In brief

  • Data privacy is an essential concern in financial services, but a nation-wide, common framework around consumer data privacy does not yet exist.
  • The frameworks in response to regulatory initiatives can be repurposed to build stronger client relationships, emphasizing five core capabilities.
  • A control framework helps firms address privacy risk and identify the areas of focus and the questions they should ask, as well as who should respond.

Consumer data privacy is more important than ever for financial services providers, especially in an era where data is migrating to the public cloud and providers are hyper-focused on culling data for stronger personalization. But as long as big data breaches make headlines, trust in firms to protect data is eroding—and that erosion has a cost. Accenture’s “Data Privacy: A platform for building trust-based relationships in financial services” reports that large, private sector firms could lose an estimated $5.2 trillion in value creation opportunities over the next five years due to eroded trust in our digital economy.

Industry groups, led by the Business Roundtable, a trade association representing over 200 CEOs from leading U.S. companies, are seeking common ground at a national level regarding a framework for consumer rights and data privacy. We hope a national privacy law emerges from this effort. In the interim, financial institutions should expect to face overlapping legal compliance requirements and potential litigation risk.

Building the foundation

Financial services firms should start by assessing how information enters their organization and how it lingers within applications. Likewise, they should examine the complexity generated by unstructured data sources over decades of organic and inorganic growth. Firms that can grasp their customer data challenges in innovative ways can differentiate themselves in a competitive marketplace.

Financial services institutions are investing in holistic activities, approaches and tools to address compliance needs related to emerging privacy regulations such as consumer rights.

Many institutions in the U.S. have put frameworks in place to respond to large-scale legislative requirements, such as the European Union’s General Data Protection Regulation (GDPR). These can be repurposed to proactively build stronger client relationships, with an emphasis on five core capabilities:

Privacy program governance

Financial institutions can consider establishing roles such as data protection officer or chief privacy officer, or raising existing roles' stature, so they are authorized to highlight risks and make required changes.

Data discovery and classification

A privacy program may need to focus closely on discovery, inventory and classification of personal information.

Process design and implementation

Providers may want to design processes to manage all client requests related to privacy—from beginning to end—including access to information, opt out or erasure requests.


Institutions should leverage capabilities to protect personal data across all applications, workstations, servers and the data supply chain, in accordance with the overall privacy strategy.

Training and awareness

Providers can offer training at two levels—enterprise-wide training to build overall awareness, and role-based training for front line staff handling consumer inquiries, ranging from consumer contact teams to social media specialists or those managing online platforms.

Establishing a control framework

Each function has a role to play in a data privacy transformation, but all functions should be aligned in terms of business strategy and execution. As for the three lines of defense, each has a specific area of focus that its senior stakeholders and teams should pay attention to during the transformation.

  • First line of defense: Business and operational management can help keep the focus on the consumer while dealing with near-term priorities such as how the business can process data access requests.
  • Second line of defense: Those directly responsible for risk management can coordinate privacy policies and associated controls related to data collection and information request procedures, while providing a sustainable and suitably high-touch advisory model for the business going forward.
  • Third line of defense: Audit functions should broaden their focus on privacy to properly address the expanded scope of programs and controls going forward, and to prioritize the items for management attention.

Beginning the transformation

In today’s data-rich business environment, financial services firms have an opportunity to seize. Through a comprehensive framework, and existing data privacy structures and processes, they can create more transparent, trust-based relationships with clients.

Why stop at mere compliance? Financial services firms can design a holistic approach that lets them create differentiated, customer-focused outcomes.

About the Authors

Samantha Regan

Managing Director – Strategy & Consulting, CFO & Enterprise Value

Gracie Pereira

Managing Director – Accenture Security Financial Services

Ben Shorten

Managing Director – Accenture Finance & Risk

Gregory Ross

Senior Manager – Accenture Finance & Risk

Timothy Lisko

Security Principal Director – Accenture Security

