherever it is based, that processes the personal data of people in the EU. It will oblige all such companies, including banks and fintechs, to have controls and systems in place governing how they obtain customer data, how they store it and for how long, and how they may reuse it.
Fines for mishandling data will rise substantially. Today’s fines of €50,000 to €300,000 (US$61,000 to US$370,000) are often seen as just a cost of doing business rather than a deterrent to poor practice. This will change when companies face fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher.
Germany and France already have strict data laws in place, says Roberto Valerio of online fraud-prevention firm RISK IDENT. His company is based in Germany, working for Otto, the second-largest online retailer in Europe after Amazon, as well as a number of telecoms companies.
European data laws mean that his company cannot pool information from different corporate clients to assess whether a shopper or customer is who they say they are.
“In the US you have more freedom to combine information from different sources. If you see fraud from a certain person or email address, that can be used when they apply online elsewhere,” notes Mr Valerio.
How the GDPR will work in practice is still unclear, but Mr Valerio is pleased to see that the regulation gives customers more rights over their data, such as being able to have it deleted. Others welcome new consumer powers too.