Phil Rolfe, Financial Services Director at P2 Consulting
Two giant pieces of legislation are facing the financial industry this year. This is nothing new for financial organisations – banks, pension funds, asset managers, amongst others. They’re old hands at regulatory adherence. The difference with GDPR – which comes into effect in May 2018 – and PSD2, which became a legal obligation in January 2018, is that, in some respects, they are two sides of the same coin.
The data protection angle…
GDPR is all about understanding the risk and exposure around customer data, which is crucial for financial institutions. Most firms hold records that are of real value to the customer, so any breach has a massive impact from a reputational perspective and also financially, as they are liable to giant fines if they are found to have poor controls.
GDPR will have a significant impact on the sales and marketing functions of financial firms, which will be challenged to prove customers have given their absolute consent that they are happy to be marketed to. Simple enough on the surface, but it actually poses a massive challenge, given the over-reliance of many organisations, banks particularly, on legacy architecture and the fact that they have multiple data repositories. It’s not only data stored in the UK – many firms have offshored business processes, so customers’ data can be stored or accessed in different jurisdictions around the world. Wherever the data of European customers is stored, GDPR applies. GDPR compliance is complex and its implications are far reaching.
GDPR may also test our ‘special relationship’ with the USA, as an American-based company selling to a European customer is caught by GDPR, so it has to meet the standards, even when data is held outside Europe. Some of our colleagues from across the pond are already asking questions and the answer will be a nasty surprise to many.
PSD2 – the yin to GDPR’s yang?
One of the biggest challenges for the safe implementation of GDPR processes is PSD2, the legislation aiming to boost competition in financial services. PSD2 dictates financial firms have to open up their architecture, using Application Programming Interfaces (APIs), to share relevant information with third parties.
This may conflict with GDPR and, as a result, there is a complex Venn diagram emerging between the two regulations. Everyone understands the need to increase competition in financial services, but PSD2 could be seen as being in conflict with the core principles of what GDPR is attempting to do. An interesting dichotomy between data control, risk awareness, competition and being compliant has arisen.
Do customers care?
Of course not – to them it’s just white noise. Customers don’t understand the different directions firms are being pulled in – they just want to access their savings, pensions, investments and accounts in an easy way and they want protection from criminals, in their many guises. Financial companies are really trying to improve the customer experience, but it is a challenge within the realms of this complex regulatory environment.
There is a real desire to improve – firms are introducing measures such as iris and retina scanning, face, fingerprint and voice recognition – great for millennials, but seen as gimmicky by more mature customers. There is a big generational push and pull which influences the security measures implemented to satisfy GDPR requirements.
Last year’s Uber security breach was a lesson for everyone – if the company had been penalised under GDPR, it would have cost 4% of the company’s turnover, over £0.5bn. Uber paid the hackers’ ransom on the understanding they would destroy the customer data – it was a complete breach of lots of different regulations.
The Information Commissioner’s Office (ICO) isn’t making everyone jump through GDPR hoops for fun. We need to learn from hacks like the Uber breach – if we don’t, hackers can use that same technique again and again. Corporate governance and security are struggling to keep pace with advances in hacking, as the prize for cyber criminals is enormous. You need to invest for GDPR, because if you don’t, hackers, customers, competitors and the regulators will come after you.