Boiling the Ocean

Europe’s new data regulation, due to come into force in May 2018, places wide-reaching demands on banks to reappraise and revamp their data gathering and storage efforts. Many are struggling with the scale of the task.

For banks and other financial services firms with customers in the European Union, it is an operational challenge of almost unprecedented scope: the EU’s General Data Protection Regulation (GDPR) – due to enter into force in May 2018 – will require all of them to undertake a root and branch review of how they handle, process and govern the use of customer data across their entire organisations, raising a host of operational, legal and technology risks. Several of those affected will not be ready in time.

GDPR represents the biggest overhaul of European data privacy law for 20 years. It replaces the existing Data Protection Directive, brings in new rights for consumers governing how their data is stored and used, and enshrines in law the ‘right to be forgotten’ – the right of a citizen to request that personal data held by a firm is erased. Where firms suffer a data breach, for instance as a result of a cyber attack, they will be required to notify their regulator within 72 hours – something authorities hope will remedy current under-reporting of cyber breaches.

Need to know

  • Banks admit they will struggle to be fully compliant with the EU’s General Data Protection Regulation when it takes effect in less than a year’s time.
  • The regulation will transform the rules around how firms retain and share customer data, forcing them to obtain explicit client consent to do so.
  • That will entail a vast repapering of existing contracts with customers and external vendors – an exercise few banks expect to have finished before the May 2018 go-live.
  • Some hope regulators will show forbearance; the UK Information Commissioner’s Office has signaled it may allow firms to amend contracts on a rolling basis, rather than in one go.
  • Others take little comfort from this, pointing out that banks will face a heightened risk of litigation after future breaches regardless.
  • Banks also admit they are struggling to find the right people to oversee the new role of data protection officer, with some favoring IT expertise over an op risk background.

For banks, that is a problem. Given that personal data flows throughout financial institutions, GDPR touches on almost every aspect of how they run their business. Some give an honest assessment of their readiness to comply: “The biggest challenge around GDPR is that the legislation is so voluminous. We did a gap analysis and found we’re not complying with any of it,” says one London-based operational risk specialist at a non-European bank.

Risk.net spoke to around a dozen practitioners at banks, law firms and consultancies to build up a picture of how firms are focusing their implementation efforts. Three key challenges – analyzed below – are mentioned most often: repapering – the redrafting of existing contracts with external stakeholders, including clients and vendors, to take account of the regime’s stipulations around data sharing and retention; governance – who they put in place to oversee compliance on an ongoing basis; and regulatory monitoring and oversight – the challenges they face in meeting regulators’ expectations.

The regulation is explicitly extraterritorial, requiring non-EU firms that process large amounts of data relating to EU customers to comply. To add spice, GDPR comes with potentially enormous fines for non-compliance of up to 4% of an organisation’s worldwide annual turnover.

Work to be done
Advisers say large retail banks, which are used to dealing with and protecting large volumes of sensitive customer data – as well as being more sensitive to the reputational impacts of major data breaches on consumer-facing business lines – tend to be more advanced than investment or corporate banks, for whom personal data protection has been less of a priority. However, across the board, consultants and advisers say there is a great deal of work to be done.

“Our research shows an awful lot of banks are not prepared; or, because of the volume of other regulatory changes they are facing, this isn’t at the forefront of their thinking,” says Nic Gordon, an associate director in the Boston Consulting Group’s technology advantage and financial institutions practices, based in London. “Some of the more advanced banks have plans, but many have an awful lot to do to be compliant in the limited time available.”

For many firms, GDPR will potentially force investments in IT systems running into the hundreds of millions of dollars. For instance, financial institutions must have proper processes in place to classify, track and, if necessary, delete personal data.

“If processes are manual, they might not be sufficient and may need to be digitized,” says Michael Woodson, former information systems security director at State Street. “More broadly, firms may need to re-calibrate processes and re-engineer how they do business to be compliant.”

The first step financial institutions are taking is to understand how compliant they are with existing legislation, including a gap analysis to identify potential holes in their compliance with the provisions of GDPR. For some banks, this will amount to a sober assessment of what elements they can comply with in the remaining time available.

“To comply with everything is effectively like trying to boil the ocean – so we took a risk-based approach, and decided that while we needed to go hard on certain things, we could go a bit lighter on others,” says the op risk banker. He cites the shoring up of controls over sensitive personal data as an example of the former, and the systematic destruction of all paper records kept by staff as the latter.

Flexibility
There are signs some supervisors may adopt a degree of flexibility in their interpretation of the rules, come next May. In the UK for instance, the Information Commissioner’s Office (ICO) – the public body responsible for protecting information rights and data privacy – is understood to have advised firms they need not have redrafted contracts to take account of all GDPR’s data sharing and privacy stipulations by next May, but can instead renew them in the course of regular business.

Will everyone be ready by May 2018? Most of those working with banks think not – and the recent history of financial sector regulation suggests to some that regulators may be seeking an early scalp or two, rather than pushing back the deadline.

“I doubt if regulators will want to delay [implementation] – this is personal data, after all. I suspect regulators will try to make an example of one or two household names,” argues Gordon, recalling recent big fines for anti-money laundering violations and sanctions violations.

Consultants say they expect the German and French regulators to take a relatively hard line on enforcement, while expecting the UK’s ICO to show greater forbearance – at least initially. The ICO declined to comment on its planned approach to enforcing GDPR, stating only that “businesses and organisations should be preparing for the GDPR to come into force on 25 May 2018.”

Fundamentally, regulators are expected to be understanding of those who are well advanced, with plans in place, and who understand what they need to do. That does little to counter the heightened threat of litigation banks could face once the rules take effect, however.

“We’re hearing regulators won’t be treating it as a cliff edge,” says James Drury-Smith, financial services data privacy director at PwC in London. “But, if someone complains, or if there’s a loss of data, they will have to investigate that. If they find you haven’t made significant progress on GDPR, or if they find unforgivable gaps in your controls… they will have to take action.”

Anthony Kirby, a partner in EY’s regulatory reform and risk management practice in London, also cautions that regulators themselves may not immediately be in a position to crack the whip. “It’s an open question as to whether regulatory systems will be ready,” he suggests. “Will member states be able to receive the data and understand the processing requirements sufficiently to ask banks to document GDPR compliance?”

It remains unclear how quickly fines will escalate from the current relatively low levels – a maximum of GBP500,000 (USD647,000) in the UK – to the enormous potential penalties under GDPR. It is also unclear what other sanctions regulators might apply to banks out of compliance with GDPR.

“Supervisory authorities have really wide-ranging powers in addition to levying fines,” says Drury-Smith. “These include being able to conduct audits, access premises and equipment, and order organisations to provide information and bring their operations into compliance with the GDPR, which can include a ban on data processing, rectifying or deleting personal data. So in addition to the fines, the consequences can be quite serious. This is in addition to the risk of litigation from individuals and/or groups representing them.”

Kirby agrees it is possible – but again unlikely, at least initially – that financial services firms might be forced to suspend the lines of business involved until problems are addressed.

“In practice, if you had a breach, it would cause firms to scrutinize their service-level agreements in place with customers or suppliers, and consider adopting more formal procedures” – such as seeking indemnification for consequential losses in their data processing agreements, he says.

Read more on the key steps to GDPR compliance in Part 2.
This article was first published in Risk Magazine and on risk.net.

Mark Nicholls is a contributing writer to Risk.net. He was previously editor of Asia Risk magazine, before founding Environmental Finance.