Banks have just under a year to overhaul the way they handle customer data if they are to avoid big fines. But many of them are privately warning that the challenge is already looking insurmountable.
All companies will need to work out what data they hold on their customers, where they hold it, if they have permission to do so, whether it is stored safely, and how they can extract it in an easily “portable” form or delete it if requested.
These are the main requirements of a new European data protection law that becomes enforceable on 25 May 2018. It affects all companies holding data about individuals in the EU, wherever those companies are based.
Yet consultants say banks face the biggest challenges to comply in time because of the difficulty of changing their ageing and complex IT systems.
“Banks are struggling with legacy systems,” says Chris McMillan, a partner at Oliver Wyman. “From our discussions with chief technology officers at banks, they are concerned the technical challenge may be impossible given there is only a year to go.”
“At some banks, a customer’s data may be held on more than 100 systems, and each of these takes a long time to change, even for a simple change,” says Mr McMillan. “Sometimes even the simplest changes take months and months. Multiply that by a hundred and it becomes a very complicated task.”
He says the smartest banks will try to turn the new law to their advantage by becoming the main data hub for their customers, for instance by offering to check if they are getting the best deal from their mobile phone or electricity provider.
“A bank could see you have a direct debit to a telco and ask you for permission to request the data from the telco to check you are getting the best deal,” he says. “That would be a compelling proposition for a customer, knowing their bank is trying to save them money.”
The stakes for banks are high. Breaches of the rules could trigger fines of up to 4 per cent of a company’s annual global turnover or €20m, whichever is higher.
Oliver Wyman calculated that FTSE 100 companies could have been fined up to £25bn for the publicly known data breaches they have suffered in the past five years.
Scott Vincent, managing partner at consultants Parker Fitzgerald, says that added to the alphabet soup of other financial regulations coming into force soon — including Mifid 2, PSD2 and IFRS 9 — banks face “an enormous challenge” in complying with the EU’s General Data Protection Regulation. He describes a growing sense of “industry panic” about the data protection law.
Some bankers complain they are being pulled in different directions by contradictory regulations. “Your head will be spinning,” Vivienne Artz, global head of privacy at Citigroup, told a conference last week.
She said data protection laws restricting the amount and type of information that can be shared could conflict with requirements to disclose details of any cyber attacks.
Three-quarters of companies believe they face serious challenges in becoming compliant with GDPR, according to a recent survey of 500 IT executives across different sectors for Varonis Systems. At financial services firms, the figure is slightly higher, at 76 per cent.
However, financial firms seem to be taking these challenges more seriously. Only a third of IT executives in the sector say their company has not made it a priority to comply with the law by the deadline. That compares with an average of 42 per cent across all sectors.
Banks also seem to have most to lose. When asked which sector was likely to be made an example of for breaching GDPR, over a quarter of respondents chose banking — more than any other sector.