The General Data Protection Regulation (GDPR) will come into force on 25 May, with the aim of prompting a paradigm shift in the way we think about data, and how it is attained, managed, processed and erased. There’s no doubt that this much-needed new governance will pose major challenges for wealth and investment managers, but will this be a complete revolution for firms, or a mere evolution of the processes they have in place?
Wealth Dynamix joined forces with EY to host a seminar with GDPR experts from PIMFA (The Personal Investment Management & Financial Advice Association), the IRTA (International RegTech Association) and a number of client-facing organisations. The panel looked at the complexities GDPR will pose for an industry that has been built on client insight and understanding.
Roopalee Dave, Director, Wealth and Asset Management at EY, noted that since MiFID II went live on 3 January 2018, GDPR has consumed much of the industry’s attention – and presented multiple obstacles and issues from an operational and governance perspective. But with businesses navigating multiple competing challenges, from squeezed margins through to Brexit, many firms are taking a tactical rather than a strategic approach to adapting to the requirements of this new regulation.
With just over a month until GDPR comes into force, several questions continue to cause concern; on some of these, PIMFA explained, even the regulator is still unclear about the best approach firms should take. Yet as the Information Commissioner’s Office (ICO) assumes investigative powers and the ability to impose sanctions on businesses that do not comply with this impending regulation, the pressure is on for firms to act in the best interests of their clients, regardless of the ambiguities they face.
Delegates were resolute in the need for this new regulation to catch up with the immense technological advances that took place over the 20 years following the Data Protection Act. As Johnny Beloe, Senior Product Consultant at Wealth Dynamix said, “GDPR isn’t the end game – it’s a much needed response to the complexities of the present data environment; an environment which will further increase in complexity as technology continues to evolve, presenting a host of further challenges that will no doubt require further regulatory response.”
So, with a matter of months until businesses need to be GDPR ready, how are service providers adapting to the requirements of this new regulation? The panel agreed that there has been something of a change in mind-set as financial services firms consider their use of client data – but this is not without its difficulties.
Unlike its predecessors, GDPR requires data to be regulated at the outset. In an industry that is driven by client insight, the exchange of personal data is a natural part of the prospecting process. While at this juncture the individuals in question are not yet clients, the relevance of specific information increases as advice is given in the context of this information.
The panel was largely in agreement that health information poses significant complexities for financial services providers. Giulia Lupato, Senior Policy Advisor at PIMFA said, “The level of insight required for financial planning is very different to that needed for insurance purposes. Whether firms are dealing with comprehensive wealth management or tax planning, the health of the customer does come into play. They need to understand how to manage this.”
So, how can they manage this, when the industry is still waiting to see what GDPR means in practice? PIMFA suggested that, for the time being, and lacking alternative lawful grounds, the only option available to firms processing their customers’ health data appears to be explicit consent – it is unclear whether alternative grounds, such as “substantial public interest”, are allowed. A connected issue is whether the need for explicit consent can be bypassed where a vulnerable customer is involved, by relying on necessity to protect the vital interests of the customer. This interpretation hangs on whether a person’s financial stability can be considered a “vital interest”. Both the ICO and the FCA have acknowledged that processing health data is an integral part of a firm’s performance of its duty to act in the best interest of the client, and that the question of the appropriate grounds for processing it therefore needs to be clarified and the ambiguities removed.
The panel discussed the challenges for wealth and investment management firms that typically hold insight not only on individuals but their connected parties, from spouses to children – with additional complexities posed by trusts. Vulnerable clients were a prevalent theme throughout the discussions, specifically the capacity of a power of attorney and the potential to challenge explicit consent due to the data subject’s ill health. When asked whether it would be possible to seek the attorney’s consent in place of that of the individual in question, PIMFA advised that they are seeking clarifications on this point and on the possibility to apply the lawful grounds of protecting a client’s vital interests in these circumstances. While the regulators iron out the questions arising from these complex nuances, the panel underlined the importance of contracts in determining the use of data for the long term.
Roopalee noted that there are differences in clients’ individual requirements and ways in which the industry should respond to these. “Wealth management as an industry, whether investment management or financial planning, the affluent or ultra-high net worth segment, is all about understanding the client and their needs – and this involves a lot of personal client data,” she said.
The panel discussed the breadth of data firms have at their disposal and the importance of considering whether it is fundamental to their ability to provide a wealth management service for clients. In some cases, firms will hold names, dates of birth and details of family members, all of which are part of the wealth management experience. GDPR will prompt firms to take stock and determine exactly what they need for their core business services. If firms don’t need this information, then they should not be collecting it.
IRTA’s Head of Strategic Initiatives, Richard Maton, looked at the implications of opt-in functionality for marketing purposes – specifically as these will have typically been selected by one individual, while products and services may cater for multiple family members. The panel also discussed the potential to review pre-existing marketing processes to determine whether they gain opt-in consent now and the consequences around those clients who opt-out.
The panel agreed that while the FCA and the ICO tussle with the finer details of GDPR, compliance is not enough. Johnny said, “Businesses need to think about how they can demonstrate that they’re being compliant. They need to be able to show the regulator what data they hold and why they hold it, in an easy and immediate way. This requires a shift in processes as well as mindset.”
The industry is following suit, as Ian Cornwall, Director of Regulation at PIMFA said: “PIMFA is working hard to encourage the link between compliance and IT teams who hold day-to-day responsibility for automated processes.”
The wealth and investment management industries centre on long-standing relationships and insight that often goes far beyond the client in question. Firms will face multiple challenges and potentially unforeseen scenarios as this new regulation plays out in practice.
Our second report on the Wealth Dynamix GDPR roundtable will look at the experts’ view on the breadth of GDPR and the best ways to embed this regulation within organisations.