There are no globally accepted standards for the internet of things (IoT) security. Fears around data breaches linger because the consequences of weak IoT security can be severe. Weak security around smart electricity meters can compromise critical national infrastructure, while inadequate IoT security in connected cars can lead to fatal accidents.

Listed below are the key regulatory trends impacting the IoT theme, as identified by GlobalData.

IoT regulation

The rapid growth of the IoT market has raised several security concerns. These typically revolve around the lack of regulation and the lack of common IoT standards. Legislation covering IoT security remains a fragmented patchwork of laws.

As IoT deployments grow, governments have started to focus on this issue. New governance measures are also gaining traction. In May 2020, the US’s National Institute of Standards and Technology (NIST) released the Foundational Cybersecurity Activities for IoT Device Manufacturers guidelines. Similarly, the European Telecommunications Standards Institute (ETSI) has released a technical specification guide on Cyber Security for the Consumer IoT segment, which outlines leading security practices for consumer IoT devices.

Data privacy

More ‘things’ connected to the internet create more data points for commercial providers to capture, data that users and customers may not have explicitly permitted them to collect. Apple, as a handset provider, has done much to enable permissions to be turned on and off easily per application within mobile devices, but when devices multiply and interact with each other, it is more difficult to provide informed consent, even if it is requested.

Also, with new technologies like IoT, data is recorded automatically (for example by sensors, or by CCTV linked to facial recognition) or is produced or inferred from other data using more complex methods of analytics, such as machine learning (ML). The growing use of biometrics is generating additional data types, such as iris scans and fingerprints, for which governance frameworks and methodologies do not always exist. ID Finance, for example, incorporates behavioural biometrics into its AI-based fraud scoring engine to boost loan approvals and reduce the incidence of non-performing loans.

Another stumbling block toward the use of IoT in banking is the need to work with Apple, Google, Samsung, and other Big Tech companies to integrate any fintech IoT offering into a broader product ecosystem. This would only increase the complexity of data privacy and security.

Open banking IoT

The promise of IoT in banking is cross-sector automation, which drives much deeper customer insight and convenience. Whereas many customers today manage their financial lives through discrete applications, IoT promises to integrate these services and then automate them. Part of that is dependent on agreed standards for what data to share, when, and how.

In the US, aggregators like Plaid help break down the barriers between products and providers, so consumers can interact across different applications. But the next step is to automate process steps within each discrete application to ensure optimal consumer outcomes.

Consent management

The most useful data—whether it be customer location or enriched transaction data—has to be enabled or allowed by the customer, and this is not always forthcoming in the absence of some clearly defined benefit. Banks will need to formalise an approach here, train staff to handle objections, and clearly explain privacy laws and the benefits of sharing data. In addition to service calls, customer support will need to field calls related to deployed devices.

It is critical that customer consent is given freely, is specific to the intended data usage, and is informed, unambiguous, and revocable at any time. Securing customer consent for new services is very challenging, particularly if the customer data will be shared with third parties. Emphasis must be placed on the fact that a customer’s consent can be revoked at any time, which means that data governance processes have to be in place to enable the deletion of such data.

A related issue is that many corporate data-privacy initiatives are too technical or legalistic for the everyday customer. Consent management as a function needs to be driven by teams that sit across technology, business, user experience, and compliance. To this end, some larger financial services providers have invested in full-time data relationship managers, who work specifically on delivering messages in a way that is not only understandable but also valuable to the end user.

This is an edited extract from the Internet of Things (IoT) in Banking – Thematic Research report produced by GlobalData Thematic Research.