A few months ago, I'd posted the following update on social media:
Privacy does not equal Security: Privacy is refusing to give out your mobile #. Security is refusing to give out your debit card PIN #.
To which a friend had replied, "You made it so simple!!"
Then I thought of bank account numbers and realized it wasn't so simple.
If I told you my BAN, it'd only be a question of privacy in India. But in the USA, you could pull out money from my account only on the basis of this info* - *T&C applicable - so it'd turn into a matter of security!
Adding to the complexity is that privacy- and security-consciousness of the average John / Jane Doe vary from one country to another (if not across different regions within the same country).
In my observation, America is not so security-conscious. Millions of people are willing to share their Online Banking credentials with Mint, Geezeo and the new breed of Mobile Money Management Apps (MoMMAs) ostensibly in return for tips to save a few $$$ a year. This is unimaginable in a security-conscious culture like India (apart from being expressly forbidden by banks).
Where, on the other hand, people are not so privacy-conscious and happily give out their mobile phone numbers to virtually anyone who asks for it. Including their banks. Given that so many transactions rely on mobile numbers, I wonder if it's even possible to get a bank account in India without a mobile phone connection (I've never tried). But I digress. Because they have their customers' mobile numbers on file, banks are able - and mandated - to send an SMS Alert every time a credit or debit card is used. This is a great way to control card fraud in India.
Such a regulation is unimaginable in a privacy-conscious culture like the USA, where customers are not required to share their mobile numbers with their banks. As a result, alternative approaches to detecting card fraud have cropped up. Like BillGuard. This approach works in the United States because enough people seem to be ready to hand over their credit card account credentials to this and other third-party services like it.
This is unimaginable (and forbidden) in India!
To avoid going around in any more circles, let me just say that, while privacy surely does not equal security, the distinction between the two is perhaps more complex than I'd made it out to be in my aforementioned post. Just one more thing that makes life interesting for banks and fintech companies designing and building banking systems in different parts of the world!