A Developer's Guide to Privacy and Fairness?

Over the past few months I've noticed a range of different articles expressing privacy concerns about mobile apps, wearable devices and internet-enabled things, like smart TVs and bathroom scales ("the Internet of Things") on the one hand; and initiatives like 'Midata' to help you create your own 'personal data ecosystem', on the other. But regulation aimed at unfair trading is also relevant in this context, as are the various security requirements being proposed at EU level in relation to payments and 'cybersecurity' more generally. Official guidance in these areas is often broad but not comprehensive, as in the summary of privacy rules given in the context of Midata. It would be great to see a more concerted effort to draw all the guidance together. I have suggested this to the SCL. In the meantime, this overview explains briefly where to find guidance on meeting privacy and fairness requirements when using apps and other devices for consumer marketing purposes.

Note: as a developer, it's worth reading such guidance as if you were a consumer, to understand the regulatory intent. As a consumer it's worth reading guidance aimed at firms, since that gives you a better insight into how things actually work 'behind the scenes'.

The Information Commissioner has plenty of practical guidance on privacy in the context of cookies, mobile applications and data sharing (and a other guidance by sector or activity).

The Advertising Codes are important sources of information on how systems are supposed to behave in a marketing context.

PhonepayPlus has issued guidance on the use of premium rate numbers.

The Office of Fair Trading had plenty of guidance on how to comply with consumer protection regulation, which is now hosted by the Competition and Markets Authority, including principles for online and app-based games.

The OFT's guidance on what's appropriate in a consumer credit context, such as debt collection, is now in the FCA's consumer credit rules, and the FCA also recently consulted on updates to its guidance on financial promotions in the social media.

Firms seeking FCA authorisation often have to provide a lot of detail on their IT systems and governance in the process. The proposed new EU directive on payment services will broaden the range of regulated services and go into considerable detail on data security. In fact, security standards will be produced by the European Banking Authority, just to add to the confusion.

Knowing where consumers can complain is a guide to other regulators who may be interested in how your application works. There is an overview of UK consumer complaints channels here. There are specific complaints bodies for sectors, such as energy, financial services and telecoms, as well as for activities, like advertising and processing personal data.

However, it's you should be aware that the Data Protection Act gives businesses separate rights to process your personal data in the following circumstances:

• for the performance of a contract to which you are a party, or for taking of steps at your request with a view to entering into a contract;
• for compliance with any legal obligation, other than an obligation imposed by contract;
• in order to protect your vital interests;
• either for the exercise of a function conferred on a business by law or for the exercise of any other functions of a public nature exercised in the public interest;
• for the purposes of legitimate interests pursued by a business or by someone else to whom the data are disclosed, except where that processing is unwarranted by reason of prejudice to your rights and freedoms or legitimate interests.

Public sector bodies also have certain rights to use your data which I haven't covered here. However, it's important to mention the ID Assurance Programme run by the Government Digital Service team, which has issued useful guidance on ID assurance. And the Connected Digital Economy Catapult that builds platforms for SMEs is due to develop a code of practice on consumer protection.

The Beginning of The End of Consumer "Banking"

Funny to see a story from John Gapper in the FT this morning, saying technology will hurt retail banks but not kill them, only a few pages before First Direct admits it mis-sold complex investment products to consumers.  While I agree that innovation doesn't 'kill' anything, and must co-exist with what it is replacing, John seems to have a misplaced faith in retail banks' ability to maintain their direct relationships with consumers.  Banks are steadily being relegated to the back-office of retail finance.

 

John may be right to point out that banks lose money on the limited activity of offering current accounts, and possibly even savings account functionality, so that these are not attractive areas in themselves for technology businesses to enter. But of course you can't view those 'products' in isolation. They are just part of the 'bait and switch' routine that banks operate to persuade people to part with their money so the banks can earn far more from using those funds for their own ends.

To understand what the tech companies are doing, you have to consider how much money the banks make out of the end-to-end activity of robbing investors/depositors of yield while fleecing borrowers with expensive loans - and making everyone pay a lot for slow-cycle payment processing. 

 

It is wrong to say that technology companies are merely playing at the edges of 'banking' by offering payment services and person-to-person loans. This is all part of the strategy for disrupting the 'banking' sleight of hand.

 

Tech companies know that if they can provide a decent, transparent consumer experience to savers/investors on the one hand, and those who need the funds on the other, then they are in a position to cut the cost of moving money between the two. In fact, the money may not even have to move at all: the important issue is who is entitled to it, and whether it is available. 

 

You don't need a bank to keep the data and transaction records that tells you who owns the funds. It's all just data, as Marc Andreessen is quoted as saying. 

 

And it's far safer to separate the transaction processing and record-keeping function from the cash, which should be held separately from the processor's own funds. That's how e-money institutions, payment institutions, P2P lending and crowd-investment firms are set up...  They may rely on segregated commercial bank accounts for holding that cash, but the banks who provide those accounts have no control at all over which consumers own the money in them, or what those consumers choose to do with it amongst themselves.

 

In the EU, the regulatory support for such new business models began in earnest in Europe in 2000, with the advent of the first E-money Directive, and has snowballed with the Payment Services Directive in 2007, a new EMD in 2009 and the proposed revamp of the PSD. There are now hundreds of these payment institutions in the UK alone. And it's no coincidence that the UK has led the way in both creating and regulating P2P lending and crowd-investment platforms.

 

All of this spells the beginning of the end for consumer 'banking'.

 

 

Referral Process For UK Small Businesses The Banks Won't Fund

As mentioned briefly before, UK banks have been so hopeless in referring businesses they can't finance to alternative lenders that the government has decided to create a mandatory referral process.

Currently, the largest four banks account for over 80% of UK SMEs’ main banking relationships. Most SMEs only approach their main bank for finance, with around 40% giving up their search if they are unsuccessful.  A proportion of those rejected are viable businesses who simply don't satisfy the risk appetite of the largest banks. The result is that other providers of finance aren't able to help because they are not seeing the need among SMEs, and the SMEs are unaware of the alternatives to their bank.

So the government will use the Small Business, Enterprise and Employment Bill to require the larger UK business lenders to refer any SME whose finance application is rejected (with the SME's consent) to certain designated private sector platforms. Those platforms will then connect willing SMEs with participating alternative providers of finance (ranging from finance companies, to invoice discounting providers to peer-to-peer lending platforms to challenger banks). 

The platforms will need to comply with minimum standards to help ensure that SMEs are in control and properly protected throughout the process. All types of credit products offered by large banks to SMEs will be covered by the referral requirement, although there will be a low threshold below which it would be too costly to refer the funding application. Some businesses may also be excluded for various reasons that would include where the initial funding application was rejected for suspected money laundering. The proposals are also designed to complement and work in conjunction with the government policy to improve access to SME credit data, a process that is happening separately, but in parallel.

In summary, the SME funding referral programme should work as follows:

• SMEs must consent to be referred, and will have their details anonymised. Alternative lenders will only be able to see key information that would allow them to make an initial assessment of whether an SME may be a potential lending opportunity.

• If a lender wishes to explore a lending opportunity with a business, it would need to make contact through the platform and request consent to see that business’s contact details and begin a direct dialogue. Where a lender wishes to make a more detailed credit assessment, it will be able to obtain credit data from the business’s main bank via designated Credit Reference Agencies.

• Platforms will be able to exercise discretion over whether they grant financial and business advisers and other intermediaries access, but the platform must clearly notify SMEs when it is an intermediary that wishes to contact them, and not a lender.

The minimum standards for the referral platforms will be stipulated by the Treasury on advice of the British Business Bank. Standards will include: 

• data protection – to avoid excessive or misleading approaches or credit checks without consent;

• fair access to all SME lenders that agree to terms and conditions regarding appropriate treatment of SMEs contacted through the platform; and

• accountability for alternative lenders who fail to comply with the terms and conditions they sign up to when joining the platform. 

The Treasury will be able to de-designate platforms that fail to adhere to the standards. The FCA will oversee the obligation on banks to share information with platforms, and the platforms’ requirement to give fair access to lenders. Sole traders and micro businesses will be able to complain about platforms to the Financial Ombudsman Service when dealing with designated platforms. 

Further detailed regulation, including the designation criteria that potential platforms must meet, will be set out in secondary legislation following the passage of the Bill.

The FCA and Mobile Financial Services

The Financial Conduct Authority is going to great lengths to deepen its understanding of the retail financial services market. Project Innovate is a case in point, as is the recent (interim) report on how consumers use mobile devices. However, both initiatives underscore the need for non-banks to engage with the FCA far more than they have to date, and to provide a lot more information about how, why and when consumers need or want to use financial services.

It's a bit unfortunate that the FCA has used 'mobile banking' to describe consumers' mobile activities in the financial services context. We need to get away from such bank-centric language. After all, the FCA points out that consumers don't just use mobile devices to check the balance of a bank account, a bank statement or access internet banking web pages. There are many mobile services offered by payment institutions and electronic money institutions, not to mention the providers of credit, investment and insurance services. Each type of service provider is bound by different FCA-supervised rules and regulations when dealing with us, so it's also a little ironic that the FCA is concerned that "consumers may be unclear about their rights and obligations when using mobile banking products and services".

But terminology is a red herring. The starting should be to consider what activities consumers are engaged in when they need to rely on financial services - and whether the required services are sufficiently accessible or useful.

Here the banks' mobile offerings provide a helpful illustration of how financial services can be misaligned with consumer behaviour. The FCA found that consumers are using mobile devices to access major banks' systems far more frequently than the banks estimated they would (50 times more often than visiting a branch and 20 times more often than a web site). This has caused capacity issues and outages in bank IT systems, which the FCA is not happy with. But the FCA doesn't seem to have considered that this over-reliance on mobile channels might also demonstrate how awkward it is for consumers to use bank services through other channels. 

In fact I doubt whether we really need or want to contact our financial service providers' mobile sites at all, other than in an emergency. Nobody, except banks, engages in "banking". We may use a bank's services, but only in the context of a much wider activity, such as buying a house or a birthday present on the way to a party. "Banking" is what banks think consumers are doing, because banks only view the world through the lens of their own products and not consumers' day-to-day activities.

The FCA needs to avoid falling into the same trap. I mean, there are plenty of great examples of seamless online customer experiences out there which the FCA could use as a benchmark.

Indeed, what this report emphasises most is the need for non-banks to engage far more with the FCA, particularly in the context of Project Innovate.

Alas, it may be too late for them to help shape the second Payment Services Directive...

Google Switches To Defence In Its War On The Human Race

Nine months after Google's Chairman, Eric Schmidt, used his speech at Davos to declare war on the human race, he and the other  Big Data commanders find themselves very much on the defensive.

"I was suprised it turned this quickly," Mr Schmidt is quoted as saying of the political tide, after his European smarm offensive in June failed to avert calls for Google to be broken-up.

The trouble is that Big Data funds itself by selling the opportunity to find humans and present advertising to them. Even the craze in wearable devices is all about geolocating the wearer (and potentially their companion(s)) for advertising purposes. Ideally, you'll buy a watch or pair of glasses that will keep you reading ads and search results while on the move, but a wristband that tells your 'friends' what you're doing and where will do just nicely. Maybe one day you'll even go for the driverless car, so you can watch ads instead of the road.

As I mentioned in January, the advertising revenue that initially helped fund the transition from the analogue/paper world now dwarfs the value we actually get from Big Data and the Web. Mutuality - and humanity - is being sacrificed in the Big Data rush to sell you tat. Oh, and in the quest for The Singularity, when the high priests of SillyCon Valley believe that machines will achieve their own superintelligence and outcompete humans to extinction. Yes, really. 

In the same way that banks have grown from their mutual origins to suit themselves at our expense - keeping most of the 'spread' between savings and loans to suit themselves - Big Data platforms are primarily focused on how to leverage the data you generate ("Your Data") without rewarding you for the privilege.  GCHQ and the NHS are playing pretty much the same game.

But not all digital platforms finance themselves by using Your Data as bait for advertising revenue. Since eBay enabled the first person-to-person retail auction in 1995, that model has spread to create marketplaces in music, travel, communications, payments, donations, loans, investments and personal transport. The marketplace operators thrive by enabling many participants to use their own data to transact directly with each other in return for relatively small fees, leaving the lion's share of each transaction with the parties on either side. 

The marketplace model also reveals that most of daily transactions could be carried out between our machines. After all, they are much better at crunching all the data than we are. They are in the best position to combine our own transaction data, open public data and commercial product information to recommend the right car, mobile phone tariff or insurance products, without disclosing our identity to every advertiser in the process.  And why couldn't they arrange it so you switch to the cheapest phone or energy tariff each day, or switch car insurers depending on time of day or where your driving?

True, the platforms that enable you to leverage your own data more privately haven't yet attracted investors to the same extent as Big Data. eBay is solidly profitable and doesn't depend on substantial advertising revenues for its existence, yet it has a lower market capitalisation than Facebook or Google. It should come as no surprise to you that Wall Street and the world of high finance attaches a lower value to democratic and sustainable business models that don't suit a short term, institutional view of the world. But the financial news of 2014 must show institutional investors that we humans doubt whether Big Data has our best interests at heart. So the stock market value of marketplace operators may yet exceed that of the Big Data boys.

That's not to say that the whole Big Data movement has been a wasted experiment - it has just strayed from the path of simply digitising our daily experiences to trying to exploit them. Much of their technology could be re-aligned to empower you as an individual user, rather than treat you like a farm animal for the benefit of advertisers. 

Neither should we underestimate the Big Data giants' ability to reinvent themselves for the better. They are well-funded and more responsive to customers than banks and other institutions which have lost their way.

And it would be good to know they're working to sustain the human race, rather than kill it off.