Working as a business transformation consultant for over 10 years, I have been engaged in multiple regulatory changes and market initiatives, across a variety of regulations, from EMIR to SFTR to MiFID II. These are driven by regulators with the intention of creating more transparent and secure financial markets.
The upcoming General Data Protection Regulation (GDPR) is a great example of such a regulation, one with a strategic impact that can drive cost and data efficiencies within firms. Given that the impact is spread across multiple functions, including front office, treasury, operations and risk management, it’s pragmatic to help firms approach these regulations in a synchronised and coordinated manner. Businesses should look to identify the strategic opportunities presented rather than simply seeing regulatory hurdles as an additional constraint, cost or obligation for the compliance officer.
It’s surprising that many firms are still rushing to put plans in place to comply with GDPR, with fewer than 100 days until the regulation’s go-live (May 25 2018). It is worth noting that most EU countries already have legislation in place similar to the UK’s 1998 Data Protection Act, with GDPR seeking to harmonise these rules while mandating firms to place additional controls around the data of EU citizens.
In the race to compliance, Austria and Germany are considerably ahead, having transcribed many of the GDPR requirements into national laws, with the UK expected to do so prior to the go-live date, thus ensuring alignment with the EU post-Brexit.
Some of the key considerations for financial firms that arise through GDPR are:
- Holistic client lifecycle management and off-boarding – Financial firms often do not have a holistic view of the client lifecycle across on-boarding, cross-selling, regular maintenance and off-boarding. Too often the focus is on on-boarding and cross-selling, while the maintenance and off-boarding aspects simply get overlooked. Appropriately archiving customer data is as important a requirement of GDPR as collecting and using it.
Off-boarding will now also need to become a priority, as appropriate processes need to be in place to ensure clients’ data is not used without appropriate consent or beyond the expiry of their association with the firm.
- Training and accountability of internal staff – Despite formal appointment requirements for a Data Protection Officer, GDPR currently does not provide sufficient clarity around the accountability and ownership of internal compliance and staff training requirements. It could be argued that this should sit with Sales, Compliance, Operations or Change. In practice, the regulation has business-wide implications that should involve or implicate all areas of the business. Appropriate training of all internal staff within these functions is key to ensure client data is not used inappropriately.
- Not just an EU matter – Although GDPR has always been referred to as an EU-wide regulation, in today’s financial markets, where business operations and customer activities routinely take place across continents, it’s near impossible to avoid the remit of this regulation. According to a recent EY study, around 60% of businesses in Europe have a compliance plan in place as compared to just 13% in the Americas, pointing to a lack of global awareness and uptake.
It would be hard to find any US or APAC investment bank which does not have a UK or EU client, or doesn’t deal with EU Front Office counterparts. These institutions would need to consider a review of KYC processes and client data controls, not only across their investment banking business, but also internally across legal, retail, wealth management
Treasury and the correct approach
Treasury, as a cross-business function, plays a key role in financing needs for trading desks. Implementing GDPR will notably impact the operating model of this function, including appointment of a Data Protection Officer and appropriately actioning data breaches. Notably, since an EU citizen’s data cannot be used unless explicit consent is obtained, the treasury business will need to ensure data is not used across business lines, unless explicitly permissioned to do so.
To get the most value out of these mandatory changes, firms need to start looking at GDPR not as an additional cost and burden to deal with, but rather as a business opportunity to provide additional and improved customer service, across functions and services. They should consider using customer data strategically to:
- focus the right amount of resources;
- develop the right kind of client-centric analytics; and
- deliver the right level of service depending on the customer type.
This, in turn, will help firms understand the return on investment across markets and optimise client servicing costs. Never before has there been a more opportune time to get a handle on a firm’s client data – GDPR is the right excuse to take action.