What price privacy as the value of transaction data soars?

Thanks to a booming payments market, the amount of transaction data is growing – as is its value. But regulation around it is patchy at best, and as more transaction data is used to feed models and analysis, more transparency and clarification around its use and abuse are needed.

Iga Pilewska

Growing in value

Of all the data that follows us through our lives, transaction data – data gleaned from digital payments – is among our most sensitive and valuable, giving insights into who we are and how we behave. We can use it to obtain credit, apply for citizenship – even support an alibi. Yet more and more entities now own it – and we may not even be aware that some of them do.

For several years payment providers have been boosting their profits by selling anonymized transaction data; Mastercard and American Express, for example, now sell it to hedge funds and investment banks. A new service from Mastercard helps merchants understand their customers better by analyzing their transaction data, and since 2018 that business has reported rapid growth. Financial institutions (FIs), meanwhile, can use transaction data to better forecast shifts in companies’ quarterly or yearly sales.

It’s not just payment providers that are widening their offerings: more and more organizations are productizing their transaction data, and more companies – across a range of organization types – are buying it. PayPal, Venmo (now part of PayPal), Apple, Amazon and challenger banks such as Monzo and Starling are just some of the companies that now own transaction data. And in the wake of European payments directive PSD2, the value of transaction data has been opened up to an even wider group of non-FIs.

Modelability up, transparency down

This development has its upside: cheaper currency exchanges, for example, or faster transfers. But it can come at a price: notably less transparency around where and why our transaction data is being used. Many payment providers profit from passing our information to third parties (PayPal, for example, shares its transaction data with 83 companies for marketing and PR purposes).

Most of these institutions assert that they only share anonymized transaction data that doesn’t identify individuals. This is fine for the likes of hedge funds, which tend to be more interested in insights on companies’ performance or market trends that come from aggregated data. But marketing and PR agencies may have an interest in narrowing down customers’ identities as much as possible so they can target them better, potentially compromising their privacy.

In an age when significant proportions of money and payments are digital, it can be easier to model individuals' behavior based on their transaction data than their social media or geolocation data. But while there is much discussion around the improper use of social media data for credit scoring or recruitment, misuse of transaction data could be far more dangerous. And some firms may lack adequate controls to protect transaction data (protections that should be in place at FIs), or the operations necessary to comply with existing regulations.

Compared to the unstructured data coming from social media feeds, transaction data is also easier to structure and cluster, making it easier to model – for better or worse. It can be very useful in behavior modeling, for example: not only can individuals’ paydays be predicted, but also where they shop, or what they do at weekends. This can benefit customers: they can willingly share their data with third-party providers, for example, to glean more insights into their spending patterns and identify areas where they could save. But stronger regulations are needed to limit who third parties sell this data to, as is clarification on how existing regulations address the use of transaction data for marketing.  

A clearer picture needed

Moves to address the problem are afoot. Payment providers are already subject to several rules and regulations, notably the Payment Card Industry Data Security Standard (PCI DSS), Payments Attestations (annual attestations of compliance with IT controls), FCA Annual payments submission (REP018), and various financial crime regulations. Notably, the Dutch Data Protection Authority has already warned the Dutch Banking Association that processing clients’ transaction data for marketing purposes may be in breach of the General Data Protection Regulation (GDPR).

GDPR is likely to be the most challenging obstacle for FIs and FinTechs that own transaction data and want to profit from it. Article 5 of GDPR states that personal data should be 'collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes'. As outlined by the Dutch Data Protection Authority, FIs must obtain consent from their customers to use their data for marketing.

We can expect other regulators to follow this reasoning. But even under GDPR, the question of whether companies should sell data when they have their customers’ consent remains unanswered. Users may seldom realize how exposed they are (in terms of companies being able to predict their actions) if they share their transaction data. Companies, for their part, could take responsibility for educating them – by placing terms and conditions around data use in a prominent place, for example, in much the same way that airlines remind flyers about prohibited luggage items during check-in. A clear line of responsibility for privacy violations that result from the sale of transaction data to third parties must also be established.

With increased use of new technology that can confer anonymity (such as ‘differential privacy’, which enables entities to share data about groups without disclosing information about the individuals within them), we can expect the value of transaction data to soar even further. Before the consequences of sharing and selling transaction data become unmanageable, however, we need clarity around the relevant regulatory landscape.  

Points of View are short articles in which members of the Chartis team express their opinions on relevant topics in the risk technology marketplace. Chartis is a trading name of Infopro Digital Services Limited, whose branded publications consist of the opinions of its research analysts and should not be construed as advice.
