A customer-centric approach has become an imperative in the financial services sector, increasingly supported by the processing of vast amounts of market and customer data, among other factors. However, the complex and ever-changing regulatory environment presents challenges for personal data sharing. This Viewpoint shares some best practices for addressing these challenges to unlock the full potential of personal data in the bancassurance sector.

UNLOCKING THE FULL POTENTIAL OF DATA

Banks and insurance companies collaborate to offer more tailored products and services than those they can develop on their own. However, effective customization only works through a deep understanding of the customer’s personal situation. Thus, accessing the largest volume of meaningful personal data has become the crucial factor in offering products and services adapted to each client’s needs and behaviors. The alliance between banks and insurers allows them to make the most of both worlds: extensive knowledge of the customer and a wide sales distribution network with deep expertise that can be translated into simple, tailor-made solutions and products.

Despite being theoretically clear, achieving a smooth collaboration is a complex challenge; data ownership, multiple stakeholders, different companies and roles, independent strategy roadmaps, a broad range of opportunities, and privacy and compliance constraints are some of the challenges banks and insurers face. Overcoming these issues and implementation obstacles requires an enterprise approach structured around four workstreams (see Figure 1):

1. Business — understanding the potential of data, prioritize data-sharing opportunities, and define feasible roadmaps

2. Legal — ensuring regulatory compliance, managing customer consent, and developing privacy policies

3. Technology — deploying the required technology stack to capture and process data properly and at the right time

4. Operating model — coordinating teams and capabilities from opportunities identification to implementation

BUSINESS: UNDERSTANDING THE POTENTIAL OF DATA

Aligning business strategies between banks and insurance companies is essential for successful data-sharing initiatives. Both banks and insurance companies (and the potential joint ventures involved) face a wide array of opportunities when diving into the data world. Data-driven opportunities are typically presented as use cases where a specific application of personal data processing is described for a clear objective.

To ensure that the identification of use cases translates into delivering real value to customers while providing a coherent user experience, it is necessary first to set clear priorities and objectives. This step may involve identifying key customer segments, drafting marketing campaigns, designing innovative products and services that cater to specific customer needs, and so forth. By aligning the business strategies among all partners, the organizations involved can maximize the benefits of data sharing and drive growth in a pragmatic and non-monolithic manner.

A four-step process can be a helpful tool to translate ideas into feasible implementation roadmaps:

1. Define short- and long-term ambitions for use of data. Each company has its own priorities (e.g., innovative products, excellence in customer service, use of Internet of Things), and these should be reflected in the ambitions.

   • Example of long-term ambition. Develop more innovative products and customer service; ensure offered products and customer service are both provided in a tailored way to each customer.

   • Example of short-term ambition. Increase average number of products per customer; include variables related to personal circumstances (e.g., if someone recently became a parent or started entrepreneurial activities) to better understand and serve customers.

2. Translate ambitions into data use cases (e.g., definition, dataflows, impact levers). Upon defining ambitions, workshops may be helpful for use case identification and definition.

   • Example of short-term ambition translated to use case. Create a trigger to detect when a customer becomes or is about to become a parent and offer a tailored life insurance policy. Be sure to involve experts from different areas in the identification of use cases and consider the portfolio and business dynamics of each company since different use cases might have significantly different impacts. For instance, although offering simple bancassurance products at the right moment might have good penetration, improving retention and renewals might translate into a larger economic impact.

   • Define clusters or segments to ease identification of use cases. As shown in Figure 2, identifying potential use cases might be easier when thinking about the different steps of the customer journey.

3. Classify use cases according to stakeholders’ preferences and conditions. Classification cannot overlook economic aspect (business cases needed), companies’ capacities, and defined ambition. These are typically addressed in two steps:

   • Qualitative classification into high, medium, or low priority based on use case’s enabler nature (i.e., eases future implementation of other use cases), alignment with overall company strategy, ease of implementation, and potential impact (high-level estimate)

   • Final classification, considering detailed business cases of high-priority cases (i.e., the “winners” of previous classification)

4. Establish implementation roadmap for priority use cases validated by all stakeholders. It is important to consider in which entity the use case will be deployed as it will determine resources needed for development.

• Example across stakeholders. If all the priority use cases will be developed on the bank side, there might be delays, while the insurance side might show spare capacity.

LEGAL: REGULATORY COMPLIANCE PRIORITY

The first challenge that may come to mind when thinking about personal data sharing is how to navigate the complex legal landscape surrounding personal data protection. Banks and insurance companies must comply with regulations, such as the General Data Protection Regulation (GDPR) in the EU, the California Consumer Privacy Act (CCPA) in the US, or similar regulations elsewhere. These typically require organizations to obtain explicit consent from customers before collecting, processing, and sharing personal data. Additionally, companies must ensure data is securely stored and protected from unauthorized access.

The legal workstream has a clear and concise mandate: to build a balanced and comprehensive legal framework that allows the implementation of data use cases in the short and long term. Notwithstanding, wording this legal framework so it is acceptable to everyone can be challenging without the proper support and guidance from the business side. Additionally, customer consent is not the only component of building the legal framework; legitimate interest, privacy policies, and the use of anonymization technology solutions are powerful resources that might speed up implementations and even provide extra security in the eyes of regulatory bodies.

Every partnership should be analyzed in depth. Considering the particularities of each legal setup, four key learnings can always be applied when addressing data-sharing opportunities:

1. Define the potential use cases. A detailed definition of the potential use cases (short-term and long-term), including which personal data and dataflows are required, is crucial before beginning to build the legal framework, since it must be as specific as possible to ensure robustness. Collaboration between legal and data analytics teams is necessary for the right trade-off between the criticality of personal data and the accuracy of the developed models. For example, geolocation may be critical data that could instead be replaced by postal codes without hindering the accuracy of the resulting model.

2. Consider and leverage different legal enablers at different stages of a use case. Data analytics models typically require a training stage before deployment and the corresponding data processing in each stage can be significantly different. Thus, the legal framework should be ready to handle these two ways of working with data analytics models.

3. Manage customer touchpoints. Efficient management of the customer touchpoints is key for collecting a larger share of customer consent and ensuring regulatory compliance.

4. Employ anonymization techniques. Anonymization techniques can enhance data protection. However, the anonymization process is also subject to regulation and might shrink the potential impact of a use case if not applied efficiently. There are anonymization techniques that preserve the greatest amount of information while ensuring the regulatory compliance of the result (typically measured by the K-anonymity and L-diversity factors of the resulting anonymized base) and federated learning techniques that allow the training of models with all the available information and no “physical” data sharing between parties.

TECHNOLOGY: DIAGNOSIS & ALTERNATIVES

Since there is no best platform alternative a priori — development of a new shared bank-bancassurer platform, migration to one of the available platforms, coexistence/communications between existing platforms — each case should be studied considering the stakeholders’ particular circumstances and strategies.

Despite a plethora of alternatives, some essential analyses should be used to endorse the one selected. Among these evaluations is the relationship between entities. For example, one stakeholder might be a subsidiary of the other and thus its platform might be embedded in the parent environment. Other key considerations relate to specific software licenses, security, and access control. These issues must be examined closely by IT security and the legal department. These assessments become even more complex when linked to platform-evolution roadmaps where updates and improvements occur repeatedly following a sprint-based methodology.

This complexity is one reason technology diagnosis and the methods for evolution translate into endless discussions. Nevertheless, we have identified one ultimate truth: technology cannot drive business opportunities or use cases. Instead, business must point out opportunities, and technology should be used to find the necessary enablers to engender those opportunities since there is always a way to make things happen.

OPERATING MODEL: IDENTIFICATION TO IMPLEMENTATION

Overcoming the previous challenges can be meaningless without the appropriate coordination. The coordination needed for data use cases is even more challenging considering that adopting a data-driven business requires the active involvement of top management roles, cooperation among teams from different areas, and continuous monitoring of results and performance.

According to Arthur D. Little’s (ADL’s) experience, a three-level governance model (see Figure 3) allows for defining and implementing data use cases with a real business impact:

1. Business committee/board. Top management roles must be responsible for identifying opportunities and setting the priorities to be tackled through data. These opportunities and priorities must be coherent with corporate ambitions and interests. Despite the business committee not being in charge of defining the actual use cases, it must set and endorse the implementation roadmap to ensure necessary commitment among all parties.

2. Strategy and governance committee. This committee is not only in charge of detailing how to implement and run each use case but also of allocating the necessary resources to meet the roadmap defined by the business committee/board. Technology and legal team members must be involved in the use case, detailing activities since their input is crucial to ensuring an adequate customer experience and regulatory compliance.

3. Project committee. This committee's responsibilities go beyond the implementation of use cases, since monitoring and fine-tuning are compulsory activities for success in a data-driven business. Assigning an owner to each use case helps generate initial traction after use case deployment and provides the business committee/board enough visibility on business needs for future opportunities.

Once again, every partnership should be analyzed in depth. The different structures of each partnership (e.g., bank + insurer, bank + insurer + joint venture, etc.) can add extra complexity to the definition of the governance model. According to ADL’s experience, this extra complexity can be handled by ensuring the segregation of duties (as previously described) and maintaining an “as reduced as possible” audience in the different committees.

Conclusion

THE PATH FORWARD

Aligning business strategies and setting clear objectives are vital steps in delivering real value to customers and providing a coherent user experience. Organizations must navigate the complex legal landscape surrounding personal data protection while building a balanced and comprehensive legal framework. Technology should not drive business opportunities or use cases; instead, it should find the necessary enablers to realize them. Lastly, effective coordination between banks and insurance companies is essential for the successful implementation of data analytics models.

By adopting a structured approach, banks and insurance companies can unlock the full potential of personal data sharing and drive growth in the bancassurance sector, enabling innovative product and service offerings that cater to customer needs. As the industry continues to evolve, organizations must remain agile, constantly reassessing their strategies and priorities to ensure they are meeting the ever-changing needs of their customers.