Regulation | 24 October 2017

GDPR: Bigger than Mifid II for advisers?


Advisers with an eye on upcoming regulation already have one date circled in next year’s calendar: on 3 January Mifid II comes into effect, meaning a substantial amount of work is currently under way for intermediaries and other industry participants in areas such as client reporting. 

But those losing sleep over this should not forget to prepare for another sweeping piece of regulation due in 2018.

Mifid II requirements have become a focus of growing concern within financial services, particularly as many firms appear to have left just a handful of months to prepare for the changes. The associated clamour is likely proving a distraction from a challenge of equal significance: the EU’s General Data Protection Regulation (GDPR) rules, which come into force on 25 May 2018.

This piece of regulation gives individuals new rights surrounding their personal information, including the ability to demand such data be erased in specific circumstances. GDPR also significantly increases the level of scrutiny on how this data is treated by companies. The EU regulation will be enshrined into UK law next year, meaning it will not be affected by Brexit.

The effect of the regulation on advice firms will be substantial, given the amount of information such businesses hold on customers past and present.

“This could have a really serious impact on this industry when you think of how much data is involved and how it’s stored,” explains Rob Walton, chief operating officer at Intelliflo, a provider of business management software. 

He adds that his firm has only had “a few interactions” with advisers about the regulation in recent months, suggesting many are unaware of the task ahead.

The regulation is daunting in its scope. Under accountability and governance principles, firms will be responsible for how they collect, store and use personal data. This includes keeping evidence that adequate processes are in place, including data protection policies, impact assessments and relevant documents showing how such information is processed.

Scrutiny will be applied to whether consent has been granted by individuals for their data to be used – meaning clients must grant explicit permission to companies that use their data, with a demand that this consent be “clear and distinguishable from other matters and provided in an intelligible and easily accessible form”.

Key guidelines

Box 1 outlines four important points for advisers, but these are just some of the requirements. For intermediaries, the initial process of working out whether their activity is compliant with the new rules could be a mammoth task in itself.


One requirement indicating the potential size of the workload involved relates to whether data is stored, and shared, in a secure manner. Jamie Vale, of technology firm StayPrivate, warns that one common way for clients to send personal information to advisers – via email – falls short of requirements for secure storage. This method of sharing data can lead to copies of information proliferating rapidly, meaning advisers may need to make a large backlog of information secure before the deadline.

“If you are sharing information with a customer you need to do it in a secure and anonymised way. Most advisers share that via email, which is not secure,” he says. 

“They are missing the point that if you ask a client to send you a utility bill, there are two copies of that email – one in the outbox of the client, and one in the inbox of the adviser. When you send that to a paraplanner or provider, that’s two new copies [every time]. It’s hard to know where that information is held.”

Given the sheer bulk of client data that already exists, together with the numerous requirements placed on firms by the new rules, identifying the areas where advisers are falling short may prove arduous.

Jon Bartley, a partner at professional services firm RPC, says advisers should begin with a “data-mapping” process, assessing what data is held, and whether proper processes are in place. This could be carried out by the firm, or using external providers.

“Before you work out what your steps could be, you need to know what you currently have by the way of personal data and say ‘what am I holding and what do I do with it across the different functions of the business?’” he says.

A further requirement, for all data breaches to be reported to the Information Commissioner’s Office (ICO) within 72 hours, increases the pressure on businesses.

Erasure: A little respect

Others have pointed to the importance of prioritising different areas. A working group led by Intelliflo has identified the “right to erasure” and its ramifications as a key area of focus for intermediaries. 

While this right does not extend to a blanket entitlement for data to be wiped upon request, individuals can expect to have personal data erased in certain circumstances. This includes situations where the information is “no longer necessary in relation to the purpose for which it was originally collected/processed”.

As such, there are clear instances where advice firms should be prepared to erase data after a certain period of time. This includes the personal information of any individuals who made enquiries with a firm but failed to proceed any further. An alternative solution could be to anonymise the data, a move that would ensure it falls out of the scope of GDPR.

“You should only keep data for use as long as you have a legitimate reason to keep it,” Mr Walton says. “You can’t keep anything that you have for perpetuity.”

The flip side of this is that firms can defend the retention of information in various instances. For example, they can justify holding on to data provided they have a valid legal ground to do so. One example would be where the data is needed ‘for the performance of a contract’, including circumstances where an adviser relies on the information to provide a client with portfolio updates.

However, Mr Walton warns that “grey areas” remain around this right. These include cases where firms that have advised individuals against taking action may need to store this data in case they face legal action related to the advice. The ICO has suggested the right to erasure may not apply in cases where advisers require that data to help defend against legal claims. It intends to clarify individuals’ rights in the coming months. 

Mr Walton explains: “Telling [the client] not to do something is the same as telling them to do something. Someone could still sue you. Those firms are going to have to manage that.”

Another concern highlighted by the working group relates to data accuracy. Under GDPR, firms will have to ensure data they hold on individuals is accurate and up to date. For advisers, this means care must be taken around the information used in financial plans and portfolio valuations.

“This would appear to be an obvious area to highlight, but inconsistencies going forward could lead to big problems for financial advisers further down the line,” the group said in a recent white paper. 

“Clients and regulators alike would reasonably expect such data to be accurate and up to date, since it can easily be made so.”

Tackling GDPR is likely to be a work in progress for advisers, with some specialists suggesting smaller firms with limited resources deal with the most contentious areas before turning attention to less urgent elements of the regulation. The latter may include the introduction of a ‘right to data portability’, allowing individuals to obtain and reuse their personal data for their own purposes across different services.

Larger companies can expect to face greater scrutiny around their level of compliance.

In any case, those falling foul of the rules face some eye-watering penalties. The ICO can impose fines of up to €20m (£18m), or 4 per cent of group worldwide turnover, against non-compliant firms. With little more than six months to go, the clock is ticking.