Lending is all about knowing your customer. The more you know, the less risk you take, and the higher your profit margins. As any lender will tell you, aggregating a borrower’s transaction data across their bank accounts is hands down the best tool for customer analysis and decisioning.
However, accessing a consumer’s financial data comes with strict rules and guidelines. For any lender that targets European customers, this means complying with GDPR. Despite its ominous name, the General Data Protection Regulation is explicit: if you collect or use personal consumer data in your business model, you have to protect your data subjects’ privacy or pay dearly.
Where data aggregation and GDPR collide
The logic behind account aggregation is clear-cut. Consumers generate valuable financial data every time they get paid or make a payment. They do so with different bank accounts and payment cards, culminating in a rich stream of information. By themselves, each tributary sketches a limited portrait. Put together, though, the data becomes a financial tell-all of the user’s life.
The revealing secrets in payment data
Some of the data points collected via account aggregation are mundane. For instance, payments at a supermarket divulge little beyond where we like to shop for groceries. In contrast, others paint a vivid picture of our personal and private life. GDPR calls this revealing information “sensitive” or “special category” data.
Sensitive payment data can speak volumes. For example, payment information can reveal what union you belong to, what political campaign you support or what religious beliefs you hold. In short, payment data can unearth telling details about your faith, beliefs, and values — all of which are considered private and confidential.
Furthermore, medical bills and pharmaceutical purchases also appear in our payment data. It’s not hard to imagine how easy it would be to use this information to find out if a person has an underlying health condition or to guess their sexual orientation.
The dangers of omitting sensitive data
Firms that want to process special category data must meet a range of criteria and general data protection rules. First, they must have a lawful basis to do so. Then, they need to meet one of ten criteria laid out in the regulation. Finally, before accessing sensitive data, companies need to justify their reasons for doing so, then identify and mitigate any associated risks.
Some financial service companies find this burden overly cumbersome. Instead of burning out their data protection officer with endless alerts, these firms abandon special category data altogether.
Yet for lenders using account aggregation to analyze and make decisions about their customers, omitting transactions is also a risk. A partial view of a borrower’s spending habits corrupts the decision-making process. In turn, lenders miscalculate risks and miss opportunities.
How abstraction lets lenders utilize sensitive data while being GDPR compliant
Despite the restrictions on sensitive data, lenders do have a workaround at their disposal: abstracting individual bank statements into composite metrics and indexes.
The concept is relatively straightforward. Instead of using raw, special category data, the lender replaces it with anonymized composite metrics. This substitute data mimics otherwise sensitive data, but without revealing details. Lenders can then leverage their potential for analysis, allowing them to make better decisions while remaining compliant with GDPR.
Here’s how it works in practice. Let’s say a lender using account aggregation in their workflow gets a loan request from a new client. With this request, the lender receives an output from the client’s aggregated bank data containing all their financial information.
In its raw form, the data set could contain sensitive information such as a donation to a political party or medical bills. As is, the data can’t be used for decision-making because it contains private information and the lender would be violating the user’s privacy.
Instead, the lender would be better served using abstracted metrics built from the raw data. To determine whether to approve or deny a loan request, the lender doesn’t need to know if a person pays union dues every month. They need to know whether that person’s average income minus their average spending is positive or negative, and this information can be obtained by processing the data before submitting it to their analysis and decisioning algorithm.
But that’s just the bare minimum. On top of net balance and cashflow for a given time period, this type of analysis can generate risk indexes that can also be factored into the decision-making process.
For example, using statement categorization, it’s possible to identify individual bank statements that constitute markers for risk-associated behaviors, such as spending on online gambling and betting, or paying back multiple loans at the same time. Presenting all this data in raw format risks a GDPR violation if private information also gets swept up in the mix. Instead, it’s possible to build indicators that quantify how many instances of risk-associated behavior the user is engaged in, or the amount of money spent on risk-associated activities in a given time period, without having to show individual bank statements.
This approach is very useful because it fulfills a dual function: it prevents GDPR violations when using financial data to analyze customer behavior, and it simplifies analysis and decision-making because the lender only has to look at a single indicator instead of dozens or potentially hundreds of individual bank statements.
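As an added illustration of the abstraction step described above (not Unnax's code or API), the following Python example reduces categorized transactions to the indicators the text mentions: average net cashflow, plus counts and amounts for risk-associated categories. The category labels, tuple layout and sample transactions are assumptions constructed for the example.

```python
from collections import Counter

# Assumed category labels; a real statement categorizer defines its own taxonomy.
RISK_CATEGORIES = ("gambling", "loan_repayment")

# Constructed sample: (ISO date, amount in cents, category, counterparty).
# Positive amounts are income, negative amounts are spending.
SAMPLE = [
    ("2021-03-01", 210000, "salary", "ACME PAYROLL"),
    ("2021-03-05", -2500, "union_dues", "WORKERS UNION"),        # special category
    ("2021-03-09", -4000, "pharmacy", "CITY PHARMACY"),          # special category
    ("2021-03-12", -15000, "gambling", "BETSITE"),
    ("2021-03-20", -30000, "loan_repayment", "LENDER A"),
    ("2021-04-01", 210000, "salary", "ACME PAYROLL"),
    ("2021-04-03", -5000, "political_donation", "PARTY FUND"),   # special category
    ("2021-04-10", -10000, "gambling", "BETSITE"),
    ("2021-04-20", -30000, "loan_repayment", "LENDER A"),
    ("2021-04-22", -20000, "loan_repayment", "LENDER B"),
    ("2021-04-25", -60000, "groceries", "SUPERMARKET"),
]

def build_indicators(transactions):
    """Reduce raw transactions to composite metrics. No raw row, counterparty
    name, or category outside RISK_CATEGORIES is copied into the result."""
    months = len({day[:7] for day, _, _, _ in transactions}) or 1
    income = sum(a for _, a, _, _ in transactions if a > 0)
    spending = -sum(a for _, a, _, _ in transactions if a < 0)
    per_month = lambda cents: round(cents / months / 100, 2)
    out = {
        "months_observed": months,
        "avg_monthly_income": per_month(income),
        "avg_monthly_spending": per_month(spending),  # includes special-category spend
        "avg_monthly_net": per_month(income - spending),
    }
    counts, totals, lenders = Counter(), Counter(), set()
    for _, amount, category, counterparty in transactions:
        if category in RISK_CATEGORIES and amount < 0:
            counts[category] += 1
            totals[category] -= amount
            if category == "loan_repayment":
                lenders.add(counterparty)
    for category in RISK_CATEGORIES:
        out[f"{category}_count"] = counts[category]
        out[f"{category}_amount"] = round(totals[category] / 100, 2)
    out["distinct_loan_counterparties"] = len(lenders)  # a count, never the names
    return out

if __name__ == "__main__":
    print(build_indicators(SAMPLE))
```

Special-category payments still contribute to total spending, so the cashflow figure is not distorted, but only the indicator dictionary is passed on to the decisioning step.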
How indicator-based analysis provides an edge
Of course, abstracting data adds a layer of complexity to an already intricate process. Lenders must either manually anonymize data or ask their developers to spend time and resources building proprietary algorithms.
Unnax helps lenders manage sensitive data, minimizing risks and improving UX along the way. Our account aggregation technology anonymizes data from the start. Lenders can quickly tap into GDPR-compliant borrower account data with a simple API call. This data comes ready to use and, optionally, with advanced indicators, making the loan assessment process even more efficient.
Surviving in today’s disruptive consumer lending environment requires tackling multiple obstacles head-on. In addition to an increasingly crowded space, borrowers expect near-instant money wrapped in engaging UX. If these pressures weren’t enough, lenders face growing uncertainty as the economic outlook is far from clear due to the COVID-induced financial crisis.
To overcome these challenges, lenders need to tap every tool in their arsenal, and Open Banking technologies such as those we’ve discussed are the key.