With MIFID II currently top of the regulatory agenda for private banks and wealth managers, research by Private Banker International (PBI) indicates the industry is underestimating the impact of the EU’s General Data Protection Regulation (GDPR) – and is unprepared for the directive.
In just over four months, GDPR kicks off on 25 May 2018.
The law is set to give consumers and clients more control over their data and will impact every client that is subject to data protection.
And GDPR particularly impacts private banking and wealth management.
Guenther Dobrauz, Partner and Leader at PwC Legal Switzerland, says: “Segments of business which are directly client related, such as wealth management/private banking and retail banking, are more impacted by the regulation than other segments.
“As a rule of thumb, wealth management with its high level of individualised services and client interaction will be most affected by the GDPR.”
GDPR matters to the wealth management industry because any non-compliance will result in hefty fines. Smaller breaches can lead to a fine of €10M ($11.9m) or 2% of annual company turnover; more drastic breaches can lead to a fine of €20M or 4% of annual turnover.
Unprepared
Dobrauz adds: “What we by and large see in the market is that a significant number of players are significantly behind the recommended time plan for GDPR implementation.
“The main reasons for this are that, firstly, they were all, and some indeed still are, quite busy with MiFID II, and GDPR often got overlooked as a consequence; and secondly, GDPR, its impact and complexity in most instances were underestimated.”
“In terms of GDPR, there hasn’t really been any noise made,” a senior London-based private banker tells PBI on condition of anonymity due to the sensitivity of the topic.
GDPR will replace the previous 1995 data protection directive in Europe and in the UK it will replace the current Data Protection Act.
“At least within our private bank, we have not discussed [GDPR] with private bankers as of yet,” the banker says.
While GDPR impacts virtually every business, industries that revolve around client relationships could be more severely impacted, given the scale of information they hold about people.
Under GDPR, a consumer or client can request that a company reveal any information held about them, and the company has a maximum of 30 days to do so once requested.
Any data breach must be reported to the impacted clients and to the country’s data protection regulator within 72 hours of the firm becoming aware of the event.
Geneva Management Group’s CEO, Dave Elzas, says: “I don’t think we are completely prepared.
“We might have to make some changes internally. Either internally the way we store information, encrypted information or going further how we outsource some of the electronic communications that we use through third parties.
Third-Party Data
“This currently falls under the responsibility of [our operations and compliance team]. We will have a look at this and we might decide to appoint an individual just for this function going forward.”
“As you can imagine GDPR is going to involve a whole range of disciplines. Not only legal, it is not only compliance but also IT and operations. It involves a number of executives at different levels. So we have to reassess where we are going to put that responsibility going forward.”
Dobrauz says: “Many private banks cooperate with a significant number of third parties to deliver, market and enrich their services which more often than not requires the sharing of information in scope of GDPR and hence such models may be significantly impacted by the new regulation and should be timely evaluated.”
Elzas also reinforces this point: private banks often involve third-party providers, and this will be impacted by GDPR.
He says: “I think the biggest difficulty [for smaller firms] is not so much the way [they] deal directly with information of clients but with [third-party data].
“For example marketing software that certain individuals might have downloaded and used personally for management of their client appointments outside of the corporate environment.
“It is on us to make sure that the data that we manage, and that we outsource is all compliant.”
GDPR requires companies with more than 250 employees to document why clients’ information is being collected and processed.
Moreover, companies that have “regular and systematic monitoring of individuals” may need to appoint a data protection officer (DPO).
Elzas says his firm has still not decided whether to appoint a DPO and is still in the process of reviewing its options.
Consolidation
Most of those providers polled by PBI say that GDPR could exacerbate consolidation in the wealth management industry.
Elzas says: “This [GDPR] is just one more push to consolidation in the industry where smaller participants will find it too expensive, too complicated to remain compliant and they may have to amalgamate so that businesses may have to quit their activities.”
He says a key reason smaller wealth managers have been successful in managing clients’ wealth is “because they have been able to manage the information they have at hand quite closely”.
But the more onerous requirements mean they might find it more difficult to manage information closely and may have to expand their compliance department, something that mid to larger sized wealth managers have typically already done.
Elzas says firms that find the cost of compliance too high may prefer to wind down operations or be acquired by competitors.
Neil Moles, managing director of UK-based Progeny group, which specialises in legal and wealth management services for private clients, says: “It is assumed that the financial services industry is better prepared than other sectors for GDPR.”
But he warns: “It won’t be an easy transition for the behemoths of wealth management. Years of consolidation have led to these firms inheriting a mishmash of outdated back office systems likely to creak worse under the rigour of GDPR.”
He argues while wealth managers have been involved in rapid consolidation over years, they have done little to merge the IT systems of the firms they are acquiring.
“GDPR should help this,” as all data systems will have to be renewed, he says.
The private banker says: “We are already seeing consolidation in the market. A lot of the fund houses that can’t even comply with MIFID II are stopping. So I think it will be the same [for smaller wealth managers and boutique investment managers due to GDPR].”
Dobrauz warns: “Smaller operations which do not have an experienced transformation team and deep pockets will struggle and further upwards consolidation will have to be expected.”
He adds: “[But] we also expect to see the emergence of platform solutions which boutiques and smaller houses may be able to use and thus lower cost and complexity, but these usually only emerge with a delay.”
Opportunities
Elzas says GDPR will also be another incentive for private bankers and asset managers to move towards platform based solutions.
In the case of Geneva Management Group, in October 2017 it launched a platform called Investment Management Solutions based in Switzerland as an alternative to traditional private banking and to provide respite from regulatory strain.
The platform provides all the infrastructure, compliance and regulatory requirements, facilitating a smooth client onboarding process.
Smaller asset managers and wealth managers may find it difficult to comply with recent and forthcoming regulations such as FIDLEG and GDPR, hitting their profitability, Elzas warns.
The Financial Services Act, known as FIDLEG, is the Swiss equivalent of MIFID II; it was due to come into effect in 2017 but has now been delayed to 2019 at the earliest.
Investment Management Solutions aims to solve the issue “of compliance, by providing the entire regulatory framework needed, and halving the profits earned with the bankers”.
Dobrauz adds: “A key side effect of GDPR implementation is that structuring data effectively will open up new opportunities for further industrialisation and digitalisation efforts.
“Finally, the reputation for security and integrity of established banks will remain a competitive advantage difficult to match by the new competitors from the fintech industry.
“Going forward, those banks and wealth managers will in the long term substantially benefit from the GDPR as they reap the benefits of industrialisation and digitalisation in the banking industry and match them with their already strong reputation for security and integrity.”
Compliance
The question then is, will all firms manage to be compliant in time for GDPR to avoid exorbitant fines?
Elzas thinks bigger firms that may not be able to comply by the deadline may be temporarily willing to pay fines in order to buy themselves more time.
“They might take a different view and say the cost of organising is such that we will take a risk for a limited period of time and gradually try to improve our processes so that [we] will be compliant by later date.
“In the meantime we will run with the drift [may be what those firms may think].”
But the London private banker takes a different view. “Big banks have of course much deeper pockets and they will make sure that every bit is compliant. And the work has already started in the background in terms of the budget that has been allocated.
“Whether it is small or big, it is the reputational damage that it does to the firm. Just because it is a small €10M fine, big banks won’t shrug it off. It is a reputational damage…I don’t think the amount matters.”
Dobrauz also highlights that at present GDPR compliance is only handled in legal teams, as opposed to being a cross-functional initiative.
“This is problematic due to the high impact of operations and the management of data processing as a daily business. Implementation of GDPR needs to be a joint initiative from all lines of service and all functions,” he warns.
The first step for wealth managers should be to take a breather from MIFID II and actually understand the implications of the GDPR.
Then firms can decide whether to increase headcount and how to share the burden among all lines of business.
Love it or loathe it, GDPR will come into effect, and it presents private banks and wealth managers with the opportunity to optimise their data processes, win greater trust from their clients and give traditional private banking a chance to regain market share lost to new fintechs.
For those that invest properly in preparing for GDPR, there will certainly be more benefits than pain. But the industry needs to make GDPR a priority. Better late than never.