Whether or not banks physically leave the UK in the coming months, cross-border data handling is a growing issue no financial institution can ignore.
Whatever incentives the UK government might offer to try to keep European and global financial centres in London after Brexit, a number of banks are already looking to relocate to alternative bases within the EU. Even if they don't ultimately make the break, the prospect of Brexit is forcing them to face up to some tough truths - from how loyal their staff are, to whether their data is portable.
Moving data is a serious undertaking for any sizeable organization. For a bank, it's particularly daunting. How would they do this without downtime, without interrupting data access? And what if the new target territory has tougher data privacy laws, placing additional restrictions on where data is allowed to go and what it can be used for?
Frankfurt, for instance, is one of the popular alternative destinations for UK-based banks, yet Germany has very strict laws governing what can happen to customer data (it's why Amazon Web Services had to build a data centre there).
Any bank contemplating a physical move - whether it predominantly uses its own data centres, or a combination of on-premises and cloud facilities - will need to explore how tied in it is to its current location and set-up. Physical data migration is a huge and risky undertaking, particularly for live transactional data. It can be expensive too.
Even if they plan to stay put, financial institutions will need to consider how such fundamental changes to the EU might affect the way they handle data. In Germany, restrictions mean disaster recovery provision can't extend beyond national boundaries. They also prevent analytics from being performed on residents' data using a cloud service in another country. That includes local fraud detection - for example if a German customer is traveling and spending in the US, and the bank needs to monitor transactions in the US for signs of unusual activity.
Control is what counts
Brexit isn't the only factor with a bearing on data privacy considerations. Recent and looming changes of government in several countries could continue to affect data privacy parameters globally. So banks need to assess how easily they'd be able to adapt if requirements alter in markets home and away.
It is not a stretch to imagine this happening. The current attempt in the US to overturn internet privacy rules and allow ISPs to sell on consumers' internet browsing history has caused uproar, and triggered new debate about what's acceptable. If this sort of practice becomes the standard, what's to stop banks sharing insight about customer purchases - for example as a harder metric to show brands when targeted social media adverts result in a product purchase?
It is difficult to imagine the public buying into this, especially when their relationships with banks rely heavily on trust, but it's an indication of how far things could go without adequate consumer safeguards. The inevitable backlash against greater commercial freedom is likely to lead to new measures being put in place to protect user anonymity, whatever entrepreneurial freedom governments might be offering businesses now. (And UK-based banks are kidding themselves if they think Brexit will exempt them from the EU's General Data Protection Regulation: unless the UK can offer adequate assurances around privacy, other countries will stop allowing data to be transferred to British shores.)
To cope with requirements that differ from country to country, banks need to be able to segment data readily and intelligently, so they can observe the respective rules, stay compliant and maximize market opportunity. The only way most institutions can separate data today is by writing custom scripts to partition it - a laborious and complex task which requires that all the criteria are known ahead of time. Without getting too technical, a better approach is "selective replication" - where it's possible to choose and readily control which data can be moved or replicated somewhere else, for example for disaster recovery or analytics purposes. It's certainly something banks should be looking into as they consider broadening their options.
No one really knows how any of this will pan out, so being ready to adapt is banks' best risk mitigation strategy.