Gavin Littlejohn: The relationship between data privacy and open finance

Sina Insurance news
Key points:
Gavin Littlejohn, Chair of the Financial Data and Technology Association, spoke about the relationship between data sharing, privacy law, open banking and open finance. He noted that in 2018 the EU General Data Protection Regulation and the Second Payment Services Directive (PSD2) came into force; these two instruments profoundly affected how financial data is shared, changed customer protection measures and gave data sharing a broader legal basis. Other countries are also strengthening open-data legislation: Brazil has introduced new legislation called the LGPD and put forward an advanced open banking initiative, Europe is building a more open financial system, and India, Australia, Canada and the United States are all making progress. Therefore, any country wishing to build an open finance market needs to establish customer data rights through privacy legislation and avoid algorithmic discrimination in the provision of financial services.
Transcript:
Good morning. My name is Gavin Littlejohn. I chair the Financial Data and Technology Association, which is an association for firms operating financial technology that campaign for open banking and open finance across many markets in the globe.

I am going to talk to you today about the junction between data sharing, privacy law and the role of open banking and open finance, particularly the trend in how it affects institutions in the banking sector and new market actors, how it affects customers, and also how it is seen through the lens of policy.
In 2018, the European Union General Data Protection Regulation (GDPR) came into force. A few months before that, at the start of 2018, the Second Payment Services Directive (PSD2) came into force. Taken together, those two pieces of EU-wide legislation have made a material impact on the market landscape for how financial data is shared and what the protections are for customers.

If we take the case of open banking, for instance, we can see that prior to that coming into force, the ability of a customer to have adequate liability protection, or certainty about what would happen to them if things went wrong, was not particularly clear. So PSD2 made a great effort at tightening that up.
The General Data Protection Regulation applies, though, way beyond financial services. It applies to all companies. I would characterize it as having a more general approach to things like data privacy and the rule of explicit consent. But I think until you really get to know the details of the legislation, it is often assumed that it is just locked onto data sharing. In actual fact, GDPR has a wide range of legal bases for data sharing, including in the public interest, including for things like public protection, such as investigating money laundering or organized bribery. The data can be shared for those purposes. The data can be shared by a data controller with partners who need to help, for example a large bank under contract, where the large bank still has some responsibilities for the oversight of the data processor. We also have the ability for the customer to opt in, by consent, to having their data shared, as one of the bases on which data can be shared by the data controller with another party.
It is quite complicated, though, because GDPR has many parts to punish companies if they don't adhere to the rules of data sharing, and at least has one legal basis for sharing data as a servant of their needs. It can be very easy at that point to think that because the company can be punished, the customers are protected. But that is not the case. In fact, there is no real liability protection written into GDPR that figures highly in looking after customer needs when things go wrong.
So in the Second Payment Services Directive we do see a much stronger set of protections for the end customer. So, when the banks are required by their customer, through explicit consent, to share their data with a regulated actor of the customer's choice, which is what we describe as open banking or open finance, then under PSD2 (which, being a payment services directive, only applies to payment data so far) the customer has a right of recourse against any actor in the ecosystem who has had a data share with them, if that company gets hacked or misuses the data. In fact, PSD2 makes it very clear that these third-party providers have a liability to meet the customer's needs, and in order to make sure that even companies that are fintechs with a thin balance sheet can do so, they have to put in place cyber-risk insurance as part of that process.
Taking it further, though, and looking at what is happening across other markets, we can see that if you go to South America, to Brazil, they have a new piece of legislation, the LGPD, which is, to a certain extent, broadly similar to GDPR. And, like in Europe, we have seen it build the building blocks for financial services to make a more open ecosystem. Brazil now has a quite advanced open banking initiative.

In Australia, we have the Customer Data Right. Again, it is pretty much consistent with the fact that the customer has rights in data and can choose to share them as they wish. In Australia, though, they have made it very clear that they are going to go beyond payments data and financial services in general, and into utilities, telephony and a whole range of other things where the customer has rights in data.

We see a similar process in India, with the new Data Protection Act and the new data aggregation by the Reserve Bank of India. India has really successfully developed an identity solution and a unified payment interface that they are building on top of that, to enable all financial services, on the legal basis of customer rights in data, to be shared with regulated actors of the customer's choice.
We can see in all of these domains, in Brazil, in India and in Australia, some of the requirements we have in the European Union, including the UK, of actually requiring the party who receives the data to go through some kind of accreditation process. That is typically done by a financial regulator or, in the case of the Customer Data Right, the Treasury. The oversight is by the competition watchdog.

Turning to North America: in Canada, they recently renamed the initiative they had on open banking as consumer-directed finance, and that is attempting to build upon the discussions emerging on privacy, and also on the idea that the customer should have rights in their financial data in order to share it.
In the US, because of the federal, state-by-state legal system, it is becoming slightly untidy, with privacy legislation emerging in California and coming into force in California, and other states in the process of working on the delivery of privacy legislation. I think, from a bank and fintech perspective, it is becoming slightly untidy because there are too many forms and many rules restricted just to one state, and it is becoming difficult for companies to keep a consistent approach to how privacy is dealt with. I know the US authorities are looking at that, and there is a lot of building pressure on the US Treasury and other regulatory authorities in the US to really begin to piece together a proper strategy to enable that market to flourish with more ease.
I think we can see that in markets where a customer data right has not been established, the role of open banking and open finance has been materially inhibited and has become more of a data and technology play rather than being based on the rights of the customer. That leads to competition failings and restrictions on innovation, I guess an uneven playing field for market participants, and very few adequate protections for the end customer. So we are advocating in FDATA, which I chair, we are advocating very strongly, that any country that wants to build the way towards an open finance marketplace does so on the basis of having first established clear customer data rights through privacy legislation. It just makes the rest of the processes much easier to implement.
Going beyond those initial building blocks - privacy, and the really important piece of consent - we see consent as something that can be both governed and taken away. And the customer should have the right to be able to choose not to share the data at some point. That is one of a number of new places where data privacy law and open finance requirements really have a little bit of tension, because normally in privacy law you have the right to, or the expectation of, data minimization. If we think of that in financial services, and you don't know your customer well enough because you have chosen to take thinner slices of their financial data, you could also be accused by the financial regulator of mis-selling a financial product. So the companies that are operating in this domain have to learn how to find a balance.
There is also, typically in privacy legislation, the right to be forgotten. That remains in tension with the requirements on financial services companies for other record keeping. That refers not just to when you have sold a customer a product; you also have to have financial record keeping to show where you have chosen not to sell a financial product, particularly if customers apply for something, for example credit or insurance. They may have a right of recourse to the regulator to see whether they have suffered from any discrimination.
With this works, companies that operate in this domain are actually just having to focus on their financial services obligations and spend a lot of time documenting and building in processes. GDPR set out a lot of things to write up and build in as it came into force. Financial services companies, particularly the large ones, didn't go through quite a lot of that process. In actual fact, the larger impact on old financial services was that there were a lot of practices which were not very well supervised in the market about the whole of the customer data which was used. In financial services as a whole, there was already quite a strong basis of regulation: of treating customers fairly, of not misusing their data, or of not mis-selling financial products. I think, on the whole, the privacy legislation that came in - the GDPR, from a European perspective - was not a particularly arduous thing for financial services to deal with, because they already had data privacy officers and compliance officers to just check that their paperwork and processes were adequate for the jobs they had to do.
As we see the increasing use of algorithmic distribution of financial services, one of the most important things that is known to be really worked on and contemplated across multiple markets is the impact of the massive use of data in a way that may create discrimination and bias against customers. So we see a number of programs to effectively provide test environments for algorithmic bias, and there have been a number of findings that are not wanted. So I think we can expect the next wave of financial services and data regulation to come.

Thank you!