Almost two-thirds (65%) of players across the wealth management and private banking market say they are prepared for the EU’s General Data Protection Regulation (GDPR).
This is the key finding of an exclusive survey conducted by Private Banker International (PBI).
GDPR is due to become effective on 25 May 2018. The regulation is set to give consumers more control over their data and will impact every client that is subject to data protection.
GDPR will impact every business that processes or collects data from EU citizens. Failure to meet the regulatory requirements could result in significant penalties of up to €20m or 4% of global annual turnover – whichever is higher.
The legislation will require firms to adhere to a multitude of new rules governing how their customers’ personal data is handled, processed and secured.
To address the upcoming obligations effectively, including the need to respond to information requests within specified time frames, firms will need to ensure they protect their customers' data in a standardised, complete and readily accessible manner.
When asked how prepared their firm is for GDPR, 25% of respondents say their organisation is making progress but still has some distance to go before being fully prepared.
Some 10% of respondents say their company is unprepared for GDPR.
A total of 60% of respondents say the biggest expected consequence of GDPR will be greater transparency for consumers.
While a primary objective of GDPR is to protect clients’ data, only 35% of respondents say they expect the directive to reduce the number of cyber attacks on businesses.
Although respondents expect companies to be more transparent in informing their clients of a cyber attack, this does not mean cyber attacks will necessarily stop.
Data protection officers
One consequence of GDPR may be that companies appoint Data Protection Officers (DPOs), and this was covered in the PBI survey.
The poll asked whether firms were likely to appoint a DPO. The results of this question were inconclusive.
More than half of the respondents, 55%, say they are unsure; 15% say they would not hire one; and 20% say they already have a DPO. Only 10% of respondents say they will hire a DPO.
PBI’s recent interview with KBL epb’s Luxembourg CEO, Carlo Friob, highlighted the impact GDPR will have on the workforce in financial services.
Friob told PBI: “At KBL epb, we have a person in charge of GDPR, someone who was previously in charge of IT security at the bank. Her responsibilities are increasing in her new role – because data protection is a much broader issue than just IT – and so we are strengthening the team around her.”
Meanwhile, the January 2018 issue of PBI featured comments from Dave Elzas, CEO of wealth management firm Geneva Management Group, in which he explained that GDPR is going to involve a whole range of disciplines, not only the legal area.
Elzas said: “It is not only compliance, but also IT and operations. It involves a number of executives at different levels. So we have to reassess where we are going to put that responsibility going forward.”
Communicating GDPR to clients
In terms of communicating GDPR to their clients, 60% of respondents say they are taking a proactive approach and have already discussed the regulation with their customers.
However, 25% of respondents say they had not discussed GDPR with their clients. Meanwhile, 15% were unsure whether they had or had not.
Half of the respondents say they have adapted their IT systems for GDPR, but 45% admit they have not. Some 5% say they are unaware whether any changes have been made to their IT systems in readiness for the regulation.
Friob recently told PBI: “We have outsourced our IT platform [in] collaboration with Lombard Odier, including as it pertains to GDPR. Lombard Odier has created a structure to manage such third-party IT services for us and other bank clients.
“As they add other banks to that IT platform, the cost per unit will decline. Keep in mind that we do not share client information with Lombard Odier. Everything is anonymous; they don’t see who our clients are.”
Respondents to PBI’s GDPR survey were also asked to consider whether GDPR would mean:
- Fewer cyber attacks
- More transparency for consumers
- Greater organisational spend on compliance
- None of these
More than half of the respondents (60%) say GDPR will inadvertently lead to greater transparency for the client.
But 20% of respondents think “None of these” consequences would emerge as a result of GDPR.
Some 15% say there will be greater spend by firms on compliance, while only 5% think that none of these outcomes are likely as a result of GDPR.
PBI respondents were encouraged to comment during the survey on condition of anonymity. One respondent tells PBI: “Complying with GDPR offers clients a higher level of service with more guarantees and thereby gaining more trust.”
“I see two major opportunities regarding GDPR compliance: it will (hopefully) reduce regulatory adjustment costs and make operations more transparent, especially in the wake of digitisation,” said another.
But another respondent is less optimistic. “[GDPR] will create more workload and maybe more job opportunities.”
Reaction to GDPR fines
Under GDPR, firms may face fines of up to €10m or 2% of company turnover, whichever is greater, and up to €20m or 4% of company turnover for more significant breaches.
Yet only 40% of respondents think fines as high as €20m are sufficient to deter non-compliance, according to PBI’s GDPR survey.
In PBI’s January 2018 article, Elzas said bigger firms that may be unable to comply by the GDPR deadline might be willing to pay fines – temporarily – in order to buy themselves more time.
“They might take a different view and say the cost of organising is such that we will take a risk for a limited period of time and gradually try to improve our processes so that [we] will be compliant by [a] later date.”
But a London-based senior private banker, who asked to remain anonymous, recently told PBI: “Big banks have, of course, much deeper pockets and they will make sure that every bit is compliant. And the work has already started in the background in terms of the budget that has been allocated.
“Whether it is small or big, it is the reputational damage that it does to the firm. Just because it is a small €10m fine, big banks will not shrug it off. It is a reputational damage.”
PBI survey breakdown
Of those who responded to the PBI survey, 70% work at private banks or wealth managers. Other contributors included wealth management solutions providers and advisory companies.
The majority of respondents (70%) polled in PBI’s GDPR survey are based in the UK, with 10% in the EU and 20% in the rest of the world.
PBI conducted the survey between December 2017 and February 2018.