The controversy surrounding Facebook and privacy issues has made news headlines. However, data brokerage and the misuse of information is nothing new.
The subtle manipulation of the way in which users respond to certain information stimuli is currently a hot topic of conversation. This after the recent Facebook/Cambridge Analytica scandal literally broke the internet in a way that no amount of funny cat video footage has ever managed to do. Whilst it certainly is no surprise that Facebook users find this kind of intrusion on privacy and thought manipulation to be exceptionally disturbing, it is interesting to note that many people consider this to be news, when in fact, it has been going on for a very, very long time. The only difference being that it was called by a different name.
The truth is, data or information brokers have been around and doing business for almost as long as the internet has existed. It’s a multi-billion dollar industry and it’s not bound to come crashing down anytime soon. In many ways, the need for this type of intellectual trade is fuelled by everything from over-supply to economic recessions.
Companies have become increasingly more desperate to get a grip on effective marketing in order to sell their products to the best possible target market. Making the most profit from the least amount of effort and capital input has become the driving force behind every conceivable marketing strategy under the sun.
Information Is Money
Data brokers collect everything from census information, motor vehicle and driving records, court reports and voter registration lists, to medical records and internet browsing histories. The idea is to gather as much information about every conceivable human profile as possible.
This information is then categorised and grouped into typical market profiles, providing an in-depth analysis on everything from religious affiliation, political affiliation, household income and occupation to investment habits and product preferences.
It doesn’t require a technological genius to see why this information is worth thousands of dollars.
No Control
Individuals are usually not able to determine exactly what is known about them by data brokers. Most data brokers hold on to the information that they have obtained for an indefinite period of time. Loosely translated: the information may very well never go away. Part of the efficacy of the gleaning process is that historical information can be compared with the latest information in order to better determine customer trends as well as the rate at which certain dynamics evolve.
A very scary thought indeed, especially considering that entities like social media giant Facebook still consider allowing companies like Cambridge Analytica to continue trawling its pages from an insider’s perspective, knowing full well that this is the case.
More Than Marketing
Moving away from the manipulative marketing point of view, information in general can be a very sensitive issue. The truth is, somewhere along the line, many of us have dabbled outside the borders of a marriage or relationship or have even discussed sensitive information relating to criminal behaviour and activities with contacts via instant messaging apps.
It’s safe to say that most of us would pay considerable amounts of cash in order to protect information of this nature, especially since the leaking of this information to interested parties can have dire effects on the very quality of our lives.
When considered in this light, blackmailing activities become a real and imminent danger, no longer something found only in crime and drama series on television. There’s also the risk of users’ information being used in scams, and con-artists are well versed in identity theft and assuming other people’s data as their own.
It’s Free For A Reason
People have long been aware of the many dangers of over-sharing information on social media. Many people have fallen prey to identity theft and have lost everything but the clothes on their backs because of it. Imagine the dire nature of the situation now that the problem is no longer criminals trawling social media pages that have not been sufficiently hidden from the public eye, but that sensitive information is instead being handed over on a silver platter, for a minimal fee.
The question begs: is Facebook more than just a social media platform? Or has it been headed towards being a modern-day surveillance tool all along?
Perhaps there is a more sinister reason than meets the eye behind the fact that it’s free, and always will be.
With one in three bank staff now employed in compliance, and financial institutions groaning under the pressure of an ever-increasing regulatory burden, 2018 is set to be the year that RegTech rides to the rescue, stripping out huge cost from banks’ processes.
In the same way that nimble start-ups introduced FinTech to the financial sector, the stage is now set for the same tech-savvy entrepreneurs to apply the latest technology to help tame the regulation beast.
The challenge is even more pressing now, with the arrival of an alphabet soup of blockbuster regulation including GDPR, MiFID II and PSD2, which will stress institutions like never before.
What is RegTech?
Deloitte has set high expectations for RegTech, describing it as the use of technology to provide ‘nimble, configurable, easy to integrate, reliable, secure and cost-effective’ regulatory solutions.
At its heart is the ability of ‘bots’ to automate complex processes and mimic human activity. And RegTech start-ups are already using robotic process automation to translate complex regulation into API code using machine learning and AI.
The holy grail of RegTech, however, is to strip out huge layers of cost and dramatically lower risk by developing and applying complex rules across all business processes in real-time, automating what can otherwise be an expensive and highly labour-intensive job. Simply put, RegTech promises to do the job faster, cheaper and without human error.
Behavioural analytics
Just like its FinTech cousin, RegTech is already being used for a surprisingly wide range of applications. For example, banks are using behavioural analytics to monitor employees, looking for unusual behaviour patterns that may be a tell-tale sign of misconduct.
Brexit will also present a golden opportunity for agile RegTech start-ups whose tech solutions can adapt and transform quickly according to the new regulatory landscape, while traditional institutions struggle with the pace of change.
Unlike FinTech however, which has largely been focused on B2C solutions, RegTech start-ups have to work much more closely with traditional financial institutions. That’s because capital markets are a highly complex, regulated area, where institutions are cash-rich and where access to funding is critical if vendors want to disrupt.
Bespoke solutions
Traditional institutions are also more likely to need solutions that are specifically tailored to the challenges they face, rather than the one-size fits many approach developed by FinTechs. For example, they rely on many different data systems, and this torrent of data often makes it difficult to compile reports to deadline for regulators – a perfect challenge for a RegTech start-up.
RegTech could well be the cavalry, riding in to save the investment management industry from the increasing amount of data being produced that financial regulators want access to. A significant amount of this data is unstructured, making it difficult to process, which adds a greater level of complexity. The flow and complexity of this data is only going to increase, and with it the challenge for banks.
Financial institutions are increasingly pulling out all the stops to crunch data and meet the regulator’s next deadline and in this high-pressure environment teams are not necessarily developing the strategic overview needed to streamline their IT architecture in order to reduce operational risk.
Compliance at speed
RegTech promises to automate these processes, making sense of complex interconnected compliance rules at speed, making compliance more cost effective, while reducing the chance of human error.
It also promises to dispense with the current time lag between a period end, the collection of data by the institution and assessment by the regulator – a process that is always backwards looking.
Under the RegTech model, powered by data analytics and AI, information is in real-time and self-correcting to ensure the regulatory process remains dynamic and relevant.
The scale of the advantages promised by RegTech is such that banks successfully harnessing its power will strip out huge amounts of cost from their processes, which can then be invested in business-critical innovation, giving early adopters a clear competitive advantage over the rest of the market.
-
John Cooke, Managing Director
Sharing confidential information is a data protection issue with more and more red tape every day. With more and more apps using different encryption methods, this becomes even harder to manage for authorities. Below Finance Monthly hears about the potential for banking fraud via apps such as WhatsApp from Neil Swift, Partner, and Nicholas Querée, Associate, at Peters & Peters LLP.
As ever greater quantities of sensitive personal data are shared electronically, software developers have been quick to capitalise on concerns about how susceptible confidential information may be to interference by hackers, internet service providers and, in some cases, governmental agencies. The result has been an explosion in messaging apps with sophisticated end-to-end encryption functionality. Although ostensibly designed for day-to-day personal interactions, commonplace services such as WhatsApp and Apple’s iMessage use end-to-end encryption to transmit data, and more specialised apps offer their users even greater protection. Signal, for example, allows its already highly encrypted messages to self-destruct from the user’s phone after they have been read.
The widespread availability of sophisticated and largely impregnable messaging services has led to a raft of novel challenges for law enforcement. The UK government, in particular, has been outspoken in its criticism of the way in which end-to-end encryption offers “safe spaces” for the dissemination of terrorist ideology.
Financial regulators are becoming increasingly conscious of the opportunity that these messaging services present to those minded to circumvent applicable rules and avoid compliance oversight. 2017 saw Christopher Niehaus, a former managing director at Jefferies, fined £37,198 by the Financial Conduct Authority (FCA) for sharing confidential client information with friends and colleagues via WhatsApp. Whilst the FCA accepted that none of the recipients needed or used the information, and that the disclosure was simply boasting on Niehaus’ part, it was only his cooperation with the regulator that saved him from an even more substantial fine.
That same year saw Daniel Rivas, an IT worker for Bank of America, investigated by the US Securities and Exchange Commission and plead guilty to disclosing price-sensitive non-public information to friends and relatives who used that information. One of the means of communication was Signal’s self-destructing messaging service. Rivas’ prosecution had parallels with the 2016 conviction of Australian banker Oliver Curtis, an equities dealer, for using non-public information that he received from an insider via encrypted BlackBerry messages.
These examples are likely to prove only the tip of an iceberg; given that encrypted exchanges are by definition clandestine, understanding the true scale of the issue, outside resorting simply to anecdote, is itself an unenviable task for regulators and compliance departments. Whilst those responsible for economic wrongdoing have often been at pains to cover their tracks – perhaps by using ‘pay as you go’ mobile phones, and internet drop boxes to communicate – access to untraceable and secure communication is now ubiquitous. It is difficult to imagine that future regulatory agencies will have access to the material of the same volume and colour that was obtained as part of the worldwide investigations into alleged LIBOR and FX manipulation.
How then can regulators respond? And how are firms to discharge their obligations both to record staff business communications, and to monitor those communications for signs of possible misconduct? Many firms already ban the use of mobile phones on the trading floor, but such edicts – even where rigorously enforced – will only go so far. Neither Mr Rivas nor Mr Niehaus would have been caught by such a prohibition.
There may be technological solutions to technological problems. Analysing what unencrypted messaging data exists to see which traders are notably absent from regulated systems, or looking for perhaps tell-tale references to other means of communication (“check your mobile”), may present both investigators and firms with vital intelligence. Existing analysis of suspicious trading data may assist in identifying prospective leads, although prosecutors may need to become more comfortable in building inferential cases.
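The two heuristics described above, as an added example that is not part of the article: it runs over a handful of constructed recorded-platform messages and trade bookings, flagging messages that reference another channel (the “check your mobile” phrase from the text, plus a few assumed variants) and traders who booked trades on a day but sent nothing on the recorded system. The data and thresholds are assumptions for illustration.

```python
"""Compliance surveillance heuristics over recorded communications (constructed data)."""
import re
from collections import defaultdict

# Phrases that suggest a conversation is moving off the recorded channel.
# "check your mobile" is the example quoted in the article; the others are
# assumed variants added for illustration.
OFF_CHANNEL_PATTERNS = [
    r"\bcheck your (mobile|phone|cell)\b",
    r"\b(whatsapp|signal|imessage)\b",
    r"\b(text|call) me\b",
    r"\bnot on (here|this)\b",
]
_OFF_CHANNEL_RE = re.compile("|".join(OFF_CHANNEL_PATTERNS), re.IGNORECASE)

# Constructed sample: messages captured on the firm's recorded platform.
RECORDED_MESSAGES = [
    {"ts": "2018-03-05T09:12:00", "sender": "trader_a", "text": "Bid 101.25 on the 10y, size 50"},
    {"ts": "2018-03-05T09:14:00", "sender": "trader_b", "text": "ok, check your mobile"},
    {"ts": "2018-03-05T09:20:00", "sender": "trader_c", "text": "lunch at 1?"},
    {"ts": "2018-03-06T10:01:00", "sender": "trader_a", "text": "Offer 101.40 now"},
    {"ts": "2018-03-06T10:05:00", "sender": "trader_b", "text": "Let's move this to WhatsApp"},
]

# Constructed sample: number of trades booked per trader per day.
TRADE_BOOKINGS = [
    {"date": "2018-03-05", "trader": "trader_a", "count": 12},
    {"date": "2018-03-05", "trader": "trader_b", "count": 8},
    {"date": "2018-03-05", "trader": "trader_d", "count": 15},
    {"date": "2018-03-06", "trader": "trader_a", "count": 9},
    {"date": "2018-03-06", "trader": "trader_d", "count": 11},
]


def flag_off_channel_references(messages):
    """Return messages whose text hints that a conversation moved off the recorded channel."""
    hits = []
    for m in messages:
        match = _OFF_CHANNEL_RE.search(m["text"])
        if match:
            hits.append({"ts": m["ts"], "sender": m["sender"], "phrase": match.group(0)})
    return hits


def flag_silent_traders(messages, bookings, min_trades=5):
    """Traders who booked at least min_trades on a day but sent no recorded message that day.

    Being active in the market while absent from the recorded channel is the
    "notably absent" signal the article describes; min_trades is an assumed
    threshold to keep quiet days from generating noise.
    """
    senders_by_day = defaultdict(set)
    for m in messages:
        senders_by_day[m["ts"][:10]].add(m["sender"])  # ISO timestamp -> date part
    flagged = []
    for b in bookings:
        if b["count"] >= min_trades and b["trader"] not in senders_by_day[b["date"]]:
            flagged.append({"date": b["date"], "trader": b["trader"], "trades": b["count"]})
    return flagged


def surveillance_report(messages=RECORDED_MESSAGES, bookings=TRADE_BOOKINGS):
    """Combine both heuristics into one report for the compliance reviewer."""
    return {
        "off_channel": flag_off_channel_references(messages),
        "silent_traders": flag_silent_traders(messages, bookings),
    }


if __name__ == "__main__":
    for kind, items in surveillance_report().items():
        print(kind)
        for item in items:
            print("  ", item)
```

Both outputs are leads for a human reviewer, not findings: a trader may be silent because they were on leave, and "call me" can be entirely innocent.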
Fundamentally, however, such responses are likely to be both reactive, and piecemeal. Unless the ongoing wider debate as to the social utility of freely available end-to-end encryption prompts some fundamental rethink, the need to effectively regulate those who participate in financial markets – and thus the regulation of those markets themselves – may prove increasingly challenging.
So here we are in 2018, a year which, if the deal-junkies at Citi are to be believed, promises to be a ‘monster year’ for M&A. Given the globally-synchronised economic upturn, continuing low interest rates, suppressed inflation and roaring capital markets, they could very well be right. Below Carlos Keener, Founding Partner at BTD Consulting, talks Finance Monthly through some of the most anticipated M&A activity of the year.
Indeed the deal frenzy has already begun, with the second half of 2017 witnessing GVC’s takeover of Ladbrokes Coral and the Standard Life/Aberdeen Asset Management merger, among others. But a word of caution, at least for those considering acquisitions in the UK: Brexit, soft, hard or otherwise, is now less than 13 months away, and still we’re without (at the time of writing) any certainty on even the outline shape of our future relationship with Europe.
No doubt the lawyers and bankers will continue to talk up the Brexit boom, but the reality on the ground may be rather less clear. At a recent conference, a leading M&A professional representing a FTSE100 organisation disappointingly stated: “I think someone in the company is looking into the likely impact of Brexit; I’m sure they’ll tell us if we need to do anything differently as soon as they’re ready.” While we can all sympathise, that’s not nearly good enough.
Making a rational assessment of the likely risks UK firms may see over the coming years doesn’t require a crystal ball view of what form Brexit will ultimately take. A look at some upcoming or predicted deals for 2018 illustrates this well.
1. Prompted by its recent struggles, Capita, the outsourcing and professional services group, has just announced that it will be disposing of its less profitable and strategically-central assets and services. Firms heavily reliant on professional service revenue are typically the first to be hit hard in a downturn or in times of uncertainty, and even with a clear, decisive Brexit, lack of business certainty may extend for many years as post-Brexit regulatory and trade conditions – and how they are to be applied – crystallise and settle.
Divesting in an effort to return to core is a traditional approach when the future is relatively predictable and fairly speedy recovery is anticipated. But that’s not exactly the scenario ahead of us. Capita will need to prepare its balance sheet for an extended period of uncertainty while retaining sufficient service diversity and operational agility to accommodate new market demands, conditions, constraints (and yes, opportunities) as they emerge. It is adaptability and not strength which may win the day.
2. The global Pharma sector is likely to see significant M&A activity in 2018 as new drug pipelines soften and US corporate tax reductions take effect. One of the most prominent deals in recent years in this sector was the asset swap and joint venture creation between GlaxoSmithKline and Novartis. And last month GSK’s new CEO, Emma Walmsley, expressed an interest in acquiring Pfizer’s Consumer Health division, estimated to be valued at over $15bn.
Like any global manufacturing organisation with highly-complex supply chains in which materials may cross borders multiple times before reaching the market as a finished product, GSK will need to be extremely careful to scenario-plan the potential impact of new hard, soft or otherwise cross-border tariffs and associated regulations as they come into force.
Business cases that assumed free trade across the EU should be re-examined, and supply chains reviewed to minimise any potential increased cost. Acquisitions of EU-based manufacturing capabilities with the ability to serve local markets may help buffer the firm against any emerging trade barriers.
3. News appeared in January that Fox still wants full control of Sky, despite rejection of the deal by British regulators. The rejection shows the growing importance of political and economic nationalism which can trump investor returns, competition or corporate tax repatriation.
A report in October 2017 by Latham & Watkins describes governments and regulators taking an increasing interest in ‘foreign’ acquisitions of nationally important companies in the name of national security. In a twist on this, at the time of writing GKN, the FTSE100 aerospace and automotive giant, was fending off an unsolicited £7bn takeover bid by Melrose. While a ‘UK only’ deal, politicians including Vince Cable were commenting on the risk the deal may pose to the UK’s industrial strategy.
Economic nationalism begins at home. So, any UK business looking to buy or sell across borders will need to consider how the deal would look to the public and politicians, not just the shareholders.
4. One area in which everyone agrees change is upon us is FinTech. 2017 deals included Vantiv/Worldpay and JPMorgan Chase/WePay. Brexit’s impact on London’s financial sector will accelerate M&A in the coming years within a sector that’s evolving at warp speed. It will be more important than ever to predict the effects of changes. How will the financial regulatory landscape diverge between the UK and the EU post-Brexit? How will GDPR, data protection and safe haven legislation and practices impact market opportunities and operational challenges across borders? And more tactically – if the FinTech gravity moves or disperses (say to Paris), how will FinTech firms find and retain the top technical talent they need?
As ever, change provides an opportunity and a threat to businesses doing M&A. Size alone will not guarantee success. The successful organisation will pull ahead through a clear strategy and use M&A to expand or adapt their propositions and capabilities in the market. Whatever form Brexit takes, one thing is certain – interesting times lie ahead.
Darren Craig is an Associate Partner at Northdoor plc, an IT consultancy specialising in data solutions. Founded in 1989, Northdoor has created a consultancy-led engagement model for clients looking to start their GDPR programme. In its experience, the company has found that businesses are very confused about the legislation and need advice on the processes involved in meeting GDPR legislative requirements. The Northdoor Rapid Response programme allows clients to quickly define their strategy, clarify their existing position around data and data security and create a clear roadmap to allow them to progress towards meeting their GDPR target. Once the roadmap has been defined, Northdoor offers a combination of consultancy services and a series of solutions to detect, encrypt and secure client data to ensure that the environment meets their needs. Here Darren tells Finance Monthly more about the GDPR-related services that Northdoor offers and the challenges that UK businesses face less than six months before the looming deadline.
With the European Union General Data Protection Regulation coming into effect in May 2018, in your opinion, what are UK companies doing in terms of preparing for GDPR?
I think that so far, many companies have spent a lot of time educating themselves and building their awareness of what GDPR is. We’re finally beginning to see companies that are starting to implement programmes of work. However, there's still a large percentage of companies that we talk to every day that haven't even started their formal programmes yet and don't expect to start one until January next year.
Do you think that this will give them enough time?
It depends on the size of the company, but I think that there will be a lot of British companies that won’t manage to be fully compliant by 25th May 2018.
Why do you think so many businesses in the UK have yet to initiate a GDPR compliance programme?
I think it's a mixture of reasons. One of them is connected to the lack of marketing in relation to GDPR that the Information Commissioner’s Office (ICO) has done. I’m under the impression that a lot of companies think that GDPR is just another version of the Data Protection Act, which is not the case. It is in fact a very significant change, when compared to what the Data Protection Act expects them to do.
What are the first steps towards GDPR compliance?
The first step is understanding the gaps within your business. It is fundamental for businesses to accept that data protection is not just an IT issue - it's a cross-business challenge that requires all departments to come on board as part of the GDPR project and identify the data protection gaps they have between their current processes.
What does a typical GDPR compliance project entail?
As mentioned, the project itself starts off with a gap analysis where companies identify the gaps they have. This is then followed by a discovery exercise in order to identify all the personal data information that the business currently processes. The third stage of the project is then taking that data and mapping it back to a process within the business. Finally, companies have to carry out a Privacy Impact Assessment (PIA) against the process - only then they fully understand the amount of work that they need to do in order to become GDPR compliant.
When assessing compliance, what areas do you find businesses commonly struggle with?
The most common challenge relates to marketing. Traditionally, companies use marketing data from lots of different sources, but under GDPR, they will require explicit consent to be able to use this information going forward.
The other challenging area is HR - the requirements are for Human Resources to make sure that they have the right legal basis in place to process their employee information.
The third area where we see companies struggle is third-party supply chains. Under the Data Protection Act, the supply chain wasn't liable, however, under GDPR, the supply chain and the owner of the data are equally liable. Thus, there's a legal requirement for every company to ensure that the third-party supply chains that they work with are also fully compliant.
Can you tell us more about the work you’re doing in the field of GDPR?
The work we're primarily doing at the moment is advisory work, helping companies understand how much work they need to do around GDPR compliance and establish their project plan.
Why should companies choose Northdoor to help them with their GDPR compliance projects?
Northdoor is not a company that's just jumped on the GDPR bandwagon – we have been a business for over 28 years and our key priority is to advise clients and help them manage their information assets effectively. We not only advise them in relation to compliance of data, but we also help them secure their data and get value from it. We manage the whole lifecycle of information assets throughout the business and this has always been our core focus.
For more information, please go to: https://www.northdoor.co.uk, email: info@northdoor.co.uk or call 0207 448 8500.
With plenty of change coming in 2018, here Emmanuel Lumineau and Thomas Schneider, Founders of BrickVest, delve deep into the future of real estate for the coming year, prospects of growth and challenges ahead.
2017 was a strong year for the real estate industry. Despite a number of external factors that could have easily affected market performance, low interest rates remained stable and demand in real estate investment products continued to rise.
Brexit
Brexit has clearly had an effect on the UK but we believe that across Europe, there remain strong deal flow levels and investment opportunities. Our recent research showed that one in three (33%) commercial real estate investors highlighted Germany as their preferred region to invest in. This is the first time that Germany has been chosen as the number one region to invest in, ahead of the UK, which was selected by a quarter (27%).
The UK saw a drop from 31% in the last quarter and from 32% in the same Barometer 12 months ago. The Barometer also revealed that UK, French, German and US investors are now less favourable towards the UK since last year. 45% of UK, nearly a quarter (21%) of US, a fifth (19%) of French and 18% of German investors suggested they favour the UK this quarter, representing a decrease from last year across the board from 46%, 26%, 28% and 21% respectively.
Despite investors seemingly focussing away from the UK, there has been an abundance of international capital flowing into real estate, almost every major institutional investor globally has been increasing their portfolio allocation to real estate over the last five years mainly because of lack of alternatives.
Moreover, the average risk appetite of BrickVest’s investors continues to rise, to 52% from 49% last quarter and from 48% this time last year, meaning a sentiment shift from low to balanced risk.
Interest rates
The Bank of England’s decision to raise interest rates in the UK in November was momentous for the economy and should signal the start of a series of gradual increases. The Bank decided that inflation is potentially getting out of control and the economy now requires higher borrowing costs. In contrast, the ECB’s decision to unwind its QE programme to €30 billion a month is a glowing endorsement of healthy Eurozone growth and falling unemployment, which will more than likely mean that interest rates will stay at historic lows until at least 2019 in order to help financial markets adjust.
Increasing interest rates has a direct impact on real estate. Higher interest rates and rising inflation make borrowing and construction more expensive for owners, which can have a constraining effect on the market but can also lead to an increase in property prices. In a low interest rate environment, European real estate yields will continue to look attractive and real estate serves as a good alternative to fixed income.
Value in 2018
We expect to see increasing demand for real estate in 2018. Indeed, our research showed that two in five (40%) institutional investors plan to increase their allocation to European commercial real estate, while 44% expect commercial property yields to increase in the next 12 months and just 22% believe they will decrease.
We believe that the best value can be found in real estate deals that are not too sensitive to price erosions. Investors should keep a close eye on the risk of high leverage and DSC ratios. We believe that the best investment options for 2018 will most likely be found in value-add real estate in combination with a conservative financing policy.
Investment strategy 2018
Given the fact that we believe demand will remain relatively high in 2018, one of the main challenges will be to find good deals.
Investors will have to find the right balance of higher leverage (due to continually low interest rates) and being able to handle potential price corrections in the event that the market cools off due to external factors such as Hard Brexit, escalation in the US vs. North Korea conflict, etc…
Institutional investors are investing in less liquid secondary and third-level cities to achieve acceptable going-in cap rates (cap rates in major markets such as Paris are historically low). Investors will also be forced to look at less traditional investment products such as student housing, serviced apartments, senior housing or industrial to get better returns. The overall risk of these investments is that they are in general less liquid, and if the market bounces back, cap rates will also increase much faster than in downtown Paris.
In order to manage this problem, some institutional investors are now investing in real estate debt products so that they a.) have their exposure to real estate but b.) also have an achievable exit (i.e. when the loan maturity is reached). We think this might be a smart strategy in 2018 given that real estate prices are already very high and might fall in the long term (so no upside opportunity, but also no real downside risk).
Sectors to watch
We continue to see the highest level of volatility from the office sector as many international firms put decisions on hold over their long-term office space requirements. Our research with institutional investors highlighted that more than a third (34%) believe the biggest real estate investment opportunities will be found in the office sector, and the same number in the hotel & hospitality industry, over the next 12 months.
Three in ten (31%) thought the industrial sector would present the biggest commercial real estate investment opportunities over the next 12 months while one in five (19%) cited the retail & leisure sector.
Mifid II
When implemented in January 2018, revisions to the EU’s Markets in Financial Instruments Directive (MiFID II) will radically change the regulation of EU securities and derivatives markets, and will significantly impact the investment management industry. It will have a significant impact for wealth and asset managers on profitability, product offer and their distribution across Europe, operating models and pricing and costs.
As a consequence, we expect MiFID II to widen the gap between global, infrastructure-based players and local players. Crowdfunding platforms may be affected by these changes.
General Data Protection Regulation (GDPR)
GDPR comes into force on 25 May 2018 and represents the biggest change in 25 years to how businesses process personal information. The directive replaces existing data protection laws and will significantly tighten data protection compliance regulation.
Like other industries, real estate companies will have to conduct a risk analysis of all processes relevant to data protection.
The Top 5 Impacts of GDPR on Financial Services
The clock is ticking to the 2018 deadline to comply with the EU General Data Protection Regulation (GDPR). Acting now is critical for firms to avoid risking fines of €20m (or 4% of annual revenue) so advance planning and preparation is essential. Here Nathan Snyder, Partner at Brickendon, lists for Finance Monthly the top five considerations and impacts GDPR will have on financial services.
Amidst growing concerns around the safety of personal data from identity theft, cyberattacks, hacking or unethical usage, the European Union has introduced new legislation to safeguard its citizens. The EU General Data Protection Regulation aims to standardise data privacy laws and mechanisms across industries, regardless of the nature or type of operations. Most importantly, GDPR aims to empower EU citizens by making them aware of the kind of data held by institutions and the rights of the individual to protect their personal information. All organisations must ensure compliance by 25th May 2018.
While banks and other financial firms are no strangers to regulation, adhering to these requires the collection of large amounts of customer data, which is then collated and used for various activities, such as client or customer onboarding, relationship management, trade-booking, and accounting. During these processes, customer data is exposed to a large number of different people at different stages, and this is where GDPR comes in.
So, what does the introduction of GDPR actually mean for financial institutions and which areas should they be focussing on? Here Brickendon’s data experts take a look at five key areas of the GDPR legislation that will impact the sector.
1. Client Consent: Under the terms of GDPR, personal data refers to anything that could be used to identify an individual, such as name, email address, IP address, social media profiles or social security numbers. Because firms are explicitly required to gain consent (no automatic opt-in) from customers for the personal data gathered, individuals know what information organisations hold about them. Also, under the consent system, firms must clearly outline the purpose for which the data was collected and seek additional consent if they want to share the information with third parties. In short, the aim of GDPR is to ensure customers retain the rights over their own data.
2. Right to data erasure and right to be forgotten: GDPR empowers every EU citizen with the right to data privacy. Under the terms, individuals can request access to, or the removal of, their own personal data from banks without the need for any outside authorisation. This is known as Data Portability. Financial institutions may keep some data to ensure compliance with other regulations, but in all other circumstances where there is no valid justification, the individual’s right to be forgotten applies.
3. Consequences of a breach: Previously, firms were able to adopt their own protocols in the event of a data breach. Now however, GDPR mandates that data protection officers report any data breach to the supervisory authority of personal data within 72 hours. The notification should contain details regarding the nature of the breach, the categories and approximate number of individuals impacted, and contact information of the Data Protection Officer (DPO). Notification of the breach, the likely outcomes, and the remediation must also be sent to the impacted customer ‘without undue delays’.
Liability in the event of any breach is significant. For serious violations, such as failing to gain consent to process data or a breach of privacy by design, companies will be fined up to €20 million, or 4% of their global turnover (whichever is greater), while lesser violations, such as records not being in order or failure to notify the supervisory authorities, will incur fines of 2% of global turnover. These financial penalties are in addition to potential reputational damage and loss of future business.
4. Vendor management: IT systems form the backbone of every financial firm, with client data continually passing through multiple IT applications. Since GDPR is concerned with client personal data, firms need to understand all data flows across their various systems. The increased trend towards outsourcing development and support functions means that personal client data is often accessed by external vendors, thus significantly increasing the data’s net exposure. Under GDPR, vendors cannot disassociate themselves from obligations towards data access. Similarly, non-EU organisations working in collaboration with EU banks or serving EU citizens need to ensure vigilance while sharing data across borders. GDPR in effect imposes end-to-end accountability to ensure client data stays well protected, by requiring not only the bank but all its support functions to embrace compliance.
5. Pseudonymisation: GDPR applies to all potential client data wherever it is found, whether it’s in a live production environment, during the development process or in the middle of a testing programme. It is quite common to mask data across non-production environments to hide sensitive client data. Under GDPR, data must also be pseudonymised into artificial identifiers in the live production environment. These data-masking, or pseudonymisation, rules aim to ensure that data access stays within the realms of the ‘need-to-know’ obligations.
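One concrete way to turn direct identifiers into artificial identifiers, as described in the point above, is keyed pseudonymisation. The example below is an added illustration, not Brickendon’s or any vendor’s code: it replaces name, email and account number with HMAC-SHA256 tokens under a per-environment secret key, so production records stay joinable for analytics while a test environment, keyed differently, cannot be correlated back to production. The record layout and sample people are constructed for the example; key storage (an HSM or secrets manager) is assumed to exist and is out of scope.

```python
"""Keyed pseudonymisation of client identifiers (added illustration).

Direct identifiers are replaced by HMAC-SHA256 tokens under a secret key held
by the environment that owns the data. The tokens are deterministic, so two
datasets pseudonymised under the same key can still be joined, but the
original values cannot be recovered from a token without the key. Each
environment (production, UAT, development) gets its own key, so tokens seen
in a test system cannot be matched against production data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from typing import List, Tuple

# Fields that directly identify an individual and must be pseudonymised.
DIRECT_IDENTIFIERS = ("name", "email", "account_number")


@dataclass(frozen=True)
class ClientRecord:
    name: str
    email: str
    account_number: str
    balance_gbp: int  # analytical attribute, deliberately left in clear


def new_environment_key() -> bytes:
    """One secret key per environment; in practice loaded from a secrets store."""
    return secrets.token_bytes(32)


def pseudonymise_value(value: str, key: bytes, field: str) -> str:
    """Deterministic, non-reversible token for one field value.

    An unkeyed hash would be reversible by guessing likely inputs (the space
    of plausible e-mail addresses is small), so the secret HMAC key is what
    makes the token non-reversible. The field name is mixed in so that the
    same string appearing in two fields yields two unrelated tokens, which
    limits cross-field linkage. Case and surrounding whitespace are
    normalised so 'Alice@Example.com' and 'alice@example.com' agree.
    """
    canonical = value.strip().lower().encode("utf-8")
    msg = field.encode("utf-8") + b"\x00" + canonical
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]  # 128-bit token


def pseudonymise_record(rec: ClientRecord, key: bytes) -> ClientRecord:
    """Replace every direct identifier; keep analytical attributes intact."""
    tokens = {f: pseudonymise_value(getattr(rec, f), key, f) for f in DIRECT_IDENTIFIERS}
    return replace(rec, **tokens)


def contains_original(rec: ClientRecord, pseudo: ClientRecord) -> bool:
    """Leak check: True if any original identifier survives in the output."""
    for f in DIRECT_IDENTIFIERS:
        original = getattr(rec, f).strip().lower()
        if original and original in getattr(pseudo, f).lower():
            return True
    return False


def join_by_email(rows_a: List[ClientRecord],
                  rows_b: List[ClientRecord]) -> List[Tuple[ClientRecord, ClientRecord]]:
    """Two datasets pseudonymised under the same key still join on the token."""
    index = {r.email: r for r in rows_b}
    return [(a, index[a.email]) for a in rows_a if a.email in index]


# Constructed sample records: fictitious people and account numbers.
SAMPLE = [
    ClientRecord("Alice Example", "Alice@Example.com", "GB00-1234-5678", 2500),
    ClientRecord("Bob Sample", "bob@sample.org", "GB00-8765-4321", 120),
]


def demo() -> Tuple[List[ClientRecord], List[ClientRecord]]:
    """Pseudonymise the sample under a production key and a separate test key."""
    prod_key, test_key = new_environment_key(), new_environment_key()
    prod = [pseudonymise_record(r, prod_key) for r in SAMPLE]
    test = [pseudonymise_record(r, test_key) for r in SAMPLE]
    return prod, test


if __name__ == "__main__":
    prod_rows, test_rows = demo()
    for original, p, t in zip(SAMPLE, prod_rows, test_rows):
        print(f"{original.email:>20} -> prod {p.email}  test {t.email}")
    # Under different keys the two environments share no tokens.
    print("cross-environment joins:", len(join_by_email(prod_rows, test_rows)))
```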
Given the wide reach of the GDPR legislation, there is no doubt that financial organisations need to re-model their existing systems or create newer systems with the concept of ‘Privacy by Design’ embedded into their operating ideologies. With the close proximity of the compliance deadline – May 2018 – firms must do this now.
Failing to do the following now: a) identify client data access and capture points, b) collaborate with clients to gain consent for justified usage of personal data, and c) remediate data access breach issues, will in the long run not only cause financial pain but also erode client confidence. A study published earlier this year by Close Brothers UK found that an alarming 82% of the UK’s small and medium businesses were unaware of GDPR. Recognising the importance of GDPR and acting on it is therefore the need of the hour.
With just six months until GDPR hits Europe hard, Finance Monthly has heard from Nigel Edwards, SVP of Insurance Europe & Head of UK at EXL Service, on the threat GDPR poses to emerging technologies, fintech, regtech and so forth.
For insurers, the General Data Protection Regulation (GDPR) promises to be a difficult hurdle to overcome without the right strategic approach and expertise. Businesses in the insurance industry are some of the most vulnerable to being caught wrong-footed by the incoming GDPR rules because of the data rich environment they naturally operate in. The widespread use of third party administrators means that data flows can be difficult to control in a way that keeps firms compliant with the new regulation. Another question that is high up on the agenda for industry decision-makers is the effect that GDPR will have on future technology adoption.
In recent years, the insurance sector has undergone an unparalleled degree of technological disruption. Telematics technology, for example, has dramatically changed how insurers price policies by gathering data on individuals’ driving habits and behaviour. The use of social media analytics is making the claims process more straightforward, and technologies such as geo-location are creating better conditions for underwriters to evaluate pools of risk. One thing these technologies have in common is their reliance on large amounts of collected customer data to function effectively. Will these techniques be hamstrung by the demands placed on companies under the GDPR regime?
Assessing the data ecosystem
For the most part, GDPR will not force insurers to curtail technology adoption, so long as precautionary steps are taken to better manage the data inputs and outputs on which new technologies rely. All of the existing InsurTech solutions that are on the market or close to arriving will remain options for brokers and underwriters to incorporate into their strategic spend - but only if the underlying infrastructure is in place to enable the rigorous management of client data.
Perhaps one of the most onerous demands placed on businesses by GDPR is the so-called ‘right to be forgotten’, which will grant EU residents the right, in some circumstances, to request a full removal of their personal details from any company’s systems. Many insurance firms, a large proportion of which will have been trading since the start of the age of digitisation, have accumulated large caches of over 30 years’ worth of client data. This data may not be in a single standardised format and may be spread across silos in multiple locations – posing a considerable challenge when it comes to compliance with right-to-be-forgotten guidelines.
Aligning with a long-term strategy
For new technologies to remain viable, steps must be taken to ensure that the core infrastructure upon which data is stored and transferred is responsive to frequent requests for deletion or transfer. This may result in the overhaul of legacy IT systems which are not fit for purpose and a more selective retention of customer information, as opposed to a policy which swallows up large pools of data indiscriminately.
Whilst this may entail some capital outlay, the decision to update legacy systems should be taken in the context of a new stance towards regulatory compliance. The GDPR is just one regulatory hurdle that must be overcome by insurers next year, but it can serve as a starting block for a more agile approach to data handling – especially for firms who have historically neglected the task. In the long term, laying the foundations for new technology adoption will not only facilitate better business agility but also a more intuitive approach when interacting with clients and their data.
Research from leading information security company Clearswift has shown that the education sector is rivaling technology for the top spot when it comes to GDPR preparedness.
The research surveyed 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia. When asked whether firms currently have all of the necessary processes in place to be compliant the top five performing sectors included technology and telecommunications (32%), education (31%), IT (29%), business services (29%) and finance (29%).
The survey has also revealed, of all the sectors, healthcare is the least likely to be ready for the upcoming GDPR, with only 17% of private and public sector bodies claiming to have the processes in place to comply with the legislation. Following closely behind is the retail sector with a mere 18% of the industry ready for GDPR, and marketing at 19% and legal at 21%.
Overall, the research has shown that only a quarter (26%) of businesses are currently ready for General Data Protection Regulation (GDPR). However, with the deadline fast approaching, a further 44% are putting processes in place and expect to be ready in time for May next year, when the legislation comes into force.
Dr Guy Bunker, SVP of Products at Clearswift, said: “With 64% of UK businesses currently making moves towards GDPR compliance, the outlook is not as bleak as previously thought.
“It is clear that the regulation has grabbed the attention of businesses, but what is important is that their focus is in the right place. Those viewing GDPR as an opportunity will be in the best position to not only comply, but evolve their organisations, enhance their security posture and achieve business growth.
“Educating employees about how to safeguard critical information, introducing data protection guidelines and instilling a culture of data consciousness in the workplace will not only bring organisations closer to compliance but help reduce the chances of a data breach.”
Although the majority of businesses may not currently be ready for GDPR, employers have begun identifying the departments within their organisations where data protection is needed most. The most common departments to have budget allocated for spend on GDPR are finance and IT (31%). This is particularly relevant as most businesses believe their critical data predominantly lies in the finance department (55%), suggesting that finance will be under the spotlight in the coming months as organisations look at how they can prepare for GDPR.
When looking at the size of an organisation, 46% of the businesses that reported they are ready for GDPR had between 500 and 999 employees. Among larger corporations of 5,000 or more employees, only 19% reported they are ready, suggesting that bigger is not necessarily better. Smaller enterprises are leading the way over their larger counterparts in putting processes and technology in place ahead of May 2018.
While many organisations are expecting to be ready for GDPR, our research has shown that a typical company-wide IT project takes around six months to roll-out, meaning those that aren’t ready now are running out of time to introduce new technology which could help them comply with the legislation.
Dr Bunker added: “The key focuses for GDPR compliance are educating employees and understanding where your data lies. However, organisations that are still looking at how they can prepare should focus on security solutions that can be integrated within existing infrastructures, such as Data Loss Prevention (DLP) tools and content inspection software, which are the biggest priorities in preventing data loss and can be used to demonstrate compliance with GDPR legislation. This can save time and costs by adding these to existing security investments instead of removing old technology and replacing it with completely new solutions.”
(Source: Clearswift)
The upcoming EU Data Protection Regulation has created opportunity in an underserved marketplace. Earlier this month, the Finance Monthly team spoke with David Williams, the Founder and CEO of the online onboarding and document management solution – Shuttle, which is helping businesses realign how they work with consumers, and their key business introducers.
Headquartered in Shoreditch, London with a satellite office in Sofia, Shuttle is a graduate of the Entrepreneurial Spark accelerator programme, and current members of the Barclays RISE community. The company recently launched its cloud-based Introducer Portal – the first platform of its kind, specifically designed to provide a secure online vault for multi-party transactions. Shuttle manages personally identifiable information (PII) and commercially sensitive data between customers, introducers, banks and other financial institutions.
With GDPR coming into effect in less than seven months, now is the time for organisations to secure their customers’ PII during the application process. This is where Shuttle comes to the rescue with its unique Introducer Portal. Key business introducers, both internal and external, such as brokers, accountants and intermediaries, now collaborate in the customer application process. Together with the company’s partners and clients, Shuttle transforms the first impression businesses make with their customers.
Introduced channels drive more than 60% of new business in the financial services space. Additionally, the sharing or ‘gig’ economy, self-employment and start-up initiatives are driving increased demand for small business banking services. To meet this burgeoning demand, company formation agents and accountants are increasingly advising on and setting up business bank accounts for their new customers. Shuttle Introducer transforms how information is captured, managed and shared in the introduced business channel.
“Shuttle is helping financial institutions to take the lead in providing collaborative technology to their key business introducers. Simplification of processes is growing their existing business lines and opening new introduced channels.”
David said: “Our research showed that the introduced business channel is underserved with affordable enabling technology. Organisations using Shuttle are taking the lead in providing collaborative technology solutions to their key business introducers, growing their existing business and opening new introduced channels.”
How does the Shuttle Introducer Portal work?
Financial services institutions appoint approved introducers who are authorised to originate applications using bespoke digital forms and templates.
Applicants complete forms and upload supporting documentation through an omnichannel access point.
All documentation and communication are time-stamped and stored in a single repository, providing a full audit trail.
Providers, introducers and applicants can interact in real time to progress business through the native Shuttle Message application.
The applicant’s personal information (PII) is protected and controlled by them through their unique access portal, in accordance with GDPR guidelines.
To find out more:
Website: www.shuttleon.com
Email: info@shuttleon.com
Tel: 020 3287 0950
“Shuttle is helping financial institutions grow their existing SME business and open up new channels to market by taking the lead in providing collaborative technology solutions to their key business introducers.”
By Adam Oldfield, Vice President Sales EMEA Financial Services at Unisys
The financial services market continues to evolve digitally to meet the rising expectations of customers, particularly in relation to their experience with digital and in-store services. Consumers expect banks to be accessible 24/7, from any location, and any device. As a result, security of access continues to be front of mind for everyone in the financial services industry, and the challenges that come with it.
Multifactor authentication built into modern applications, the use of biometrics or analytics as well as artificial intelligence are all needed to be interwoven in the modern environment to keep security capabilities at a high – but why is cybersecurity such a pressing factor in the market over the last few months?
Legislative drivers
It is widely known about the multitude of financial, and reputational, incentives tied to increasing security standards in order to be compliant with a variety of legislative drivers, with the biggest and most impactful deadline being the General Data Protection Regulation. The GDPR brings consistency to the current data protection laws across EU member states, and provides guidance on how customer data should be stored and how companies must respond in the event of a data breach.
As we move towards the 2018 deadline, a large proportion of companies, including financial services firms, are still unsure about what specifically they need to do in order to be as compliant as possible.
Therefore, we are continuing to see the demand for cybersecurity advisory services, personnel as well as solutions at an all-time high - demanding higher and higher shares of annual and quarterly budgets within financial institutions.
The threat landscape and impending legislation has meant cybersecurity has moved from a once discretionary spend to a mandatory one in recent months. Financial services organisations are rapidly restructuring teams, hiring new talent and most importantly seeking advisory services to manage the journey to compliance. Cybersecurity maturity levels held with each organisation in the market also fluctuate, meaning each company has a different set of requirements, goals and timeframes to abide by.
However, the legislative drivers forcing financial institutions to treat customer data with the utmost care are not limited to the GDPR. The Payment Services Directive (PSD2) and the 2018 mandate set by the Competition and Markets Authority (CMA) are among the key drivers raising data protection and security requirements as well as market standards, having a particular impact at the decision-making, forecasting and budgeting level.
These legislative drivers will continue to move security up to a boardroom discussion, with advisory services taking the front line of demand as well as budget. As we move towards 2018, the stopwatch is on for new entrants, as well as established players to restructure teams, align ecosystems and improve data management. They must also fine tune effective cyber breach response strategies to ensure the legislations and regulations put in place have a positive impact on their business and customers.
No organisation is immune
Many financial services organisations are aware of the technological developments taking place throughout security, as well as the evolving security postures needed to combat threats and reduce routes of entry. Biometric authentication is one example, adding an additional layer of personalised security for data and account protection purposes. The plethora of high-profile attacks, such as Petya and WannaCry, highlights how no organisation or industry, including financial services, is immune.
The need for flexibility and responsiveness is paramount in this ever-changing landscape, not only legislatively but operationally, driving companies to pull together best in breed solutions to ensure capabilities match fluctuating threats. Legislatively the PSD2, for example, forces organisations to contract and conduct payments in a certain way, as well as effectively store and protect sensitive data. In comparison, the CMA 2018 mandate is forcing all financial services providers to offer customers the ability to manage their products, regardless of provider, via a single mobile application of their choice. Operationally, customers are demanding seamless payment and verification options with a 24/7 responsive service. A best in breed and reactive approach is capable of managing these demands, meaning flexible and intuitive ecosystems for application roll out can be the route to success, and gone are the days of using one provider for everything.
Written by Justin Baxter, Neil Adams and Neil Mockett from Crowe Horwath
With only 12 months left until the new GDPR regulations come into force, many organisations are already busy, preparing for May 2018. But for others, the challenge is still about getting started with a proportional approach that will enable sufficient progress in the time remaining, and provide a defensible position in the event of any breach or incident. Unfortunately, there is no blueprint for easy compliance and no easy, plug-in solution. Each firm will have a different starting point and will therefore need to determine its own approach.
The ICO has described GDPR as a “journey”. This is very true, however, it is one that is best prepared for by taking into account some practical advice.
Give GDPR the level of sponsorship it deserves. Compliance with GDPR, and data protection more generally, should be regarded as a key operational risk. As such, the board should appoint a member of the management committee to oversee progress. The potential for significant fines, exposure to legal action, and the inevitable bad publicity and reputational impact should an incident occur necessitate senior management oversight. However, GDPR is also about the rights of the individual, and the expectations individuals have of the firms holding their data and acting as custodian. Therefore, GDPR is also an issue of ‘conduct’ which, as financial services firms know all too well, can cause significant problems with the regulator if not taken seriously.
As with any business change, the direction, drive and tone from the top can be one of the main differences between success and failure, so it is worth ensuring you have the right sponsorship in place.
Getting started. There are many reasons why plenty of firms are struggling to get started. However, one of the key issues is that GDPR is a principles-based regulation and, with detailed guidance on a number of key areas still a work in progress, the regulation is, quite simply, open to interpretation. As a result, in the absence of a more prescriptive GDPR “instruction manual”, organisations need to determine for themselves what GDPR means. This includes the organisation deciding where to set the “bar”, especially in areas where the regulation refers to rather unhelpful terms such as “appropriate” or “sufficient”.
Really understand what happens to data across the organisation. This is such a simple statement to make, yet it is an absolutely critical starting point. Organisations have to be brutally honest about the personally identifiable data they have, why they need it, where it came from, how it is used, where it is stored and where it goes. For many organisations, performing this step is a daunting prospect. However, firms do not need to take a ‘scorched earth’ approach to understanding their data - even some high level work will most likely reveal where the key areas of concern exist.
Gaining this understanding as early as possible will prove extremely insightful, and should form the basis of many other areas of work over the next twelve months.
Identify the areas of greatest impact. Although GDPR introduces a number of new requirements, for example in relation to gaining consent, or customer requests such as the right to ‘erasure’, much of it is not actually new and it is really just an extension of the core principles of the existing Data Protection Act (DPA). An organisation’s existing maturity against the DPA will therefore have a significant bearing on the breadth and depth of scope that needs to be addressed under GDPR. In the absence of a detailed or recent DPA gap analysis, almost every organisation will have one or more open audit points relating to data protection, which is usually a good place to start.
Invest time upfront in developing formal data protection related policies and standards. Strong governance is important for lots of reasons, and well-written policies and standards provide the foundations of good governance. In the case of GDPR, investing time early on to revise existing data protection policies to ensure they address the requirements of GDPR will help create clarity and focus for the organisation, and a point of reference against which compliance can be assessed. The exercise will also inevitably produce some surprises in terms of other related policies that will need to be amended to address GDPR, such as HR, Procurement, Outsourcing, and Information Security.
If in doubt, complete a Privacy Impact Assessment (PIA). The principle of embedding is key to successfully implementing any change, and in support of this aim for data protection, the ICO published guidance in 2014 on the use of PIAs as a business-as-usual (BAU) “tool”. In effect, a PIA is a structured assessment of a given business situation with the explicit purpose of assessing the level of data protection related risk. Though originally conceived as a tool to be used in BAU, completing a PIA against areas of concern or uncertainty as you work towards compliance can be a very powerful, and extremely revealing, approach.
Model your response to Customer Requests. Subject Access Requests (SARs) are not a new concept. But GDPR means they will become free of charge for members of the public. GDPR also introduces new customer rights, around areas such as portability and erasure. Therefore, it is reasonable to expect that volumes of customer requests will increase after May 2018. To address this situation, it is key to establish what would be involved in providing the information outlined in the regulations, including for the new request types. Also key is the testing of scenarios where volumes significantly increase from historical levels, in order to understand their potential operational impact.
Don’t forget Third Parties. The changes in accountability and liability regarding Data Processors are significant under GDPR. While Data Controllers remain liable for infringements caused by their Data Processors, those Processors now also have direct duties under the GDPR. It is therefore critical for both Controllers and Processors to understand what has to happen to keep processing operations compliant. As most organizations have tens, if not hundreds, of third parties that they rely upon, this can be no small task and needs to be sized and tackled with the priority it deserves.
Information Security is key. This won’t be a surprise to most people, however, too often organisations seem to “miss the wood for the trees” when it comes to information security. There is little point spending small fortunes on leading edge IT protection systems if a firm isn’t sure it has the basics in place – as an example, look no further than the recent attack on the NHS and issues caused by the lack of recent Windows patches. Also, information security is not just about the structured data held in core systems, it equally needs to apply to physical data and the unstructured or “dark” data that resides in emails, on network drives and the Excel downloads from core systems that all organisations possess.
Staff training and awareness. Kicking off a gradual programme of awareness and training around the principles of data protection, and explaining to staff how the organisation is addressing the needs of GDPR, is essential. How staff handle data related queries with customers and third parties will be a key factor in mitigating data protection risks, and demonstrating to customers, and the regulator, that the organisation takes data protection seriously. Organisations need to be careful not to neglect the ‘people’ side of things in favour of more tangible areas such as IT.
Complying with GDPR. Complying with new regulations is almost always harder than originally expected - vague requirements from the regulator, a fixed end date and a lack of in-house experience don’t tend to mix well. In reality, given the breadth of impacts from GDPR, most organisations will struggle to address every last detail before May 2018. Though this may be true, what is key is that organisations can demonstrate they understand the size and nature of the gaps they have to address, they have a plan in place and are making good progress, and they can show the regulator, and other key stakeholders, that they are in control and are taking GDPR seriously.
Crowe Horwath is a member of the Crowe Horwath International (CHI) network of accounting, tax, risk and performance management firms. Crowe has years of experience implementing regulatory and compliance changes and helping firms refine their approach to risk management. Justin Baxter is a Partner in the London office and together with Neil Adams, and Neil Mockett, they are leading the development with clients of practical and pragmatic approaches to the challenges presented by GDPR.
For more information, please email justin.baxter@crowehorwathgrc.com, neil.adams@crowehorwathgrc.com or neil.mockett@crowehorwathgrc.com