Contact Chris or subscribe to updates for free - here

The GDPR changes headed towards us

Late last year I attended an event in London on compliance and control within the Collections and Recoveries area.

The question was asked, “By show of hands, how many of you have heard of or are preparing for the implementation of GDPR?”; about three hands went up.

It was quite a shocking sight, both given the audience and the level of potential fines that could be applied. Clearly greater awareness was needed.

Since then, visibility for GDPR has increased.  With the legislation proposed this month by the UK government, there has even been greater interest and coverage within the media – a positive development.

However, data is the lifeblood of the Collections and Recoveries industry. With such potential for significant impact, GDPR is a topic that we need to be fully aware of –  understanding and safeguarding against the potential impacts on business.

GDPR origins and meaning

GDPR is the General Data Protection Regulation. It is EU legislation, due for implementation in May 2018.

This legislation is an enhancement to existing data protection legislation (e.g. UK DPA 1998). The intention is to bring the rules up to date for the modern environment (e.g. cloud computing, data processing, social media, ‘big’ data). It is applicable to any company that exchanges or holds data with someone within an EU member state.

This is applicable in the UK, which will still be an EU member in May 2018. However, the UK is introducing legislation, so it will also be embedded in UK law too.

Either way, if you are in the UK, this applies to you.

The GDPR key requirements

The legislation builds upon many existing requirements, strengthening where required. A useful summary of changes under GDPR has been provided, summarised below.

  • Consent: Consent needs to be clear and accessible, being as easy to withdraw as to give.
  • Data breaches: Breaches of data need to be notified to the regulator within a 72-hour window and to customers ‘without any undue delay’ once discovered.
  • Right to Access: Customers will have the right to access a copy of their personal data, free of charge.
  • Right to be Forgotten: Customers also have the right to be forgotten and have their data erased, where the data is no longer relevant or the customer withdraws consent (this is with some constraints around legitimate interest).
  • Data Portability: Data can be received in a format that can be sent elsewhere.
  • Privacy by Design: Privacy needs to be included within the system design, not an add-on.

Penalties for non-compliance

Under GDPR, organisations in breach of regulations can be fined up to 4% of annual global turnover or €20 Million (~£17m), whichever is greater. The fines are tiered depending on the specific details of non-compliance, however still significant vs the previous regime which had a limit of only £500,000.

Getting your organisation ready

The ICO has already released a good paper on steps organisations need to take in order to be prepared. They are as follows:

  1. Awareness: Ensure there is awareness of GDPR across your organisation.
  2. Documentation: Document the information you hold on customers.
  3. Review of current privacy notices: Ensure they are compliant.
  4. Individuals’ rights: Review of processes to ensure rights, such as provision or deletion of personal data, can be covered.
  5. Access requests: Ensure suitable processes are in place to handle access requests within the timescales (30 days).
  6. Lawful basis: Ensure lawful basis for processing personal data.
  7. Consent: Review processes for seeking, recording and managing consent per the new regulations.
  8. Children: Ensure there is ability to record and identify a customer’s age (if children).
  9. Data breaches: Ensure procedures are in place in advance, for action, should a data breach occur.
  10. Data protection: Needs to be included by design.
  11. Data protection officers: Appoint a data protection officer.
  12. International: Understand the implications if you work in more than one EU member state.

Impacts for Collections and Recoveries

Over the last ~20 years, data has increasingly become the lifeblood of Collections and Recoveries.  We have become more and more reliant on digital, electronic interaction, and the data trail it leaves, to inform and guide our processes.  It has driven efficiency, increased the accessibility of credit, brought down costs and enhanced interactions with the customer.

In part GDPR places some limits and controls around these processes.  It has the objective of providing a higher degree of consumer protection, which is undoubtedly positive for the customer base.

However, with the current reliance on data, it is not without potential for impact.

Losing data or consent

The big fear for the collections industry is that, either through withdrawal of consent or by request of erasure, there could be a reduction in level of information and data available.

This data is currently used on a daily basis to inform actions, efficiently tailor solutions for customers and trace those that have moved.

Loss of this data would have impacts to the cost of credit, increasing operating expense and the impairment charge.

Obviously, with such potential for impact, this generated some discussion during the consultation period (particularly for credit reference agencies).  As a result, there are some safeguards to allow this information to be processed under the legitimate interest wording.

Similarly, the view is that customer account details will still be able to be passed to third parties e.g. DCAs, as this is in the legitimate interest and on balance a reasonable course of action.

However, the company will still have the requirement to inform the customer of the legal and legitimate interest pursued.

Customer profiling limits, increasing transparency

Additionally, within the data science industry (the good folks that build our risk scoring models) there are a couple of further impacts.

GDPR will place some limits around customer profiling, ensuring greater transparency on automated model decisions. The customer will need to be aware of and understand the consequences of such profiling.

There are also provisions to provide the right to an explanation of any automated decision (e.g. why a credit application was declined) and safeguards for bias/discrimination.

In short, we could see changes to the volume and level of detail of data available for Collections and Recoveries processes.  This is something we need to monitor for.

Action for now

The exact size, speed and extent of these impacts are still to be determined; however, what is certain is that changes are underway that will impact us all.

It is going to be critical to have the infrastructure to monitor and prepare for any changes in data quality within the collections and recoveries process.

Additionally, consent and transparency need to be included within our processes, linking into any wider organisation process for data breaches and changes.  This is a ‘must ask’ question for any new system implementation or pending change.  It will be important to have infrastructure ready and in place.

Lastly if your organisation does not have a data protection officer and/or you have not heard about GDPR at work, you need to raise this now and take advice.

These changes are coming down the road for us all, at speed, and are something we cannot avoid.  With scope for such large fines, complacency is somewhat dangerous with such short time frames.

Be ready, be informed and be prepared.

Also published at

Posted in Blog | Tagged , , | Leave a comment

Are you responsible? The widening of the regulatory net and treating customers fairly

butterfly-757960_1920The other week the FCA have formally launched their consultation paper on extending the Senior Manager & Certification Regime (SM&CR) to all firms they regulate.  Up to now, this has only applied to the banking sector.

From summer 2018, this is expected to apply to all FCA authorised firms.

The Purpose

The Senior Manager & Certification Regime is an evolution of the previous Approved Persons process and includes expectations and specific conduct rules. It has been live in the banking sector since March 2016.

This regulation has had the aim of ensuring a high degree of accountability for those in positions of influence, ensuring on an annual basis they are certified and fit to hold those roles.

Impact on all of us

Yet this is not just applicable to those in a Senior Management Function.  It also includes a catch-all for all other staff in non-standard functions.   This includes all the management, wider team and staff as well (with the exception of administrative staff); all employees of the authorised person.

FCA aims:

  • Encourage a culture of staff at all levels taking personal responsibility for their actions.
  • Make sure firms and staff clearly understand and can demonstrate where responsibility lies.

The changes mean there will now be a much wider group of financial services firms requiring compliance and adherence to the FCA Code of Conduct.  We are all impacted. Obviously the businesses moving to the new regime will be, but even those currently covered will have to deal with changes to be introduced as the coverage increases to all FSMA authorised firms.

Code of Conduct Rules

Under the regime, there are some specific standards of behaviour that apply to everyone, with some additional conduct rules for those in a Senior Manager function.


Individual conduct rules:

  1. You must act with integrity.
  2. You must act with due skill, care and diligence.
  3. You must be open and cooperative with the FCA, the PRA and other regulators.
  4. You must pay due regard to the interests of the customers and treat them fairly.
  5. You must observe proper standards of market conduct.

Senior manager rules:

  1. You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
  2. You must take responsible steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
  3. You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
  4. You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.

Certainly, within the collections and recoveries industry, there is already considerable focus on each of these items today – integrity, skill, care and in particular treating customers fairly.

In this sense, there is no change; we are still expected to operate at a high standard.

There is a key change, however, as all financial services firms are now to be regulated, monitored and backed by sanctions for non-compliance.  The bar to diligently do the right thing, every time, is being raised.

Treating customers fairly

In Collections and Recoveries, we are commonly on the frontline of these situations, often talking with customers in difficult circumstances, trying to help and provide solutions. Treating customers fairly is at the forefront of our thinking and the code provides some examples of what could be considered a breach of standard.  For example:

  • Failing to inform a customer of material information in circumstances where they were aware or ought to be aware of such information, including:
    • Failing to disclose to a customer details of charges or penalties (esp. Investments)
    • Providing inaccurate or inadequate information to a customer about a product or service
    • Failing to process a client’s payment in a timely manner
    • Failing to acknowledge, or seek to resolve, mistakes in dealing with customers.


There are also prescriptive measures to monitor and assess situations of non-compliance.

  • Reviewing the individual circumstances of the case, considering the function where the person works and if there was personal culpability
  • Was the failure against the code of conduct deliberate, or below that deemed reasonable in all circumstances?

The Collections Perspective

Those of us in the collections and recoveries function are already at the sharp end of treating customers fairly and the industry has made great progress solidifying  our approach.  It is in many ways already ahead and embedding the culture needed.

However, this new legislation further widens the regulatory net, heightening the attention and focus on compliance.  It is expected to result in increased disciplinary action for those who do not comply.

All of a sudden all of the good work that has been done becomes more real, with very real-world consequences for non-compliance.   It is critical everyone in our teams is aware of the rules, and continues the good work started.

In some way though, this is also an opportunity.   Rather than generating fear from non-compliance, everyone in financial services with a good customer approach now has the regulator more clearly on side.

Doing the right thing, which is what most of us want to do already, has strong regulatory backing, hopefully opening the door to more positive changes for the Collections and Recoveries process.

Previously published at


Posted in Blog | Tagged , , | Leave a comment

IFRS9… looming changes

paper-clips-2205135_1920There has been quite a bit written about IFRS9 recently. It seems as if the Collections and Recoveries world is waking up to the fact this is not just an accounting standard but will also impact our process. Implementation is suddenly seeming imminent.

For those who do not read international accounting standards for fun, IFRS9 is a pending change to how impairment for loss is calculated. We are ticking down to implementation in January 2018.

So what is changing?

Under the previous accounting standard (IAS39), recognition for credit losses was delayed until there was evidence of impairment. Additionally this was calculated only on past events and considered only current conditions.

Broadly, under the new standard, credit losses will need to be recognized at each stage of the customer lifecycle, even if no credit loss events have actually taken place. Market conditions will also now need to be taken into account. The portfolio will be split into two stages for the reserve calculation.

  1. No significant increase in credit risk since inception – Impaired at 12 month expected credit loss
  2. Significant increase in credit risk (a risk event) – Impaired at lifetime expected credit loss

This is all designed to enable the financial accounts to better reflect the inherent future inherent losses for customers on the book today. In some ways, this really does make a lot of sense as it should be more accurate.

But what does this mean?

Broadly speaking this means that losses will be recognised and more greatly provided for, much earlier in the collections cycle. There will be a greater cost of holding customers deemed to be higher risk. For these customers, there will be a significant step increase in provision (even at 30days past due).

As a result, generally the guidance being given is ‘contact earlier’, ‘more intensively’, to prevent customers moving to lifetime credit losses at this higher rate.

And, this makes sense. Contacting earlier, including pre-arrears, will undoubtedly prevent some forgetful customers falling 2 months in arrears and being deemed having increased in risk.

But this is not the entire story. Although 30dpd is being used as a general criteria, any external indicator can be used to indicate increased risk, Credit Reference Agency data, debt load, flagging of financial difficulties. The exact criteria organisations will use to determine an increase in risk (or indeed return to low risk) will require some judgement.

As collections and recoveries professionals, close to the portfolio on a day to day basis, it is one we will need to be involved in. For example, flagging a customer who has affordability issues may now result in a greater hit to the P&L. All of these dynamics need to be understood, it will be an interesting conversation.

Previously published at

Posted in Blog | Tagged , | Leave a comment