Frictionless Financial Services Are Convenient, But Are They Safe?

A century ago, the most valuable thing banks had on hand was the money in their vaults. Today, however, banks have something that’s just as precious as cold, hard cash: data.

Think about it. As the arbiter of people’s financial life, banks probably know more about individuals than most of their friends, including how much money a person makes and where they spend it. And thanks to modern technology, it can use that data to offer more and better banking products and services, tailored to an individual’s specific needs.

But with a great deal of data comes a great deal of responsibility. Data protection in financial services industry circles has therefore never been a more important subject.

This is especially true given the ubiquity of mobile banking. Because digital financial services are so common, banking customers are more comfortable than ever conducting transactions and purchasing financial products online. In return, they expect financial experiences that are faster, easier and more personalized.

That raises the stakes for online banking security. Consider recent findings from technology and management consultancy Capco. According to the company’s research, 89% of U.S. insurance policyholders between the ages of 18 and 65 are willing to share additional personal data if it means having access to insurance offerings that are attuned to their life circumstances and values. In 2021, the company similarly reported that nearly three-quarters of consumers would share some form of personal data to get cheaper insurance premiums.

Clearly, banks and other providers of financial services have a careful line to tread: Using consumers’ data to expand and enhance digital products and services on the one hand while protecting that same data on the other.

Embedded Finance: The Future of Banking is Here

The willingness of consumers and businesses to share personal information to get a better banking experience comes at a time when embedded finance is gaining traction.

“Embedded finance” describes the integration of financial products and services into existing customer journeys that are hosted by non-financial services organizations. A common example is retailers who offer flexible low- or no-interest financing for big-ticket online purchases, like a bed, computer or new appliance. Traditionally, consumers wanting to finance big purchases would have to go to a lender and secure a loan or line of credit. In the world of embedded finance, however, the retailer partners with a bank or other financial services firm to offer the financing directly to the consumer at the point of purchase.

“While the term ‘embedded finance’ may be a recent addition to our lexicon, it’s not novel. For decades, banking customers have been able to access financial products on non-banking channels and with non-banking partners,” the IBM Institute for Business Value (IBM IBV) wrote in its 2023 report “Embedded finance: The voice of the makers.” “What’s new is the radical shift in the way clients consume banking and insurance services in the moment and location of their need.”

Technology facilitates the smooth sharing of data that enables the frictionless, hyper-personalized end-to-end experiences customers have come to expect. Banks and financial services providers must meet those expectations within the constraints of online banking security and privacy legislation that stipulates strict data protection for banks.

Privacy Concerns Add Constraints

Embedded finance ups the ante when it comes to protecting data, even as it offers frictionless capabilities for consumers, according to Sean O’Dowd, head of global financial services solutions at Nutanix. He said data sharing also becomes a cybersecurity risk because the attack surface is expanded, creating more areas to protect.

“Banks are being forced to share information in a way that they really haven’t had to before,” O’Dowd told The Forecast.

He said this is due to open-banking regulation via Payment Services Directive 2 (PSD2) out of the European Union (EU), which is a catalyst for things like embedded banking and banking-as-a-service. 

“The primary technology vehicle that makes this all super easy is the API...yet that is where the data protection challenges arise,” he said.

Although technology makes it easier, information sharing is complicated by compliance obligations whose purpose is strengthening IT security for banks, according to Hector Arias, who leads Red Hat's retail banking strategy globally including embedded finance, and is one of the authors of the IBM Institute for Business Value research mentioned above.

“Everything related to money is super confidential, so banks need to protect data and comply regardless of who is participating in the banking value chain,” Arias said.

Europe’s General Data Protection Regulation (GDPR) is the most comprehensive privacy legislation affecting the global banking sector because it applies to data held by financial institutions and protects consumers. 

“Every vendor and every processor that is providing services to the financial entity is also obliged to protect that data,” Arias continued.

Since taking effect in 2018, GDPR has racked up a hefty total of eight- and nine-digit fines for mishandled data breaches. Although those paying the highest fines tend to be tech giants and not banks, financial institutions must be wary of risking their data security, banking relationships and brand equity as they tap into customer data to deliver enhanced services.

Another regulation of note is Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to private-sector organizations across the country that collect, use or disclose personal information in the course of a commercial activity. Several Canadian provinces have their own legislation that is like PIPEDA. In the United States, meanwhile, California in 2018 introduced its own statute to enhance privacy rights and consumer protection: the California Consumer Privacy Act (CCPA).

Despite the potential perils and pitfalls that have made regulations like GDPR, PIPEDA and CCPA necessary, consumers love online and mobile banking and financial institutions have an obligation to continue delivering them. As a result, “the race is on” to provide the best products and services without jeopardizing privacy protections, O’Dowd said.

Data Integration Requires a Framework

Although the technologies for digital banking have been around for a while, new technologies like AI and machine learning are creating opportunities for financial services providers to differentiate themselves, O’Dowd noted. With access to the right data, for example, AI can facilitate improved customer service via chatbots. Meanwhile, machine learning enables mobile banking apps to improve their performance over time by adapting to customers’ preferences and even anticipating their actions.

“The whole conversation about AI improving these digital channels is really interesting,” O’Dowd said.

In order to turn an interesting conversation into an awesome reality, banks and non-banking partners must find a way to integrate siloed data efficiently and securely.

“[Banks are] leveraging these new technologies in small, confined and compartmentalized ways,” O’Dowd continued, noting that there is a lot of potential for generative AI to help with data integration by tapping into data lakes and providing more unified views of customer information.

Even so, data governance and data quality controls are critical for meeting compliance obligations and protecting customer information. Neither is easy given the complex relationships spurred by embedded finance.

To make those relationships work as they embed more products and services in external IT ecosystems, financial services companies often rely on unregulated technology infrastructure to support service delivery, according to Arias, who said banks are still responsible for data that passes through third-party companies. To support new business activities between all parties, new and legacy technologies alike must adhere tightly to best practices around privacy and security, he said. 

“You need a framework for those companies,” Arias added. "Banks need to evolve their risk control framework to safely open their distribution model and prepare their foundational technology platform for these open business models. This effort is paid off with the huge opportunity ahead."

This framework must cover technology integrations so data can be confidently shared while ensuring that all parties meet their regulatory obligations. In that way, banks and non-banking partners should view financial data security as a shared responsibility. The former must have clear visibility into how the latter are going to process customer data, Arias said.

Cloud Equals Trust

The increased dependence on shared, distributed IT infrastructure has led to the introduction of even more regulations in Europe. For example, the Digital Operational Resilience Act (DORA) went into force in early 2023 and will apply as of Jan. 17, 2025. The regulation recognizes that banks are increasingly dependent on technology that can create what regulators call “concentrated risk” and on technology companies to deliver financial services.

“Banking is very, very regulated and technology is not regulated yet, although regulations like DORA are starting to change that,” Arias said.

Clearly, the risks that embedded finance pose to data privacy are great. But so are the doors it opens for consumers seeking financial freedom and flexibility. And while there’s no silver bullet for replacing threats with opportunities, it’s becoming easier for banks to find middle ground between them with the help of cloud computing.  

Consider geopolitical risks, for instance, which are a big reason for continued regulation. Given the volatile nature of the world today, financial institutions must have an exit strategy in case they need to change technology providers. Multi-cloud adoption can help them comply with regulations while avoiding risky vendor lock-in.

“Most regulators now permit the use of cloud, and we have seen cases of banks running on cloud that are more reliable than banks that are running on traditional data centers,” Sam Everington, CEO of Engine by Starling — a cloud-native, SaaS banking platform owned by British bank Starling Bank — told the IBM IBV. “Cloud infrastructure in most markets is an option if it’s managed the right way, with the right level of ability to move between cloud providers.”

Indeed, embedded finance that’s built on cloud-based infrastructure buoys consumer trust instead of eroding it, suggested Andy Nam, CIO for Asia and Oceania at Japanese bank Mizuho Bank. “Clients recognize the value of an established relationship that is based on trust and reliability. But this trust is not to be taken for granted, as clients have learned to look elsewhere for convenience,” Nam told the IBM IBV. “This is the reason why incumbents can’t stand still, but must learn how to work with other financial institutions and non-banking partners.”

Editor’s note: Learn more about Nutanix Cloud Platform, solutions for FinServ and Project Beacon, Nutanix’s vision for delivering data-centric PaaS level services that aren’t tied to a single infrastructure provider.

Gary Hilson has more than 20 years of experience writing about B2B enterprise technology and the issues affecting IT decisions makers. His work has appeared in many industry publications, including EE Times, Embedded.com, Network Computing, EBN Online, Computing Canada, Channel Daily News, and Course Compare. Find him on X.

© 2024 Nutanix, Inc. All rights reserved. For additional legal information, please go here.