Introduction
Over the last year or so, members of the ADPO executive committee have had the pleasure of consulting on a very interesting and worthwhile study with a professor of Finance at University College Dublin. The professor in question is Professor Cal Muckley, who is carrying out research with another academic from Maynooth University and with Assistant Professor Shivam Agarwal from Rennes School of Business in France. Their research has produced some very valuable and beneficial findings: it has found a link, of first-order importance, between changes in the money management behaviour of older adults and the onset of dementia. This potentially means that financial institutions may be able to flag worrisome behaviours as worthy of investigation by medical professionals, and so help predict Alzheimer's disease sooner in more mature customers.
Professor Cal Muckley's argument is that financial institutions have a responsibility, wherever possible, to protect customers who may be vulnerable, such as older adults. The idea of Money Management Difficulty (MMD) allows banks to look at changes in spending patterns to help predict illness in the vulnerable. His study investigates whether difficulties with everyday financial tasks like paying bills and making pension decisions can be an early indicator of dementia.
Professor Muckley and his co-authors developed an AI model using various clinical and personal factors, including MMD, to predict a dementia diagnosis. The research consistently found MMD to be the most important indicator, even after accounting for other factors such as age. By identifying customers who may be vulnerable to dementia, financial institutions can take steps to protect these customers and support them in making informed decisions about their finances.
Safeguarding the Health of Banking Customers with Explicit and Informed Consent
On the surface, this study demonstrates amazing potential for using financial behaviours of customers to provide the additional benefit of alerting them and their loved ones to potential health challenges and by so doing, allowing customers to take preventative measures to improve their health outcomes.
The research can also help inform discussions that bank customers may need to have with their loved ones about transferring financial control to a reliable agent, especially in cases where an individual's cognitive abilities may be already in decline. By doing so, financial institutions can help protect vulnerable customers and ensure their financial well-being.
If we reflect a bit more about the findings of this study, we can also see that it raises important questions about the implications of using personal data to predict cognitive decline. Under the General Data Protection Regulation (GDPR), companies are required to collect data for specific, legitimate purposes, and the use of financial data to predict health conditions could blur the lines of what is permissible under the regulation. Financial institutions typically collect customer transaction data to provide banking services, not to provide health-related monitoring. If they were to expand their processing of data to predict dementia, they would need to clearly justify this new purpose in their privacy statements and to their customers.
The findings of the paper raise a very important question about whether financial institutions could or should legally process such sensitive/personal information without obtaining explicit consent from their customers before commencing processing and whether the predictive use of MMD falls within their original data collection purposes. Upon initial reflection it would seem to fall distinctly outside the original purpose, which would usually be either performance of a contract, fulfilling a legal obligation around Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) requirements or perhaps for the purposes of financial audits and compliance with national and EU-level banking regulations.
Any kind of data relating to an individual’s health is classified as special category data under Article 9(1) of the GDPR, and the processing of this type of data requires the application of stricter conditions. While financial transaction data is not typically considered health data, using it to infer health conditions (such as dementia) could potentially transform it into special category data. Financial institutions would, thus, need a separate legal basis for processing this data in such a way. A possible legal basis that could be applied would be explicit consent (Article 9(2)(a)) or perhaps financial institutions could use a lawful justification as their legal basis like vital interest (Article 9(2)(c)), or public health (Article 9(2)(i)).
The safest option for a legal basis from the perspective of both the financial institution and the data subject would seem to be receiving explicit consent from customers before any processing of their data commences. Only the customer knows their situation and making decisions around their financial situation without their explicit consent to do so could pose serious harm to the individual’s autonomy and sense of self-determination.
Additionally, in order for financial institutions to monitor customer spending behaviour as a potential indicator of cognitive decline, the customers would need to give not only explicit consent but also informed consent. Informed consent refers to a more general requirement, set out across various articles and recitals of the GDPR, that any consent given by a data subject (the customer in this scenario) must be based on adequate knowledge of what they are agreeing to. In order to gather informed consent, financial institutions will have to provide easy-to-understand information about the data processing activities they plan to carry out on the data subject's personal data. The data subject should also understand what data is being collected, why it is being collected, who will access it, and how it will be used. Informed consent must be given clearly by the data subject, either through a statement or through an affirmative action such as ticking a box or signing a form.
However, obtaining informed consent from customers could prove problematic for financial institutions. Customers may not fully understand the implications of having their financial data analysed for health reasons, and those already experiencing cognitive decline may lack the capacity to give meaningful consent. This situation could lead to questions further down the line of whether consent was truly "freely given" and informed as required by GDPR.
If financial institutions can actually successfully gather explicit and informed consent from their customers, the challenges do not end there. They then need to consider the actions that should be taken if and when signs of cognitive decline start to appear for customers. Do they contact the customer individually or do they contact the customer along with their next of kin, or their legal representative or their medical practitioner or all of the above? What is the appropriate action to take?
We have Consent: What happens next?
Looking at this from another perspective, AI models are not foolproof and produce diverse levels of error. AI algorithms rely on the data they are trained on. If the data is incomplete or inaccurate, the algorithm will likely produce incorrect results. False positives can occur, where customers flagged for cognitive decline may not actually be ill at all. Awareness of such a possibility may cast doubt over the results of the processing. This raises ethical issues around prematurely initiating discussions or decisions about Power of Attorney (PoA) based on this financial data alone. Misinterpretation of spending behaviour could lead to the customer experiencing unnecessary anxiety or pressure to transfer financial control to their next of kin.
Regardless of whether the results are accurate, being flagged by a financial institution as suffering from cognitive decline is not an outcome anyone would wisely choose. It might become financially appropriate for the institution to limit or deny credit to customers who are flagged as having a high risk of dementia. This could make it difficult to obtain loans, credit cards, or other forms of credit. Even if such customers are able to obtain credit, the institution may charge higher interest rates, as the customer would now most likely be considered a higher-risk borrower. Limiting access to the high-risk results to just the customer and a nominated representative of their choosing would seem appropriate here. If access is limited in this way, however, it is arguable that the bank would be reneging on its responsibility towards the customer by failing to act on important health information.
From the perspective of the financial institution, what is the appropriate action to take if a customer has been flagged as having cognitive decline and, for all of the reasons above, the customer is inclined to reject the finding?
Should they cease and desist, and not contact anybody without the consent of the customer? Conversely, if it turns out that the customer was actually suffering from cognitive decline, and the financial institution failed to act on the information produced by the processing because the customer decided to do nothing, is the financial institution liable for any damages or financial losses incurred by the customer, or by others, as a result of the cognitive decline, e.g. accidents or inappropriate behaviour due to illness?
The legal responsibility and scope of such actions for the financial institution would need to be clearly defined, as acting too quickly or too slowly could have financial and emotional consequences for all involved.
Clearly, the issue of power of attorney is central to this research. The logical consequences, in the majority of cases, will most likely result in the transfer of financial control from the customer to the next of kin or to a reliable agent. Timing the decision to grant PoA is delicate. If flagged too early, the customer might resist transferring control, feeling that their independence is being compromised. Equally, waiting too long might lead to customers losing the capacity to make important decisions themselves, resulting in a legal and emotional scramble for family members or caretakers to secure PoA.
To Conduct a DPIA or Not To?
Conducting a data protection impact assessment (DPIA) is a requirement under the GDPR for certain types of data processing, including processing that is likely to result in a high risk to the rights and freedoms of individuals.
More generally, in the data protection and privacy field, DPIAs are carried out when initiating any new data processing activity, especially those involving high-risk data such as health data or large-scale data processing. Financial institutions would be best placed to conduct a DPIA when considering introducing services such as the service discussed here. A DPIA will help identify any potential risks this new type of processing might pose to their customers. Once these risks are identified, the financial institutions can develop measures to mitigate those risks. Such measures might include implementing stronger security measures, or obtaining appropriate explicit and informed consent from customers, or training staff on data protection principles for customers and especially considerations for older and vulnerable customers.
Conclusion
In summary, while this research could greatly aid in early dementia detection and improve customer protection, it introduces complex ethical, legal, and practical challenges around power of attorney, privacy, and autonomy. Ensuring a thoughtful and cautious approach to implementing these findings is essential to avoid unintended harm or overreach.