August 29, 2023

Privacy in the Banking Sector: Navigating Transparency of Decision Making

At the end of May this year, there was a notable but not widely reported case, which involved a German bank receiving a monetary penalty of €300,000 from the Berlin Data Protection Authority (DPA). The case concerned an individual who applied on the bank’s website for a credit card which was subsequently rejected by its credit lending algorithm.

The customer doubted the accuracy of the decision and requested further information from the bank, on the basis that they had a high income and a good credit rating. In response to the customer’s request, the bank did not provide specific information about the application, but instead disclosed only generic information about the credit scoring process. This put the customer at a disadvantage, as it did not allow them to challenge the automated individual decision.

In making its decision to take enforcement action against the bank, the Berlin DPA cited noncompliance with the following articles of the General Data Protection Regulation, or GDPR:

  • Article 5: The obligation to process personal data fairly, lawfully and in a transparent manner
  • Article 15: The right of access by the data subject
  • Article 22: Concerning automated individual decision-making, including profiling

The matter is significant for many reasons, not least because the rights that individuals have concerning automated decision-making enable them to request that a decision made about them be subject to human review. With many organisations using analytics and embracing artificial intelligence to improve the speed and quality of their decision-making processes, organisations will need to carefully consider how these tools work to ensure they are able to adequately explain the logic behind the outputs and, if applicable, arrange for decisions impacting individuals on this basis to be subject to human review.

A similar spotlight has recently been shone on the UK banking sector in relation to the transparency of customer decision-making after a figure in the public domain was notified that their account would be closed by their private bank. After initially being informed the decision to close the account was made for commercial reasons, the individual submitted a data subject access request and was subsequently provided with the minutes from an internal meeting which confirmed the account was being closed, in part, due to their political views not being aligned to the inclusive values of the bank.

The widely reported case sparked a frenzied public debate about the transparency around decisions to “de-bank” customers. This was after a slew of people came forward to share similar examples of sudden and unexplained closures of their bank accounts, which raised a number of questions around internal decision-making, including how individuals designated as a Politically Exposed Person (PEP) or designated as an increased risk should be treated. This prompted the UK government to propose changes in the law that would compel banks to provide customers with 90 days’ notice and an explanation as to why an account is being closed.

Banks are required to comply with various anti-money laundering and financial crime prevention rules and have previously cited strict requirements which prevent “tipping-off” account holders that they are under suspicion of a potential financial crime.

What both cases highlight is that individuals are increasingly aware of their rights under data protection laws and are prepared to exercise these rights against banks and other financial service providers if they feel decisions are being made that impact them in a material way without a clear or transparent explanation. It also shows that banks will need to be mindful about the optics of relying on complicated legalese, in their account terms and conditions and privacy notices, to defend their actions in relation to the use of automated decision-making through artificial intelligence and for internal decisions to close customer accounts. They will need to consider the impact of disclosing details on how commercial or risk-based decisions affecting the customer are made, and how internal intelligence reports and files are compiled relating to PEPs and other high-risk customers, given that such documentation may need to be disclosed in response to a data subject access request.

Key Data Privacy Considerations

Banks and financial services organizations should carefully consider the following areas as part of their privacy and wider compliance arrangements.

Transparency

  • Ensure that privacy notices inform of uses of personal data and provide meaningful detail about the categories of personal data that will be collected and the purposes for which it will be used.
  • Be clear about the use of predictive analytics, artificial intelligence and other forms of automated decision-making, and the circumstances in which they may apply, e.g., for assessing creditworthiness, transaction monitoring and making credit-lending decisions.
  • Articulate the data rights that individuals have and provide contact details for where queries should be directed, including the Data Protection Officer.

Data Subject Rights

  • Ensure internal procedures are up to date and clearly define the processes for handling data subject rights requests. These should take into account the typical response timeframe of one month and the pre-disclosure review of collated documentation.
  • Foster collaboration and alignment between the Privacy Office, the Technology function and the responsible business areas. This is critical to understanding how any automated decision-making is applied within the organisation for decisions that impact customers, particularly given that it may be necessary to explain to a customer how the decision-making works in practice, or to carry out a human review.
  • Provide internal guidance on key decision-making activities, such as AML and financial crime prevention processes involving enhanced due diligence for high-risk customers. Guidance should explain the importance of ensuring that external data sources are accurate, that the criteria for decision-making are appropriate and fairly applied, and that internal commentary remains factual and avoids subjective views that could be problematic from a reputational perspective if disclosed in response to a data subject access request.
