
SCA (Strong Customer Authentication), in combination with the General Data Protection Regulation (GDPR), has accelerated the discussion of customer privacy and of the minimum information required for a transaction. GDPR has championed awareness of data minimization and purpose limitation: in essence, a company may only ask for the minimum information needed to make a decision. For example, an institution only needs to know whether a customer is older than 18 today, as opposed to storing his or her date of birth in perpetuity. Meanwhile, SCA requires multifactor authentication, and capturing personal data specific enough to meet increasingly stringent know-your-customer (KYC) and anti-money-laundering (AML) regulations. Both have led to entire database systems being rethought and redesigned. For financial services this means that data systems must be designed around the minimum information required for any given transaction. A bank can't copy and store a customer's entire financial history in perpetuity to make a credit scoring decision if all it needs to know is, say, that the customer has paid the last two years of utility bills on time. A comparable change occurred, perhaps, when centralized computing gave way to distributed computing. In the centralized model, a terminal sent someone's date of birth to a central server, which calculated the customer's age and returned the result to the terminal; transmitting the date of birth exposes personally identifiable information both in transit and on the server. In the distributed model, the terminal performs the age check itself and transmits only the answer the decision needs, such as "over 18: yes", so no personally identifiable information leaves the terminal. Note that an exact age is still personal data: the minimization pays off only when the value transmitted is the predicate the decision actually depends on, not a finer-grained intermediate from which the original can be narrowed down.
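The edge-side derivation described above, as an added example that is not code from the original article: the full customer record stays where it is collected, and only the two yes/no claims the credit decision needs (adult, and two years of utility bills paid on time) are produced for transmission. The record layout, the claim names `is_adult` and `bills_paid_on_time_2y`, the two-year window and the sample data are all assumptions made for illustration, not anything the article specifies.

```python
from datetime import date

# Added example, not code from the page. Claim names, the record layout and the
# sample data below are assumptions made for illustration.

# Constructed sample: the full record a "send everything to the server" design
# would transmit. The decision only needs two yes/no facts derived from it.
FULL_RECORD = {
    "name": "A. Example",
    "date_of_birth": "2004-02-29",
    # (due date, paid date or None if unpaid), ISO 8601 strings
    "utility_bills": [
        ("2020-02-15", "2020-02-20"),  # late, but older than two years: ignored
        ("2020-06-15", "2020-06-14"),
        ("2021-01-15", "2021-01-15"),  # paid on the due date counts as on time
        ("2021-09-15", "2021-09-01"),
        ("2022-01-15", "2022-01-10"),
    ],
}

# The only fields the decision service is allowed to receive (purpose limitation).
ALLOWED_CLAIMS = frozenset({"is_adult", "bills_paid_on_time_2y"})


def add_years(d: date, n: int) -> date:
    """d shifted by n years; a 29 Feb date rolls to 1 Mar in a non-leap target year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # 29 Feb does not exist in the target year
        return date(d.year + n, 3, 1)


def is_adult(dob_iso: str, as_of_iso: str, threshold_years: int = 18) -> bool:
    """True once the person has reached the threshold age on the as-of date."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    return as_of >= add_years(dob, threshold_years)


def paid_on_time(bills, as_of_iso: str, years: int = 2) -> bool:
    """True if every bill due within the last `years` years was paid by its due date.

    An empty window returns False: absence of bills is not evidence of good standing.
    """
    as_of = date.fromisoformat(as_of_iso)
    window_start = add_years(as_of, -years)
    in_window = []
    for due_s, paid_s in bills:
        due = date.fromisoformat(due_s)
        if window_start < due <= as_of:
            in_window.append((due, date.fromisoformat(paid_s) if paid_s else None))
    if not in_window:
        return False
    return all(paid is not None and paid <= due for due, paid in in_window)


def minimized_claims(record: dict, as_of_iso: str) -> dict:
    """Derive only the predicates the decision needs; raw DOB and history stay local."""
    claims = {
        "is_adult": is_adult(record["date_of_birth"], as_of_iso),
        "bills_paid_on_time_2y": paid_on_time(record["utility_bills"], as_of_iso),
    }
    # Guard against a later edit sneaking a raw field into the outbound payload.
    extra = set(claims) - ALLOWED_CLAIMS
    if extra:
        raise ValueError(f"payload carries non-allowlisted fields: {sorted(extra)}")
    return claims


if __name__ == "__main__":
    print(minimized_claims(FULL_RECORD, "2022-03-01"))
```

Two design choices are worth calling out. The outbound payload is checked against an allowlist of claim names rather than a denylist of PII fields, so a new raw field cannot slip through by default. And an empty evidence window is reported as `False` rather than `True`, so a customer with no bill history is not silently treated as one with a clean record.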

Data privacy and minimum required information


Open finance/banking