Three FinTech Companies That Used Privacy By Design Principles To Offer A Unique Value Proposition To Customers

Photo by Matthew Henry on Unsplash

Privacy By Design Principles

In the 1990s, Anne Cauvokian introduced privacy by design (PbD) principles that could strike a balance between big data analytics and individual privacy. The principles are outlined below (A. Cavoukian, Operationalizing Privacy by Design: A Guide to Implementing Strong Privacy Practices):

  1. Proactive, not reactive; preventive not remedial
  2. Privacy as the default setting
  3. Privacy embedded into design
  4. Full functionality –  positive-sum, not zero-sum
  5. End-to-end security – full lifecycle protection
  6. Visibility and transparency – keep it open
  7. Respect for user-privacy – keep it user-centric

Next, I will highlight some privacy-focused innovation start-ups that have adopted Privacy by Design (PbD) principles to innovate and offer a unique value proposition to customers.

Let’s look at MY PINPAD, iProov, and Privitar.


MY PINPAD has strong PbD principles such as user-centric PbD and full end-to-end security. MY PINPAD offers a PIN-based authentication system that is not reliant on PCI-certified payment hardware, reducing complexity and transaction costs. MY PINPAD solution resides on smartphones and tablets and is a convenient way to pay. A report by LexisNexis (2015) showed that while mobile payments accounted for 14% of the online payments in the US, but they also accounted for 21% of payment frauds.  Further, mobile is growing as a preferred platform for eCommerce, and customers are demanding a better customer experience with higher confidence in privacy and safety. Hence, FinTech’s have a unique opportunity to provide a connected experience in a multi-channel digital age. MY PINPAD achieves this high level of security and ease of use by doing two things well (MYPINPAD):

  • Bypassed the need for a hardware solution where a PIN can be stored in memory buffers or captured via keyboard buffers
  • Tokenization of PIN on the personal mobile device renders the PIN unreadable and unrecoverable

The solution provided by MY PINPAD opens doors to use other forms of authentication (e.g., biometrics) in the future through its solution. PSD2 (the second Payment Services Directive) in EU states made way for a third party to access and authenticate customers via their bank account to make payments. This directive broke the monopoly of banks on customer’s private information and suppered innovative business models to reduce payment frauds and online identity thefts (Nexus Group).


iProov has privacy embedded in the design. iProov offers an online identity system that ensures that the online person is the right person, a real person, and is genuinely present now. iProov’s facial recognization system uses facial recognization technology to create a one-time biometric of the person. It is simple to use and relies on flashing multi-color lights while taking facial biometric. The picture taken is checked against the one stored in the cloud to grant or deny access to services. iProov follows PbD principles as it doesn’t need to know who the person is; the personal information is stored with the bank. Hence, privacy is embedded into the design. Two key benefits of iProov’s technology:

  • Protects the user against “reply attacks” for facial recognization, also, the technology is capable of recognizing deep fakes and hence it protects user identity
  • Enhances customer experience as it does not rely on the user to move face or change direction while taking the facial biometric

Facial recognization technology (FRT) depends on both privacy and consent. The use of FRT is a grey area in many jurisdictions; for example, in the UK, FRT retains such data for only those who are on the watchlist. A bigger problem with FRT is that it is not without problems, and could be error-prone with gender and racial bias (Ruppert). iProov claims that no competitor has been able to crack their technology, and as such, it complies with the laws (GDPR, AML, and PSD2 standards) for customer authentication.


Privitar complies with PbD principles and offers a solution that anonymizes the customer’s sensitive data. Privacy and trust are related. A customer trusts a company to keep his/her information private, but not wants to make sure that his personal information is not used for any secondary purposes. Often consent is assumed by a company, and data is utilized for secondary marketing purposes. For example, Target utilized historical data of a teen girl and analyzed it to send her coupons for various stages of pregnancy, and this was a big invasion of customer privacy as Target knew that the girl was pregnant before her father did (Hill). Privitar reduces data exposure at a minimum at various stages of the data lifecycle. The company achieves this in two ways:

  • Tokenizing the data
  • Restricting access to it via APIs

The company offers a data privacy platform that meets the regulations and internal privacy policies to anonymize data for machine learning and artificial intelligence purposes. With GDPR, companies have to use customer data responsibly or face fines and other legal consequences. Privitar solution two key benefits:

  • Compliance with GDPR and HIPAA (Health Insurance Portability and Accountability Act)
  • Data is watermarked to facilitate auditing and data lineage. In case of data leak or theft, the source of the leak (whether internal or external) can be traced.

Privitar solution ensures that data utility is maintained while ensuring customer privacy and respecting customer consent.


Therefore, privacy and security can be key drivers for the success of FinTechs, and the laws and regulations that pertain to privacy and cybersecurity can act as a catalyst for developing innovative business models.

#FinTech #DataScience #Privacy #Innovation #CX #CyberSecurity

A Guide to Implementing Strong Privacy Practices by Ann Cavoukian
General Data Protection Regulation
Hill, Kashmir. “How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did.”
Ruppert, Kendal. “Clearing up the facial recognition debate identification vs. authentication.”
Nexus Group. “PSD2 (the second Payment Services Directive) explained in 3 minutes”
LexisNexis.”True Cost of Fraud Study”
Image Credit: Cover Photo by Matthew Henry on Unsplash