Operationalising data ethics in the financial services sector
14 August 2019
Financial institutions have become accustomed to managing gigantic volumes of data, ranging from customer data to business intelligence and employee data. However, the financial services sector is being revolutionised by data-driven, and data-generating, technology. With the likes of mobile, blockchain and artificial intelligence reshaping traditional financial services, we are seeing the emergence of a new trend threatening to disrupt these disruptive technologies – data ethics.
Data ethics has been defined as the study and evaluation of moral problems relating to data, algorithms and corresponding practices to formulate and support morally good solutions. In practice, data ethics embodies the difference between what financial institutions can do with data, and what they should do with data. In other words, where legislation and regulation form the letter of the law, data ethics represents the spirit of the law. Technologies such as artificial intelligence amplify and add new dimensions to ethical uses of data, but the concept of data ethics is technology-agnostic. This means that it is just as relevant to other data-rich activities undertaken by financial institutions, such as social listening.
Data ethics is rapidly becoming one of the most important strategic and, given its philosophical heritage, operationally complex risk management challenges facing companies. If a financial institution is perceived to be using data in an underhand or reckless way, it could face significant consequences including loss of customer trust, regulatory investigation, and investor backlash. Indeed, Charles Randell, Chair of the UK’s Financial Conduct Authority and Payment Systems Regulator, has warned that the financial sector could face its own "Cambridge Analytica moment" if it loses public trust over the way it handles data, signalling the growth of data ethics (or lack thereof) as a concern for regulators across the world. Additionally, investors are more actively urging companies to remedy perceived ethical deficiencies in their data management practices, suggesting that it is only a matter of time before data ethics makes its way on to the environment, social and governance (usually referred to as "ESG") agenda of organisations.
These factors have led to data ethics being an issue that no financial institution can afford to ignore. Given senior management’s unique position to ensure that the concept is embedded in every relevant layer of their organisation, the following are some suggestions for operationalising data ethics:
1. "JUST BECAUSE YOU CAN, DOESN’T MEAN YOU SHOULD"
This is the core principle that should underpin every discussion and decision about data management. It can help to rebut arguments that advocate underhand or ‘creepy’ business propositions. This sentiment can help to shift your organisation’s mindset from a compliance/tick-box approach to an approach based on values and principles.
2. ENGAGE PRINCIPALS
Ethical questions around the use of data should not be left to be determined by lawyers or compliance teams alone. These issues require engagement across a broad range of internal stakeholders, from those involved in designing and implementing digital services to those responsible for customer and business strategy. Tone from the top, engagement at all levels, and education and awareness are critical to ensuring that all internal teams understand the importance of ethical approaches to data, and the implications of getting this wrong.
3. ESTABLISH PRINCIPLES
Work with your stakeholders to develop data ethics principles. Although good ethical behaviours can be incentivised, they are more likely to come from individuals buying into a commonly held set of principles. There is a growing volume of guidance outlining the ethical principles that should underpin data processing activities – these include the European Commission’s High-Level Expert Group on Artificial Intelligence, the Organisation for Economic Co-operation and Development, financial services regulators such as the Hong Kong Monetary Authority and data protection authorities such as the Commission Nationale de l’Informatique et des Libertés (CNIL) in France. Financial institutions can use this guidance as a base for creating data ethics principles that reflect/supplement the organisation’s data use cases, corporate purpose, risk appetite and values. They should also think carefully about how these principles might be used in practice, and whether it is appropriate to give additional guidance on areas that are higher risk.
4. DATA CULTURE, NOT DATA VULTURE
The concept of ethics in any given society is constantly evolving, as behaviours move between ‘acceptable’ and ‘unacceptable’ in public and regulatory consciousness. This can make it challenging for organisations to be sure that they are operating in a way that is ethical, and seen to be ethical. Operationalising data ethics means establishing a framework that can, in the long term, withstand a fluid socio-cultural landscape. It is important to establish regular reviews to refresh data ethics principles, and regularly review the effectiveness of governance and internal controls to ensure that they are driving the desired behaviours (for example, responsible data use, rather than reckless data hoarding). It could also include regularly stress-testing data ethics principles against public sentiment by monitoring current affairs and engaging market researchers.
5. LEVERAGE EXISTING POLICIES AND PROCEDURES
Data ethics may seem like yet another regulatory expectation for financial institutions to comply with, but there is ample opportunity to build on risk management frameworks, impact assessments, internal policies and procedures and governance and accountability models implemented as part of an existing data privacy compliance programme or risk management approach more generally. For example, it may be necessary to decide which data ethics questions to build into template data privacy impact assessments (for use where personal data is involved), and which to include in a stand-alone ethical data impact assessment (for use in all other data use cases). The right governance strategy may be to create new bodies or committees (such as a data ethics board), or to redesign the terms of reference for existing forums to ensure that ethical questions are addressed. Whichever approach is taken, the relevant bodies should be incorporated into the wider governance structure and have clear responsibilities and escalation protocols. To embed data ethics within a financial institution, it is essential that ethical decisions become part of the day-to-day management of the business and an issue on which senior management is kept informed.
6. ETHICS BY DESIGN
As with privacy, embedding ethical considerations into the "DNA" of products and services from the outset can save time, money and resources involved in having to redesign a product or service later. Consider including questions around data ethics in any new product/service approval process.
7. YOU HAVE TO UNDERSTAND THE RISKS TO IMPLEMENT A REMEDY
Many people in a financial institution will have a role to play in embedding an ethical approach to data use. For example, specific data ethics considerations may be different for data scientists within an organisation, in comparison to the marketing team. It is important to make it as easy as possible for people to identify what activities are, and are not, considered to be ethical in the context of their roles. Providing risk-based, role-based training to stakeholders at all levels of the organisation is critical.
8. KNOWLEDGE IS POWER
The more you understand about the provenance of the data, why it needs to be used to achieve the business objective, and how it is to be used, the greater your ability to assess whether the data use is ethical. Due diligence is key to achieving this. For example, are you using data to mirror consumer preferences, or to manipulate them? How relevant is the data being collected, relative to the purposes of the processing? And how are the algorithms used to process the data trained, tested and validated?
9. ENGAGE THE SUPPLY CHAIN
Engage with your data supply chain and flow down (or up) your data ethics principles, for example, by interrogating the data source, and including contractual provisions to ensure the integrity of the data and the processing activities. With the proliferation of data-sharing and secondary use of data, aligning data ethics principles among members of the organisation’s data ecosystem can help to meet ethics objectives (such as transparency).
For any financial institution looking to cultivate customer trust and a sustainable business model, a core question must be: how should it collect, manage, learn from and potentially monetise the vast quantity of data available to it in a way that is acceptable in the environment in which it operates? The tips above should help to establish the tools to answer this question. The answer could prove to be critically significant, and determine whether a financial institution’s use of data creates value, or whether it exposes the organisation to a raft of costly reputational, regulatory and litigation risks.