Data protection
Apr 18 2018

FCA rules trump EU data deletion law

Advisers won't be expected to delete client information under incoming right to erasure rules if it is subject to a record-keeping requirement set by the Financial Conduct Authority (FCA).

The FCA handbook specifies advisers must keep sufficient client information for the regulator to be able to monitor the firm's compliance, including all services and transactions undertaken by it.

New rules introduced as part of the European Union's General Data Protection Regulation (GDPR), which is to be enforced on 25 May, will allow clients to ask for their personal information to be erased.

This has led to some concern among advisers that clients could abuse this rule to weaken the adviser’s position before bringing a claim for compensation.

But the regulators have clarified that UK regulatory rules would come first when requests for file deletion are received.

The FCA points firms in the direction of the Information Commissioner's Office (ICO), which oversees compliance with these rules, and has issued guidance stating firms can refuse to comply with a request for erasure if this is for the "exercise or defence of legal claims".

It is understood the right to erasure does not provide an absolute 'right to be forgotten'. 

Instead, the broad principle underpinning it is to enable a person to request the deletion of personal data where there is no compelling reason for this to be kept, for instance for marketing purposes.

A spokesman for the Financial Ombudsman Service (Fos) said: "Generally, when a business receives a request to delete data, they should consider whether that request is reasonably in line with their usual data retention policies and if the data is something that can be deleted. 

"It could be that a client had previously provided lots of medical information, that was not related to the services being provided by the adviser.

"If the client then called for their details to be erased, there would be a case for the adviser to delete the unnecessary medical information, but not for instance a suitability report it may have put together for that client."

Mark Loosmore, executive general manager at technology firm Iress, said advisers could be in danger of breaching data rules because they are not organising their back office appropriately.

Recent research carried out by Iress found 70 per cent of advisers were keeping client files on different servers, while almost all the firms it spoke to used paper records for parts of their processes.

He said: "If using paper records there is still the whole question around how a firm would manage the right to be forgotten element of the General Data Protection Regulation quickly and efficiently and within the deadline set by the regulator. 

"In today's world business should have all of their client records safely stored and encrypted in a well-protected data centre.

"General Data Protection Regulation is forcing people to change. Now advisers need to get organised."

Advisers welcomed the ombudsman's "sensible" stance on the matter but warned there was still reason to be cautious.

Scott Gallacher, chartered financial planner at Rowley Turton, said the Financial Ombudsman Service's example of medical information versus suitability reports was "fine but for the know your client requirements."

He said: "Without access to the full client file, as opposed to a redacted version, it may be difficult for the adviser to recall, and argue why, they didn't recommend [an] alternative course of action."

Paul Stocks, financial services director at Dobson & Hodge, also thought precedent would need to be set on this before rules become fully clear.

He said: "Things like 'there would be a case', 'certain times', 'consider', 'debateable,' etc, suggest it is going to be a grey area."

Iress's Mr Loosmore said there were ways to 'soft-delete' client files, meaning files were effectively hidden but not deleted and could be recalled when needed.

Ricky Chan, director at IFS Wealth & Pensions, said: "Technically it is very easy to do but we also hold at least a back-up copy of files, so we would have to go into our archives to also delete the files if a reasonable request came in."

He said more clarification was needed, alongside a pledge from the ombudsman it will take erasure requests into account when adjudicating disputes.

He said: "I don't expect many erasure requests, but on the off-chance we do, I would welcome support from the FCA and Financial Ombudsman Service to enable us to stand up to these requests if we feel that it is unreasonable or would compromise our duties."

carmen.reichman@ft.com