A new study led by Dr Sarah Zhang from Alliance Manchester Business School has uncovered how small banks in the United States are reacting to growing concerns about data privacy.
The research published in the Journal of Corporate Finance shows that when US states announce plans for stronger data privacy laws, small banks quickly boost their investment in IT before such laws are even passed. On average, banks increased their IT spending by more than a third in the year following such announcements.
The study examined 7,251 small banks across the US, using data from 2010 to 2021. The findings reveal that banks are not simply preparing to follow new rules but are also responding to market pressure - in other words, competition from rival banks and the fear of losing customers drive much of the investment.
This shows that banks are aware of how seriously the public takes data security. High-profile cases of data breaches in recent years have damaged trust in financial institutions. When banks move quickly to strengthen their systems, it reflects growing pressure to protect personal information such as names, addresses and account details.
This research also highlights that new rules can change behaviour even before they officially come into force. The effect is particularly strong for smaller banks, which face greater challenges because they have fewer resources. While big banks often already have advanced IT systems in place, small banks are forced to catch up quickly, which can be costly.
Interestingly, the study found that although banks are spending more on IT, the benefits are not immediate. Profitability often dips because of the high costs, and there is little clear evidence that the extra spending reduces cyberattacks in the short term. However, the long-term hope is that stronger systems will reduce risks and build trust with customers.
Although the study focuses on the United States, its findings are highly relevant worldwide. In Europe, the General Data Protection Regulation (GDPR) has already transformed how businesses handle personal data. The study suggests that even the early discussion of new laws can spark major changes in how companies prepare for the future.
As more countries and regions introduce stronger privacy protections, the study raises questions about how smaller financial institutions will cope with the cost of compliance. While consumers may benefit from improved protection, the financial burden may be felt most by smaller banks, which could in turn affect the services they provide.
The research provides valuable insights for policymakers, banks and the public. It underlines that the debate over data privacy is not only about regulation but also about competition, trust and the future of banking in the digital age.
