How the Internet of Things changes Financial Services

The Internet of Things is going to change the business models of the financial services sector, raising new legal issues.

I have already discussed how the new business models of the Internet of Things (IoT) are going to be disruptive, confronting companies with legal problems that they have never experienced before. The same holds for the financial services sector.

The new models of business of the Internet of Things in the financial services sector

According to an estimate by BI Intelligence, there are currently 7 billion IoT devices, and the number is going to climb quickly to 22.5 billion by 2021. I don’t like this kind of estimate, but there is no doubt that, according to analysts, Internet of Things devices (i.e. connected technologies) will be everywhere around us: in any business, in any device, in any network and even on any individual.

This scenario is expected to create the so-called “Bank of Things”, which relies on the collection of customers’ data from any of their devices in order to offer them different services.

The chart below outlines some of the data flows and the services that can be offered by banks, as well as the ways in which banks can exploit the collected data:

[Chart: Internet of Things]

  • Banks can collect data from any device/machine. This includes both personal data from devices used by their customers (e.g. smartphones, but also wearable technologies) and M2M data collected directly from devices, as happens in the case of sensors installed in their industrial plants;
  • Such data can be used to
    • provide customers not only with services that are better tailored to their needs, but also with benefits linked to their behaviour or, for instance, to the maintenance status of their industrial plant, such as better pricing options linked to the specific scenario applicable to them rather than based on merely static data. The matter will become even more relevant with the coming into force of the Payment Services Directive 2 (PSD2) that, as covered in more detail in this blog post, will turn banks into “platforms” where third party suppliers will be able to plug in their services. The increase in the number of service providers will inevitably increase the volume of data that can be collected, but the actual ability to exploit such data will also depend on the contractual arrangements with such third parties;
    • gain savings, since the analysis of data can enable banks to adjust their business to its actual needs. For instance, based on data collected from ATMs, it is possible to understand which areas need more ATMs than others and therefore change their location or change the number of branches that are open in a specific district; and
    • create a marketplace of data to be exploited by third parties. This is the most interesting (and at the moment least explored) line of business. If sensors are embedded in any device/machine/plant, banks would obtain a massive amount of data that can be a very valuable resource for their business clients that are interested in running any type of business.

New models of business = new legal issues

As happens with almost any change in the way businesses are run, this leads to new legal issues that can be summarised as follows:

1. Privacy issues become bigger

Banks have always processed large amounts of data and had to face privacy issues. However, Internet of Things technologies will increase the size of the issue since

  • data will no longer be collected only from bank accounts, home banking technologies, branches etc., but from any device, car, plant and
  • will be used not only to ensure the proper performance of financial transactions, but to provide services, gain savings and share data with third parties.

This change comes at the wrong time because of the upcoming EU General Data Protection Regulation, which, among other things, will

  1. increase fines up to 4% of the global turnover of the breaching entity;
  2. lead to higher risks of claims from customers, since it introduces the principle of accountability which places the burden of proving privacy compliance on the investigated party;
  3. generate a higher risk of claims from shareholders because of the size of potential fines and claims; and
  4. keep the existing criminal sanctions and orders of deletion of data.

Also, the current draft of the ePrivacy Regulation extends its scope to M2M communications, and therefore privacy rules might also apply to the processing of non-personal data.

Privacy compliance will no longer rely just on the proper arrangement of documents, but will depend on

  1. the ability to map and control data;
  2. the implementation of organisational procedures that can ensure the proper processing of personal data both internally and with reference to third party suppliers/agents; and
  3. the adoption of technologies able to minimise the risk of illegal access to data and to identify unlawful processing in order to react to it in a timely manner.

2. Cyberthreat gets more serious

A larger amount of data collected from different sources inevitably also increases cyber risk. I already discussed in this blog post that Internet of Things technologies, like any technology, cannot be 100% secure.

Companies need to put in place measures to limit the risk of cyber attacks and, if an attack occurs, to be able to prove their compliance with principles of ordinary diligence. These measures include, among others,

  1. the adoption of a cyber risk policy, inclusive of a procedure to handle a data breach;
  2. the subscription of a cyber risk insurance policy;
  3. the implementation of a security and privacy by design approach;
  4. the appointment of a data protection officer.

3. Agreements with third parties need to be “adequately” managed

Given the size of privacy and cyber risks, agreements with third parties that provide services as well as with those that intend to exploit data shall be drafted in a way that

  • ensures the minimisation of risks deriving from third parties, but at the same time
  • guarantees that in case of a data breach or unlawful processing of personal data, uncapped indemnity claims can be brought against banks.

4. Different legal basis shall be considered to ensure data ownership

I discussed the matter in a previous webinar whose recording is available here. The European Commission is currently considering different options in order to ensure ownership of IoT data, but the current viable routes are the following:

  1. data is linked to the device. This is more a factual status than a legal basis, but technology providers tend to structure their platforms/devices so that they keep control over processed data;
  2. data can be protected under copyright law, but this would require an “intellectual effort” in its collection/organization/analysis;
  3. data can rely on the European database sui generis right, which is broader than copyright;
  4. data can be considered trade secrets or can be protected under antitrust regulations, making its exploitation an act of unfair competition.

The European Commission is considering introducing new rights to protect IoT data, but the above are the most frequently available options.

5. Data can be “stolen” through the data portability right

The new data portability right introduced by the EU General Data Protection Regulation is both a resource and a risk for a business. I thoroughly covered the issue in this blog post.

6. Data needs to be used

It seems obvious, but a number of companies are currently collecting data without actually using it, just to create their own database. Such conduct would not only be in breach of privacy regulations, but might also amount to misleading advertising if customers are led to expect an actual benefit from providing their data.

Internet of Things technologies offer interesting opportunities for financial services; the challenge will be to exploit them properly in order to avoid losing market share…
How outsourcing changes with IoT and Artificial Intelligence

Outsourcing agreements might considerably change with the usage of IoT and artificial intelligence technologies.

The battle on liability clauses of outsourcing agreements

A few years ago I published a blog post on liability clauses in outsourcing agreements, defining their negotiation as the “battle”. And indeed, in my experience, negotiations on such clauses, as well as on service levels and the liquidated damages/penalties triggered by their breach, take almost half of the time of a whole contractual negotiation.

The position of the parties is that

  • the supplier cannot accept a liability cap that is excessively high since otherwise the agreement would represent a disproportionate risk for its business, if compared to the price received for the services, while
  • the entity receiving the services does not want contractual limitations in case of suffered damages and wants to be able to quickly recover the suffered damages.

The matter is somewhat “facilitated” in countries like Italy, where limitations of liability for cases of gross negligence and wilful misconduct are null and void. This means that there is not even scope for negotiations on these scenarios, since any restriction on claiming damages under such circumstances would not be valid.

How the battle changes with the IoT and artificial intelligence

The IoT and artificial intelligence are able by definition to predict any malfunction and either prevent it from occurring or limit the negative consequences of its occurrence on the business.

Sensors embedded in industrial plants can provide a clear picture at any time of the status of the machines, and in some cases of the whole production line, ensuring that necessary maintenance activities are performed before a negative event takes place. At the same time, artificial intelligence systems, as well as machine learning technologies, are able to gain a much better understanding of potential forthcoming downtimes and of the measures to be adopted to prevent them from happening.

But if, despite the above technologies, a malfunction takes place, there is a risk of very large damages, since it means that a massive incident has happened.

The above means that

  • service levels might become considerably higher than those currently agreed, because the likelihood of a downtime will be much lower and, if a downtime does occur, the artificial intelligence system will be able to immediately identify the most appropriate remedy; while
  • liability caps might also become higher, since if a malfunction takes place, much larger damages are expected to be generated.

It is likely that the scenario above will materialise in the medium/long term, since it requires Internet of Things and artificial intelligence technologies to become the backbone of the technologies provided. At the same time, there might be a “transitional” phase in which suppliers will still not be able to justify to their insurers and shareholders why high liability caps can be accepted because of the employed technologies.

What is your view on the above? I would be happy to discuss.

Top 5 Internet of Things predictions for 2017

The Internet of Things experienced a massive acceleration in 2016, but what are the predictions for 2017? What should we expect?

After the success of the 2015 and 2016 predictions on the IoT, below are my personal top 5 predictions on the legal issues that will affect the Internet of Things in 2017.

1. The Internet of Things is not just a technology, but will change business models

I have already discussed it on several occasions. The general understanding is that Internet of Things technologies just rely on sensors which can lead to predictive maintenance and additional efficiency. However, this is only part of the picture. A major shift is under way from a business model based on the provision of products to

  1. a business model based on the offering of services and
  2. in the case of B2B transactions, especially those relating to Industry 4.0 technologies, a profit sharing approach.

This shift has considerable legal consequences. Indeed, sensors make it possible to obtain a very large amount of information about customers, not only in terms of personal data but also of trade secrets and confidential information, leading to new legal issues (never previously experienced) on, among others, data protection, intellectual property, cyber security and product liability.

2. Banks and insurance companies will adopt Internet of Things technologies to survive

Connectivity, telematics and digitalisation are not an option for banks and insurance companies. If they want to “survive”, they will have to innovate and – according to estimates – do it fast. FinTech and InsuranceTech are on the agenda of all these companies, but they also require an expeditious change in the approach to the business by the whole company.

But, as I mentioned in a previous blog post, “you cannot do I(o)T alone”. The Internet of Things requires the setting up of partnerships, which need to enable interoperability between technologies of different suppliers. This might lead to major cyber security issues that shall be handled by means of appropriate technical and legal measures, such as the implementation of a cyber security policy in order to test products and a cyber risk procedure to react to cyber attacks, as well as through the implementation of a privacy by design approach and the performance of privacy impact assessments.

Also, when FinTech and InsuranceTech meet the IoT, new legal issues arise as outlined in this post. These issues are often addressed very late by banks and insurance companies, also because they put their legal department out of its “comfort zone”. This is why both the management and the legal department of those companies need to be evangelised about the new legal problems deriving from these technologies.

3. Privacy by design will protect IoT businesses

The EU General Data Protection Regulation (GDPR) poses considerable new risks for Internet of Things technologies, especially given the current uncertainty as to the allocation of responsibilities between the different parties involved and the regulatory obligations. At the same time, as shown by the recent cyber attacks that exploited IoT technologies, it is not possible to be 100% protected from potential cyber risks.

The matter cannot be underestimated given the potential fines provided by the GDPR. Also, the new principle of “accountability” prescribed by the EU Privacy Regulation places the burden of proving compliance with the regulation on the investigated party, leading to what is commonly known as “probatio diabolica” (evidence of the evil…).

The implementation of a privacy by design approach, accompanied by the performance of a privacy impact assessment, enables companies to prove the adoption of whatever was required by applicable data protection laws, putting businesses in a much safer position. However, their implementation requires a continuous review in order to be a valid defence. This review shall follow not only the launch of new services and functionalities, but also the development of technologies and security requirements.

And the matter is even more complex in the case of usage of artificial intelligence technologies that will pose not only data protection and liability issues, but also new ethical issues.

4. Industry 4.0 technologies will lead to a battle on data ownership

Companies are reaching a higher level of awareness as to the value of data. This is relevant when it comes to personal data, for which it is necessary to identify techniques aimed at preserving its value for the business collecting it while at the same time ensuring privacy compliance.

But the matter is becoming exponentially more prominent when it comes to industrial data generated by Industrial Internet of Things technologies. Suppliers and exploiters of Internet of Things technologies are assessing the best placed legal basis to protect their data. Long negotiations are expected on who is the owner of data generated by the usage of Industry 4.0 technologies. Is it more relevant to keep control over data or to have it aggregated into big data in order to ultimately gain a better service?

The above is happening during a period when European regulators are planning to expressly expand data protection and copyright regulations in order to cover data generated/collected by IoT technologies.

5. Blockchain is a resource for the IoT, but the market is still hesitant

The blockchain technology is very useful for the exploitation of IoT devices as outlined in this article. But, also because of some negative publicity around Bitcoin, there are still considerable concerns about its usage.

Companies might not be able to afford the risks associated with a technology which might get out of the control of its exploiters, leading to issues as to the allocation of the relevant responsibilities. However, the adoption of “closed” blockchains might nullify the high level of security ensured by an open blockchain. I wonder whether the right balance will be identified in 2017.
The IoT needs a cybersecurity “gold standard” to tackle data breach fears

No software is 100% secure, and Internet of Things technology is no different. However, because of public perception it is even more important for the IoT industry to find “adequate” safety standards to meet businesses’ and consumers’ cybersecurity needs.