Suncorp is concerned that activities to prevent scams and unauthorised transactions could become collateral damage if future privacy laws curb certain uses of customer data.
Speaking on an ADMA privacy webinar in May, that was released publicly only last week, Suncorp’s government industry and public policy manager Lachlan Rees said customer data played a “crucial” role “for both our banking and insurance operations”.
Permissible use cases for customer data are an ongoing topic of discussion in the Privacy Act review, with implications for a broad range of data-driven sectors, including marketing.
Rees acknowledged the potential for data-driven marketing to become more expensive and potentially disruptive to customer experience - if they are asked for consent too often, for example.
However, Rees noted concerns within Suncorp that more high-profile “data-for-good” use cases could become much harder to perform in future.
“Customer data gives us crucial insights, not just on risk profiles or spending patterns, but also things like how to prevent and detect scams…, looking for vulnerabilities and where we can provide support to customers,” Rees said.
“That’s what our customers expect us to do. That’s how they want us to be using data, and to some extent it’s also what our regulators expect us to be doing as well.
“So I think the concerns are really that we might not be able to use data in the way that we know we need to to manage and operate services, but also to market and also for things like what we sometimes call ‘data for good’.”
Rees explained the anti-scam use case in more detail; essentially, the company worries a broad right to opt-out of data collection or use by the company could have unwanted impacts, including on its ability to carry out what it sees - and potentially financial regulators also view - as important work.
“One of the things that banks, for example, can do is they can link a merchant payment system to an individual’s geolocation data, and that helps us to manage things like unauthorised activity, transaction scam activity, that sort of stuff,” Rees said.
“There’s a bit of a concern that any restrictions on the ability to do things like that, through opt-outs and the like, might weaken our ability to actually use that sort of data for good purposes like preventing and identifying unauthorised activity.”
Suncorp’s comments provide a glimpse into its position on the revision of Australia’s privacy laws.
Though many enterprises have made submissions to various consultations over the past couple of years, not all have been made public.
The Privacy Act review was handed down earlier this year, with 116 recommendations; the government is presently consulting on which of the recommendations it should formally adopt.
Submissions to that consultation closed back in March, and some individual organisations have dripfed their submissions ahead of official publication.
The timing of an exposure draft of a revised Privacy Act remains unclear; Rees suggested it could materialise before the end of the year, though he added that it could be a few more years yet before a any changes pass into law and deadlines for industry compliance come due.
Suncorp is presently trying to sell its banking business to ANZ.
In regulatory filings [pdf], ANZ has stated that future Privacy Act changes pose unknown risks to data and information use cases.