Case Study: Raiffeisen Bank

My name is Manuel Schwarzinger. I am with the Raiffeisenlandesbank, and I am responsible for I.T. Digitalization Data Management.

I would like to talk about the big project where we are aiming for the goal gathering MAXIMUM USAGE from our data and being compliant with all the legal restrictions we have, for example GDPR.

The initial situation for us was, we have huge amounts of data we have to collect about our customers in case of dealing with them in specific financial services and transactions. Of course, we know quite a lot of things about our customers and there would be many use cases for secondary usage of data.

Secondary usage could be repurposing the data using the data beyond the original purposes. For example, analytics, which is more from a marketing perspective. Also, for Artificial Intelligence (AI) and Machine Learning (ML) algorithms to improve the personalization upselling and cross selling the marketing capabilities.

Other aspects for secondary usage is the point of data sharing and combining. We have several companies in our group and sharing and combining the data between those companies to maximize the value with adding information from one side to the other side would multiply the use of data.

This is also one goal, how to make these things possible. With this project, we want to maximize the information and benefit out of the data with full compliance with all regulations, especially GDPR. Let me spend a few minutes on the basic idea behind BigPrivacy (Anonos) and the Hitachi solution.

Being compliant with GDPR, there is one very critical issue, you have to separate the information value of the data from the identity behind the data. First of all, you have to make sure that there are technical and organizational measures to separate information data from the means of identifying the subject. It is okay to have the information, but it is must not be possible to identify who is the person behind the data.

Secondly, you have to have the additional information to make the data relinked with the person, you have to separate this, and the additional information must be separately stored and made only available to those persons who are authorized to remake the data.

This is the point where Anonos and Hitachi found out this concept of Variant Twins. Variant Twins are a very important term with privacy.

I've tried to systemize the use cases and a quadrant looking logic.

The first quadrant “A” which is internal use of the data for optimization of the internal use. This means use it for data for internal development and testing for internal statistics. This is already done before without Pseudonymisation because this is something you have to deal with as a bank. It's not really a problem to do it without Pseudonymisation, but we want to be on the safe side for any reason we are also focusing on this use cases.

The quadrant “B” would be the same with external partners working with the data, which means we have to use data for developing data driven tools for internal purposes. But we are developing those tools not on our own, but with external partners. This is the reason why we have to make sure that the data we are providing our external partners is fully compliant with all the GDPR regulations.

Quadrant “C” is having benefits in terms of monetization, in internal using the data. For example, we are trying to develop services with real customer benefit and the customer is willing to pay for the services. This is the quite classic situation with cross and upselling signals. This is also done before, but there are of course, significant restrictions in using the data for those use cases.

Quadrant “D” would be sharing data with external partners to enrich the data, providing the data for external partners to develop innovative services and this is in most use cases, not compliant with GDPR. It's sometimes really hard to deal with this use case.

The goal is developing a database analytic model to identify customers with potential credit rating risk. Identifying them and aware early point of time. Even earlier than they have the credit rating risk. Their value from the BigPrivacy solution is, we are able to develop the model with external partners using real data but completely Pseudonymised real data. So, the data is 100% consistent, it's 100% real but it's not linkable with the customers behind.

An expected benefit from our point of view is identifying the risky customers earlier and with the early identifying we are able to handle the risks much better, and maybe help them to get out of the problem situation. And, finally not to lose money for the bank. The second use case is the data enrichment within the group entities. This means combining insights of group entities to create customer benefits. Their added value from the BigPrivacy solution is we can share insights with intergroup entities, but only sharing the insights and not the identity behind the insights. This can help us to identify the customer needs more accurate, and it's a real large cross and upselling potential in all the group entities.

Last but not least, we want to open the data for innovative cooperation which means providing data with full color consistency and full quality for verifying ideas and ideas of some startup. They are able to use real data but also in a full, Pseudonymised way. So, there is no problem with GDPR. The expected benefit for us and the customers is having some real cool services, developing some cool services they are willing to pay for.

Finally, it's a benefit for the customers and also for us as a company. So, this was in a quite short way, the outline of our BigPrivacy project at Raiffeisenlandesbank.