New EU Data Law A Major Hurdle For Financial Firms

By Tom Ivell and Barrie Wilkinson
This article first appeared in BRINK on August 3, 2017.

As the volume of data generated about individuals grows, technology makes it ever easier to transfer that data, and ever more powerful analytics extract valuable insights from it. How companies collect, process and protect data on their customers, staff and suppliers has become one of the biggest debates of our decade.

On the one hand, digitization brings opportunity: to enhance the customer experience, to drive down costs, and to create new business models built on digital assets. On the other, it creates a raft of new threats, whether from competitors who use their own digital assets to disrupt existing businesses, from cybercriminals able to steal or “spoof” digital identities, or from fraudsters who infiltrate the digital economy to perpetrate large-scale financial crime.

The General Data Protection Regulation (GDPR), due to take effect in May 2018, is one of the European Union’s legislative responses to this development. GDPR sets a common standard for how firms that operate in the EU must protect the personal data of their customers, employees and suppliers. From 2018 onward, individuals will have a range of rights that give them greater control over their data (such as the “right to erasure,” also known as the “right to be forgotten”), while firms will face new obligations (including capturing and recording unambiguous consent for the use of personal data).

GDPR Presents a Major Challenge to Financial Services

The more data a firm collects, processes and shares with other data controllers, the more significant these requirements become. Financial services firms typically serve thousands, if not millions, of clients; deal in complex products that require access to customer data and frequent customer interaction; and often employ a large and geographically dispersed workforce.

Financial services firms are also beset by a number of long-standing challenges, including:

  • Outdated and patched-together systems resulting from several waves of consolidation, saddling firms with duplicative customer data across multiple systems.
  • A history of barriers to entry, prompting competition authorities to force banks to open up and give third-party service providers access to customer data.
  • Years of margin pressure pushing firms towards greater use of outsourcing, with sensitive data being sent to third- and fourth-party providers.
  • Record fines and losses for anti-financial crime failings, leading to a culture of collecting as much information on customers as possible.

Financial firms now face the task of reaching regulatory compliance in the short term while preparing themselves for the privacy requirements of the future. This end state can be reached in manageable, logical stages, as outlined in the accompanying graphic.

Read the joint report, Future Proofing Privacy: GDPR Compliance in a Networked Banking System, by Tom Ivell and Barrie Wilkinson (Partners, Oliver Wyman) and Ben Helps (CEO, Factern).