
By Amir Tabakovic
Originally published on the Mostly AI blog.
Looking back at data-driven innovation in banking
During my tenure at a retail bank developing digital offerings, I frequently encountered the reality that "you can't have your cake and eat it too." Trade-offs are inherent to innovation in regulated, risk-averse sectors like banking.
Typically, promising concepts face modification through various constraints — regulatory compliance, security protocols, infrastructure limitations — culminating in secure, compliant solutions that often lack market viability. Much of my work involved creative problem-solving to preserve innovation while navigating internal obstacles.
Data monetization projects proved particularly exciting. The goal was transforming underutilized value in credit and debit transaction data into benefits for both retail and corporate clients. However, the primary barrier emerged unexpectedly: the data protection officer's office.
Innovation vs. Privacy
Customer data falls under stringent protection legislation. Using GDPR as a framework, three major privacy obstacles emerge.
1. Legal basis
Data-driven innovations typically require explicit customer consent. While other processing justifications exist (legal compliance obligations), most innovations don't qualify. Achieving consent presents substantial challenges — it must be freely given, specific to intended use, informed, unambiguous, and revocable. Marketing campaigns typically achieve only 15–20% approval rates. Many predictive applications demand a critical mass of data, raising early questions about obtaining sufficient participant consent.
2. Security and confidentiality
Beyond securing legal permission lies implementation security. Processing must guarantee appropriate protection of personal information through multiple measures: access controls, encryption, anonymization. These protections span the entire product lifecycle despite constant feature evolution and infrastructure changes. "Privacy by design" represents the optimal approach — embedding robust privacy frameworks from inception minimizes ongoing effort.
3. Public perception
Legal compliance and technical privacy measures don't guarantee public acceptance. Services perceived as manipulative, biased, or exploitative face rejection. Mark Zuckerberg's 2004 statement — "you can be unethical and still be legal" — reflects attitudes incompatible with banking. Banks require customer trust.
Poor communication alone destroys confidence. A 2014 Dutch bank incident demonstrates how public backlash forced the abandonment of spending-based targeted advertising plans. Transparency, ethical consideration, and recognition of increasingly privacy-literate consumers matter critically.
Should you just give up being innovative?
Privacy violations lack "fail fast" tolerance. Numerous interconnected considerations regarding privacy and security cause many innovators to abandon their efforts. The choice seemingly requires sacrificing either innovation or privacy compliance.
However, forward-thinking organizations recognize substantial commercial value in customer privacy protection. Only privacy-compliant, shareable, monetizable customer data holds genuine commercial worth. A developing PrivacyTech market addresses the modern privacy requirements of organizations operating with customer information.
New privacy approaches enable innovation
Three promising privacy techniques emerge as market leaders.
Differential privacy
Differential privacy provides a mathematical framework quantifying how individual data subjects influence database queries and statistical outputs. Tech companies like Google and Apple employ differential privacy for private data analytics. Critics note insufficient transparency in implementation methodologies, with some researchers arguing companies like Apple compromise privacy for improved data utility.
Homomorphic encryption
This class of encryption enables processing operations on encrypted data without decryption. Data remains encrypted throughout processing; secret keys needn't transfer to the processing entity. Output stays encrypted until the key holder reveals it.
AI-generated synthetic data
AI-generated synthetic data represents one of the most innovative PrivacyTech solutions. This artificially generated data mirrors real-world datasets and their statistical properties without containing actual customer information. Consequently, it achieves full anonymization and GDPR exemption.
Conclusion
These three emerging privacy-protection innovations enable banks to extract hidden customer-data value while maintaining maximal privacy safeguards. Organizations cannot justify abandoning data-driven innovation by citing privacy concerns. Rather, advances in privacy protection constitute the pathway toward sustainable data-driven innovation.