In today’s digital world, the most valuable commodity may not be something you can physically trade, yet its use and how it is regulated affects everyone. The commodity is data.
However, the digital transformation of our world brings the risk of increasingly sophisticated cybercrime. This year's NotPetya attack, which crippled global companies such as Maersk as well as Ukrainian government systems, is just one example, and it put a spotlight on how organisations protect the data they hold. It is against this backdrop that new EU rules governing the ownership, handling and retention of personal data are set to come into effect.
The General Data Protection Regulation (GDPR) provides a common framework for the use of personal data in Europe. In particular, it has far reaching implications for banks, which handle and store vast amounts of data. Failure to meet its requirements will come with potentially hefty penalties. Adding to the urgency, firms face a tight deadline to meet its requirements as it comes into effect in May 2018.
The GDPR poses several regulatory challenges that are unique to the financial services industry and which, if left unaddressed, could make it practically impossible for financial services firms to comply with the new regime by the May deadline. Yet if policymakers clarify the grey areas, firms that prepare early could benefit from implementing some GDPR requirements ahead of the deadline, while at the same time offering greater protection and better services to clients.
GDPR another obstacle in an already complex system
In January 2018, banks will face new specific data requirements under the second Markets in Financial Instruments Directive (MiFID II). MiFID II will affect how the industry records and stores communications, requiring all communications that could lead to a transaction, including the personal data they contain, to be retained for five years (and for up to seven years where a competent authority requests it). Yet when the GDPR comes in, just four months later, its storage limitation principle requires personal data to be kept for no longer than is necessary for the purpose for which it was collected. How will banks reconcile a fixed retention mandate with a data minimisation duty, and document the legal basis for each? Questions like this will require clear guidance from regulators and will then take time for compliance departments to resolve.
Policymakers need to identify the areas of cross-over between such huge pieces of regulation and provide clarity, or compliance will be hampered. The Financial Action Task Force has recently highlighted the link between data protection and countering financial crime, stating that information-sharing is critical for combating crime. But such information-sharing risks breaching the GDPR unless national authorities make use of Article 23 of the GDPR, which allows Union or Member State law to restrict certain data-subject rights and obligations for objectives such as national security and the prevention, investigation and prosecution of criminal offences. Because each Member State may legislate differently, this has the potential to create fragmentation for financial services firms operating in multiple jurisdictions. It is essential that regulators provide clarity on how firms can maintain compliance on this point.
A further example of pending regulation which must be clarified in relation to the GDPR is the European Commission's proposal for an ePrivacy Regulation, which also has the potential to present challenges. It is essential that, as this proposal develops, it follows the GDPR in respecting privacy while allowing data processing for legitimate reasons.
Brexit adds another level of uncertainty to the mix. The GDPR will come into effect ten months before the UK leaves the European Union, so the UK will need to be fully compliant with the Regulation. The UK Government recently released a statement of intent to continue to comply with the regime and to translate the GDPR into UK law. However, whether the UK regime will be deemed equivalent at the time of departure from the EU is uncertain. Financial services firms would benefit from greater certainty on this point.
There is no doubt that additional conflicts and concerns with the GDPR are likely to emerge as the industry works out how to implement the regulation. Transparency and consultation with industry will be essential as the European Data Protection Board (EDPB) finalises its guidelines for implementing the GDPR.
Today’s regulatory implementation, tomorrow’s opportunity
Providing clarity on the points made above would ease implementation of the GDPR and would add value for firms that benefit from early compliance with the regulation. The GDPR is not the only new regulation aimed at governing the evolving financial services industry. Another new EU directive, the revised Payment Services Directive (PSDII), is intended to improve outcomes for consumers by requiring financial services firms to open their data and payments infrastructure to third parties in order to promote increased competition.
PSDII, which will apply from January 2018, actually provides an opportunity for the financial services industry. This directive should allow innovative banks to improve their customer experience, increasing value to corporate customers. At first, the aims of PSDII could appear to contradict the GDPR, since one opens up customer data while the other restricts its use, but they are not in conflict with one another: the treatment of personal data under PSDII remains subject to GDPR requirements, so access granted to a third-party provider must still rest on a lawful basis and be limited to what the service needs. Seen this way, early compliance with the GDPR clearly presents an opportunity.
Change doesn’t stop here: regulating for future success
The GDPR will not be the last regulatory change necessary to meet the needs of Europe's changing digital economy. The financial services industry, along with the technology providers that serve it, innovates continuously, and regulators must keep pace with this change, providing European consumers with safety as well as new services. Regulators need not face this challenge alone; the financial services industry can provide consultative expertise so that policy outcomes strike the right balance between innovation and protection. One notable example, where regulators have successfully sought industry input, is the European Commission's consultation paper 'FinTech: a more competitive and innovative European financial sector'. This sort of approach to regulatory change marks a significant step for policymakers and the industry, allowing them to explore together how technology can continue to support stable, competitive and innovative capital markets.
The brave new world of data presents many challenges for the financial services industry and regulators alike, but if the right approach to regulating technological change is taken, Europe will remain a globally leading financial centre in the future.
This article was originally published by EurActiv on 6 September 2017