Banking on big data: the transformation of banking services through data analytics

Friday 14 April 2023

Session Co-Chairs
Josh Hogan, McCann FitzGerald, Dublin
Sajai Singh, JSA, Bengaluru, Karnataka

Evis Daum, Federal Reserve Financial Services, Atlanta, Georgia
Kim La Barbiera, American Express, New York City, New York
Grady Nye, Mastercard, Purchase, New York City, New York
Adeola Sunmola, Udo Udoma & Belo-Osagie, Lagos

Wednesday 2 November 2022


New technological tools are rapidly becoming available for banks and Fintechs to exploit ‘big data’, or the very large volumes of data that traditional data processing software simply can’t handle. These tools have the power to transform how banking services are delivered to customers. Big data algorithmic analytics, especially when combined with ‘open banking’ and fast identity checking technology, such as biometrics, means that financial providers are better placed to tailor products for consumers and speed up the delivery of services. However, these developments can’t race ahead unchecked. For the technology innovations to work, they need to be successfully integrated into the legal and regulatory landscape on consumer protection.

At the IBA's 2022 Annual Conference in Miami, there was an excellent panel session on the legal and regulatory landscape for consumer protection and how it might evolve in the future.

What is meant by ‘big data’?

Josh Hogan opened the panel, noting that in today’s world, there are enormous amounts of financial data available through banking systems, which can be used to introduce services to improve people’s lives. To do so, understanding customer product innovation is critical. Moreover, artificial intelligence (AI) is becoming ever more powerful.

Sajai Singh outlined what is meant by ‘big data’ and how organisations can increasingly mine sets of anonymised data. For example, big data analysis is a useful means of showing consumer spending patterns, which can help companies sell products. Data can also be used to create targeted, individualised products. For example, in the future, insurance providers may wish to use the biometric data of individuals (eg, blood oxygen levels, heart rate, time spent asleep, sleeping respiratory rate, etc) collected using certain products, such as smartwatches, to sell custom health insurance plans.

Grady Nye outlined an interesting example, namely Test & Learn, a self-service analytics tool built by Mastercard for business users, such as financial institutions. Test & Learn allows business users to utilise data within their business to unveil insights and make better decisions, such as developing products in response to the trends it observes in the industry.

Access to data: open banking

Kim La Barbiera spoke about open banking, noting that it enables third-party financial service providers to access consumer banking information, eg, transaction history. In working with third-party data aggregators, banks can benefit from understanding information about their customers, however this is a double-edged sword as banks do not want to give away data that they could monetise themselves. In addition, there is a tension between data protection rights and the promotion of advanced payment services, and how Fintechs are acting in this regard. This raises the question: where does regulatory intervention come into play to draw the line between the two?

Adeola Sunmola discussed the new Nigerian regulatory framework[1] relating to open banking, published in February 2021, and the regulatory guidelines[2], which were issued in May 2022. Both the regulatory framework and guidelines aim to promote data sharing across banking and payment systems, with a view to promoting innovation and the range of services available.

Hogan spoke about the revised EU Payment Services Directive 2015/2366 (PSD2), which resulted in the emergence of account information service providers (AISPs). AISPs provide consolidated information on one or more payment accounts held by the payment service user with either another or other payment service provider(s). Essentially, AISPs act as data aggregators and provide payment service users with an overall view of their financial situation at a particular point in time. AISPs may also, for example, assist customers with budgeting by allowing them to analyse their past transactions and spending habits.

La Barbiera explained how American Express supports Plaid, a data network and payments platform, which allows consumers to safely connect their American Express accounts to apps and services in order to securely share their financial information in a matter of seconds. In doing so, consumers can access detailed transaction history, retrieve real-time balance information and access detailed borrower information directly from their bank account.

Data protection issues

The panel discussed the protection of individual personal data in the era of big data and the ways in which individuals’ right to privacy can be respected. Consumers should own and control their own data and understand the value of their data. A risk arises where data is collected for one purpose and is, subsequently, used for another purpose. The anonymisation of personal data may be the answer, but it begs the question: how can you appropriately anonymise data to create a new product without also creating a data protection risk?

Singh distinguished and clarified certain terms that often get confused with one another, such as data sovereignty, data privacy, data localisation and data residency. Given that over 100 countries have data sovereignty laws, some of the compliance challenges for companies working with data from multiple territories include: ever-changing laws, business growth in unchartered territories, the expectation of data mobility, being ready in terms of technological transparency for an audit, issues related to cloud infrastructure and compliance efforts resulting in higher operational costs.

La Barbiera noted that American Express offers a number of products to merchants, with the customer’s permission, to better understand how customers are spending their money and where they are spending it. This often has an international aspect, and American Express is required to consider all of the relevant data regulations and guidance to determine how the data is to be used. Such regulations and guidance include, inter alia, the EU’s General Data Protection Regulation, guidance from the European Banking Authority, the California Consumer Privacy Act, etc.

Regulatory intervention

The panel discussed what regulators are doing in this space, what they should be doing, what effective regulatory intervention looks like and whether, potentially, there is a tension between different types of regulators where there may be overlaps, such as between financial regulators, data protection regulators, competition regulators, etc. Of particular interest, Sunmola outlined the recent regulatory interventions in Nigeria aimed at improving consumer protections in a market where mobile banking is widespread.


This was an excellent panel, with good audience participation during the Q&A. The panel concluded with the co-chairs Hogan and Singh thanking the speakers and noting that the session represented a very successful collaboration between the IBA Banking Law Committee and its Technology Law Committee on a truly ‘hot topic’ of mutual interest.