Data protection compliance: the biggest hurdle facing the back office?
In an effort to improve the protection offered to consumers, and to harmonise data practices, the EU is currently in the process of passing two pieces of legislation: the Cybercrime Directive and the General Data Protection Regulation (GDPR). Few people have given much thought to how these will align with international financial regulation but, if passed, both will have far-reaching consequences for banks and financial services. And with severe penalties for non-compliance – up to 2% of global turnover – firms will want to plan ahead.
Taking the Cybercrime Directive first: this is a fairly straightforward piece of legislation that will compel large institutions in high-risk industries to make a public disclosure when their data security measures have been breached. As financial services is one of the industries in scope, it will have an impact on banks, but the effects are likely to be felt more in the market, in the form of negative feedback loops, than in the back office and compliance. However, banks may still need to broaden their stress tests to include a relevant scenario, similar to SIFMA’s recent system-wide drill, Quantum Dawn 2.
The GDPR, on the other hand, gives rise to a number of clear implementation issues, especially when considered alongside other legislation, such as the 4th Anti-Money Laundering Directive. The Regulation is currently subject to debate between the Council and the Parliament and so remains subject to change. However, assuming that all the proposals make it through, there are five issues that stand out for banks:
Known unknowns
- Will the EU Data Protection Regulation make it through the legislative process before next year’s elections?
- Which of the proposals made by the Parliamentary committee will be part of the final Regulation?
- What will be the impact on market stability of reporting under the Cybercrime Directive?
Firstly, banks will have to think about how data protection fits into their system design and testing process. Under the Parliament’s current proposals, data protection will have to be considered as part of any new system design. This has significant implications for vendors and for banks’ own in-house IT functions, especially at a time when systems are undergoing a number of other revisions in order to remain compliant elsewhere.
Secondly, new regulatory reporting requirements are being discussed. Under these proposals, similar to the Cybercrime Directive, institutions will have to report breaches of data confidentiality to regulators, even where this is accidental. This means that firms may have to revisit their end-user controls and internal reporting processes.
Thirdly, the new regulation will see a strengthening of the rule requiring institutions to have a ‘legitimate interest’ in the data they collect. This means that banks will have to have a justification for all the data items they collect on customers, which comes into direct conflict with requirements to sift through large amounts of customer data (such as for financial crime purposes). It is hoped that a pragmatic and flexible approach will be taken in relation to this exceptional reason for collecting client data, but regulators have yet to acknowledge this as an issue.
Fourthly, the Regulation will have an extra-territorial impact. The requirements will attach to the data of EU citizens, not just to companies based in the EU, meaning that the changes have global reach.
Themes
- Data protection regulation is developing on a parallel track from financial services regulation
- Banks have to hold increasing amounts of data on customers for anti-financial crime, client suitability and regulatory reporting purposes
- Vendors beware – you are subject to the changes as well as banks themselves
- Early warning signs: data protection barriers ahead
Finally, in addition to the extra-territoriality dimension referenced above, there is a potential conflict emerging with non-EU law. Under the regulation, third country authorities will not be allowed access to data except where this is covered by a bilateral treaty. As a result, banks may find themselves caught between a rock and a hard place when being asked to render up transaction and customer data to non-EU regulators. Of course, major jurisdictions are likely to have such a treaty but this may disproportionately affect firms that focus on emerging markets.
Given that banks are currently focused on other regulation coming out of Europe, these particular initiatives may be sitting in firms’ blind spots. This means that, when digging up the road this time around, firms will have to be careful not to embed data protection potholes, or risk going through the whole process again in the near future.
As the title suggests, this is a very early warning: the regulation is still in the early stages and there is the potential for it to be derailed altogether with the summer recess and the elections next year. However, due to the potential for it to interfere with present compliance efforts, the effect of these proposals may be felt long before the implementation date (if one is finalised). And even if this particular piece of legislation does not make it through, data protection is a growing issue. As such, IT and procurement professionals are likely to benefit from flagging issues up to senior management early, before the requirements begin to land in earnest.