South Africa’s big banks say that keeping client information out of the hands of third parties is a top priority – but that doesn’t stop consumers from pointing the finger at them when marketing calls start interrupting their business day.
Marketing calls often occur soon after a banking customer opens a new credit account, or gets approved for a loan – begging the question, is this merely coincidence?
It is not an uncommon practice for some banks to use customer information in their own marketing, selling products from other internal financial divisions (such as insurance, healthcare et al), or for demographic and research purposes.
Notably, banks like Standard Bank and FNB also have dealings with bank-approved (and regulated) third party companies – so customer and client information is definitely changing hands.
With information travelling down and across channels, information security comes into question. What is stopping an employee, acting independently, from slyly selling off a database of information for monetary gain?
These are the questions BusinessTech posed to South Africa’s big banks, asking where exactly customer information is used – and what systems banks have in place to keep that information out of the hands of opportunistic marketers.
Capitec assured BusinessTech that it does not sell or provide third parties with any of its client’s information for marketing purposes.
“We have a business intelligence division that aggregates data and bring us business insights,” Capitec said, “but they work with financial data anonymously; in other words, not linked to a specific person/name/etc.”
Capitec expanded on how it keeps client information secure, and showed how it was safe from any single-employee shenanigans.
“All client financial information is accessed with a consultant/employee finger print. If data leaks then it is easy to determine which fingerprint is linked to the specific leak. This in itself is a good deterrent if an employee had ideas.”
“Protecting customer information is one of the foremost priorities…it is a serious responsibility, not only for Standard Bank, but for the banking industry globally,” Standard Bank said.
The bank explained that it invests a lot of resources – in terms of people and money – into making sure client data stays protected from leaking into the wrong hands.
“Customer information is accorded the highest level of protection,” it said. “Standard Bank has diligently applied information security and information technology measures that protect customer information from unauthorised access and/or disclosure to third parties.”
The bank added that it complies with all relevant confidentiality laws and regulations that regulate the processing of customer information in the bank’s possession, pointing out that access to customer information by third parties is strictly regulated.
“Any breach of these policies and procedures is taken seriously with severe consequences for those involved.”
Nedbank group’s risk protection of personal information officer, Thav Reddy stressed that the green bank does not sell any information to third parties.
“Information provided by our clients is only used for the purpose of facilitating their specific transactions,” Reddy said. “It is against Nedbank’s policies to sell client information.”
“This information is used for statistical and research purposes to develop products which meet our clients’ needs,” Reddy continued, but stressed that client information is treated with utmost confidentiality.
As a security measure, Nedbank says it engages in pre-employment screening, including integrity checks, ITC screening and reference verification for all employees.
“Those who are applying for positions where a high level of integrity and honesty is expected may go through more stringent screening processes.”
The bank says it also implements audit trails on client information systems that monitor access to information and run regular awareness programmes to ensure that employees are aware of their responsibilities.
Reddy conceded that, “like in any organisation, employees who want to act outside of our governance, may find a way to do so.”
“Our forensic team will investigate all complaints of possible compromise of client information. The sanction is dismissal and we will pursue criminal charges where appropriate against the employee,” he finished.
Certain sections of FNB’s business have deals with third-party companies, whereby customer information is provided to them – but only after a customer’s consent is given, the bank said.
For instance, FNB Homeloans customer data is shared with OUTsurance when the customer completes a quotation form at the attorneys. As an example, FNB provided the consent clause below, which is in a quote sent to customers prior to any information being passed on to OUTsurance.
It is only when the customer accepts the quotation that the bank sends the information to OUTsurance for quoting on HOC.
“I accept that the Lender provides the required information and requests, on my behalf, a quote for Home Owners Comprehensive insurance cover from OUTsurance”
Attached is the visio process confirming the above.
FNB pointed out that it is only customer contact details that are sent to OUTsurance, together with the property details – hence, no other personal data. FNB stressed that it does not pass on information companies outside of its operations, even if there is a “yes” response on a customer’s marketing indicator.
In Personal Banking FNB has the following processes and policies in place:
- Customer Consent Policy and Process: governs the rules and processes around obtaining the customers consent at account opening stage for marketing purposes. In this instance the customer is asked the relevant question which allows the bank and approved third parties to market to the customer in compliance with the national credit advisor (NCA), consumer protection act (CPA) and any other relevant piece of legislation. When an existing customer applies for a new credit product, FNB said that it is obligated by the NCA to ask the question again.
- Credit processes: during the credit application process the customer is asked for their consent to share their data with ITC for the purposes of performing credit scoring. This credit consent is stored on FNB’s internal systems.
- Collections processes: During collections processes, customer data is shared with external debt collectors and attornies for the purposes of collections. In these instances FNB does not request separate consent but is stipulated in the banks terms and conditions, it said.
When asked about employees potentially selling off data, indepenendntly, FNB responded saying, simply: “This is illegal and is a dismissible offence.”
Absa joined the other South African banks in affirming that it does not give out customer information – adding that it subscribes to a code of banking practice that undertakes to keep customer information completely confidential, even when the customer is no longer a client.
“Absa will, as a general rule, not disclose a customer’s personal information – including to other companies in our Group unless allowed for in the Code,” Absa head of compliance and regulatory affairs, Anthony Smith said.
“Additionally, in accordance with the provisions of the Consumer Protection Act, Absa’s customers have specified their consent or not to disclose personal information, which decision Absa respects.”
Smith pointed out that the potential for an errant employee to sell customer information to third parties will always exist across all industries and not just the financial services industry. “The [Absa] Group strictly prohibits these behaviours and technologies are in place in order to both prevent and detect any distribution of customer information outside of the Group,” he said.
“Absa has implemented a number of robust controls which include, inter alia, technologies to prevent and detect any distribution of customer information. Furthermore, Absa ensures its employees are trained and regularly made aware of their obligation to safeguard customer information,” Smith concluded.