Retail banks are under increasing pressure to innovate and personalize their products and services for the benefit of their customers, yet at the same time they are subject to rapidly developing laws and regulations concerning the protection and processing of their customers’ personal data.
The Deloitte Future of Retail Banking Report (2020) noted that progress in other industries – for example in retail (tailored products), transport (ride hailing), and hospitality (home-sharing platforms) – alongside advances in fintech, are contributing to the redefinition of customers’ expectations of banking services and products. The report outlined how the advances in other industries mean that banks are increasingly expected to deliver hyper-personalized products and services to their customers. According to the report, hyper personalization is defined as using real‑time data to generate insights, by using behavioural and data science to deliver services, products and pricing that are context-specific and relevant to customers’ manifest and latent needs (i.e. those needs which, due to a lack of information or availability of a product or service, cannot be satisfied). Further, consumers expect banks to anticipate their needs and make relevant suggestions, according to a survey conducted by Salesforce - State of the Connected Customer.
There are numerous legal guidelines, regulations and laws around the use and processing of personal data to personalize products and services in the banking sector in South Africa. The Conduct Standard for Banks, issued by the Financial Sector Conduct Authority on 3 July 2020, states that a bank that provides financial products or financial services to retail financial customers must, when designing a financial product or financial service, make use of adequate information on the needs and reasonable expectations of retail financial customers.
The Conduct Standard further notes that the bank must undertake an assessment, by persons with relevant competence, relating to the characteristics of the financial product or financial service, the distribution methods intended to be used in relation to the financial product or financial service, and the related advertising and disclosure approach and materials. This is to ensure that, amongst other things, they target the identified groups of retail financial customers for whose needs and reasonable expectations the financial product or financial service is likely to be appropriate. The banks must also include reasonable measures to limit access for retail financial customers for whom the financial product or financial service is likely to be inappropriate.
In order to successfully make use of consumer data for marketing, banks have to lawfully process and use customer data in an increasingly complex regulatory environment. Some of the regulatory issues that retail banks must navigate include the new prince of data protection - the Protection of Personal Information Act, 2013 (POPIA) (which will become fully effective on 1 July 2021).
There are eight conditions for the lawful processing of personal information according to POPIA, namely:
- Accountability - the bank is responsible for ensuring the conditions for lawful processing are met.
- Processing limitation - the bank must process personal information lawfully, minimally, in accordance with the consent, justification and objection provisions, and with the data subject's consent, unless certain exceptions apply.
- Purpose specification - the bank must process personal information for a specific purpose and adhere to the retention and restriction of records provisions in POPIA.
- Further processing limitation - further processing must be compatible with the purpose of collection.
- Information quality - the bank must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated.
- Openness - the bank must maintain the documentation of all processing operations under its responsibility and take reasonably practicable steps to ensure that the data subject is aware of certain information.
- Security safeguards - the bank must: (i) secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures; (ii) in terms of a written contract, ensure that the operator, which processes personal information for the bank, establishes and maintains security measures; and (iii) as soon as reasonably possible after the discovery of a compromise, notify the Information Regulator and the data subject.
- Data subject participation - the bank must allow a data subject to access and correct its personal information. The bank may also be required to correct, delete or destroy personal information.
Further, the National Credit Act, 2005 (NCA) requires that any person who receives, compiles, retains or reports any confidential information pertaining to a consumer or prospective consumer must protect the confidentiality of that information, and in particular, must use that information only for a purpose permitted or required in terms of the NCA or other national or provincial legislation; and report or release that information only to the consumer or prospective consumer, or to another person only (a) to the extent permitted or required by the NCA or other national or provincial legislation or (b) as directed by the consumer or prospective consumer or an order of a court or the National Consumer Tribunal.
The kicker here being that, according to the NCA, advertising is not a "permitted purpose". A potential solution to this issue is for credit providers and credit bureaux to clearly distinguish between confidential information and other information relating to customers.
POPIA also governs all forms of direct marketing undertaken by electronic means and provides that the processing of personal information of a data subject for the purposes of direct marketing, by means of any electronic communication (including e-mail, text messages and automated calling), is prohibited unless the data subject (a) has given consent to the processing (opt-in) or (b) is a customer of the responsible party (i.e. the bank) and then only if (i) the bank has obtained the contact details of the data subject in the context of the sale of a product or service; (ii) for the purpose of direct marketing of the bank's own similar products or services; and (iii) the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details at the time when the information was collected and on the occasion of each communication with the data subject for the purpose of marketing (opt-out).
If the bank is promoting a financial product or a financial service (as defined in the Financial Advisory and Intermediary Services Act, 2002), the bank will also be required to comply with the General Code of Conduct for Authorised Financial Services Providers and Representatives (Code of Conduct). Thankfully there is some overlap between the Code of Conduct and POPIA when it comes to direct marketing. The Code of Conduct requires that where a bank or any person acting on its behalf uses a telephone or mobile phone call, voice or text message or other electronic communication (this is broader than POPIA) for an advertisement, it must allow the potential customer during that call, or within a reasonable time after receiving the message, the opportunity to demand that the bank or other person does not publish any further advertisements to the potential customer through any of these mediums (opt-out). The bank or any person acting on its behalf may not charge a client a fee or allow a service supplier to charge a client any fee for making such a demand. While the opt-out formulation is compliant with the current provisions of the Electronic Communications and Transactions Act, 2002, financial services providers (including banks) should note that POPIA will require an initial opt-in for contact with potential customers, while existing customers must be given the option to opt-out.
In addition, the Code of Conduct further requires that a bank must record all telephone conversations with clients in the course of direct marketing and must have appropriate procedures and systems in place to store and retrieve such recordings. A bank must, on request of the client, make recordings of telephone discussions available to the client. The Code of Conduct also sets out requirements for information that must be included in an advertisement and information that must be provided to a client when recommending a specific financial product or service to a client.
The latest addition, the Conduct Standard for Banks is aligned with the requirements of the Code of Conduct as regards direct marketing. Both the Code of Conduct and the Conduct Standard for Banks also provide that a bank may not offer or provide any financial product or financial service to a retail financial customer or potential retail financial customer on the basis that any transaction will be entered into automatically, unless the financial customer explicitly declines the offer (i.e., negative option marketing is prohibited).
A bank must also have in place processes and procedures for the approval of advertisements and advertising methods by a person of appropriate seniority and expertise within the bank, which must form part of the governance arrangements. Generally speaking, advertising by a bank must be factually correct, not contain any statement, promise or forecast which is fraudulent, untrue or misleading and, in the case of advertising targeting retail financial customers, use plain language. The Conduct Standard for Banks also sets out specific disclosures that must be made in relation to financial products, financial services and agreements to be signed by customer.
For those wondering where the Consumer Protection Act, 2008 fits in to all of this - in terms of the Financial Sector Regulation Act, 2017, the Consumer Protection Act does not apply to a function, act, transaction, financial product or financial service that is subject to the National Payment System Act or a financial sector law, and which is regulated by the Financial Sector Conduct Authority. The Consumer Protection Act itself also provides that it does not apply to any transaction that constitutes a credit agreement under the National Credit Act, but the goods or services that are the subject of the credit agreement are not excluded from the ambit of the Consumer Protection Act.
As we enter the new normal and the age of digitisation, it appears that the demand for hyper-personalised products and services will drive the future of banking. However, the banking sector will have to navigate a myriad of laws and regulations to ensure that in the process of creating hyper-personal solutions for their customers, they do not breach their privacy.