The GDPR changes headed towards us

Late last year I attended an event in London on compliance and control within the Collections and Recoveries area.

The question was asked, “By show of hands, how many of you have heard of or are preparing for the implementation of GDPR?”; about three hands went up.

It was quite a shocking sight, both given the audience and the level of potential fines that could be applied. Clearly greater awareness was needed.

Since then, visibility for GDPR has increased. With the legislation proposed this month by the UK government, there has been even greater interest and coverage within the media, which is a positive development.

Data is the lifeblood of the Collections and Recoveries industry, so the potential impact on us is significant. GDPR is therefore a topic we need to be fully aware of, both understanding the changes and safeguarding the business against their effects.

GDPR origins and meaning

GDPR is the General Data Protection Regulation. It is EU legislation, applying from 25 May 2018.

This legislation is an enhancement of existing data protection legislation (e.g. the UK Data Protection Act 1998). The intention is to bring the rules up to date for the modern environment (e.g. cloud computing, large-scale data processing, social media, 'big' data). It applies to any organisation that holds or processes the personal data of individuals within an EU member state, wherever that organisation is based.

It therefore applies in the UK, which will still be an EU member in May 2018. The UK is also introducing its own legislation, so the same requirements will be embedded in UK law.

Either way, if you are in the UK, this applies to you.

The GDPR key requirements

The legislation builds upon many existing requirements, strengthening them where required. The key changes under GDPR are summarised below.

  • Consent: Consent needs to be clear and accessible, being as easy to withdraw as to give.
  • Data breaches: Breaches of personal data need to be notified to the regulator within 72 hours of discovery (unless the breach is unlikely to result in a risk to individuals) and to the affected customers 'without undue delay' where the breach is likely to result in a high risk to them.
  • Right to Access: Customers will have the right to access a copy of their personal data, free of charge.
  • Right to be Forgotten: Customers also have the right to be forgotten and have their data erased, where the data is no longer relevant or the customer withdraws consent (this is with some constraints around legitimate interest).
  • Data Portability: Customers can receive their data in a structured, commonly used, machine-readable format that can be transmitted to another provider.
  • Privacy by Design: Privacy needs to be included within the system design, not an add-on.

Penalties for non-compliance

Under GDPR, organisations in breach of the regulations can be fined up to 4% of annual global turnover or €20 million (~£17m), whichever is greater. The fines are tiered depending on the nature of the non-compliance (the lower tier is 2% of turnover or €10 million), but even the lower tier is significant compared with the previous UK regime, which had a maximum of £500,000.

Getting your organisation ready

The ICO has already released a good paper on steps organisations need to take in order to be prepared. They are as follows:

  1. Awareness: Ensure there is awareness of GDPR across your organisation.
  2. Documentation: Document the personal data you hold, where it came from and who you share it with.
  3. Review of current privacy notices: Ensure they are compliant.
  4. Individuals' rights: Review your processes to ensure individuals' rights, such as provision or deletion of personal data, can be met.
  5. Access requests: Ensure suitable processes are in place to handle subject access requests within the new timescale (one month, rather than the previous 40 days).
  6. Lawful basis: Identify and document the lawful basis for each type of processing of personal data.
  7. Consent: Review processes for seeking, recording and managing consent against the new requirements.
  8. Children: Ensure you can verify a customer's age and, where you offer services to children, obtain parental or guardian consent.
  9. Data breaches: Ensure procedures are in place in advance to detect, report and investigate a personal data breach.
  10. Data protection: Needs to be included by design, with privacy impact assessments where processing is high risk.
  11. Data protection officers: Designate someone to take responsibility for data protection compliance, and appoint a data protection officer where one is required.
  12. International: Understand the implications, including which supervisory authority leads, if you operate in more than one EU member state.

Impacts for Collections and Recoveries

Over the last ~20 years, data has increasingly become the lifeblood of Collections and Recoveries.  We have become more and more reliant on digital, electronic interaction, and the data trail it leaves, to inform and guide our processes.  It has driven efficiency, increased the accessibility of credit, brought down costs and enhanced interactions with the customer.

In part GDPR places some limits and controls around these processes.  It has the objective of providing a higher degree of consumer protection, which is undoubtedly positive for the customer base.

However, with the current reliance on data, it is not without potential for impact.

Losing data or consent

The big fear for the collections industry is that, either through withdrawal of consent or by requests for erasure, there could be a reduction in the level of information and data available.

This data is currently used on a daily basis to inform actions, efficiently tailor solutions for customers and trace those that have moved.

Loss of this data would increase the cost of credit, operating expense and the impairment charge.

Obviously, with such potential for impact, this generated some discussion during the consultation period (particularly for credit reference agencies).  As a result, there are some safeguards to allow this information to be processed under the legitimate interest wording.

Similarly, the view is that customer account details will still be able to be passed to third parties e.g. DCAs, as this is in the legitimate interest and on balance a reasonable course of action.

However, the company will still be required to inform the customer of the lawful basis relied on and the legitimate interest being pursued.

Customer profiling limits, increasing transparency

Additionally, within the data science industry (the good folks that build our risk scoring models) there are a couple of further impacts.

GDPR will place some limits around customer profiling, ensuring greater transparency on automated model decisions. The customer will need to be aware of and understand the consequences of such profiling.

There are also provisions giving the customer the right to an explanation of any significant automated decision (e.g. why a credit application was declined), and safeguards against bias and discrimination.

In short, we could see changes to the volume and level of detail of data available for Collections and Recoveries processes.  This is something we need to monitor for.

Action for now

The exact size, speed and extent of these impacts are still to be determined; however, what is certain is that changes are underway that will impact us all.

It is going to be critical to have the infrastructure to monitor and prepare for any changes in data quality within the collections and recoveries process.

Additionally, consent and transparency need to be included within our processes, linking into any wider organisation process for data breaches and changes.  This is a ‘must ask’ question for any new system implementation or pending change.  It will be important to have infrastructure ready and in place.

Lastly if your organisation does not have a data protection officer and/or you have not heard about GDPR at work, you need to raise this now and take advice.

These changes are coming down the road for us all, at speed, and are something we cannot avoid.  With scope for such large fines, complacency is somewhat dangerous with such short time frames.

Be ready, be informed and be prepared.

Also published at arum.co.uk


Trends influencing Credit and Collections

A recent Arum round table focused on wider trends in the credit and collections industry and in particular what this means for the future.

There were some interesting common themes, ones that continue to resonate today.

  • Regulation: Discussed at some length at the time, both in terms of requirements for increased control and in terms of upcoming changes such as the Senior Managers and Certification Regime, IFRS 9 and GDPR. This trend is clearly expected to continue, generating more changes (and more requirements to evidence controls).
  • The Economy: Having a direct impact on a wide portion of the sector, it continues to reinforce the drive for cost effectiveness and to change investment conditions. The jury is still out on whether we have yet seen the full impact of events such as the UK's exit from the EU. Either way, change in the operating environment is expected.
  • Customer Focus and Demographics: There have been some interesting data points around communication preferences by age within the customer base. It appears companies increasingly need to appeal to different groups with different needs and expectations, using different communication tools. This trend continues, and it will be interesting to watch the impact of upcoming changes, such as PSD2, on this sector. There is scope for significant disruptive technology here in the next 2 to 5 years.
  • Technology: Always a popular theme, technology is seen as a route to solving both the control and cost challenges while meeting customer expectations. Automation and the associated process re-engineering and streamlining remain key.

Lastly, at the time there was some lively debate about the 'unknowns' and the considerable uncertainty in the world. Sadly this has not changed. Any of these could generate a significant shock impacting customers, business economics and the industry.

2016 was an interesting year with 2017 no less so, so far. Getting and being prepared still seems the prudent course of action.


Are you responsible? The widening of the regulatory net and treating customers fairly

The other week the FCA formally launched its consultation paper on extending the Senior Managers & Certification Regime (SM&CR) to all firms it regulates. Up to now, this has only applied to the banking sector.

From summer 2018, this is expected to apply to all FCA authorised firms.

The Purpose

The Senior Manager & Certification Regime is an evolution of the previous Approved Persons process and includes expectations and specific conduct rules. It has been live in the banking sector since March 2016.

The regime aims to ensure a high degree of accountability for those in positions of influence, requiring that on an annual basis they are certified as fit and proper to hold those roles.

Impact on all of us

Yet this is not just applicable to those in a Senior Management Function. The regime also includes conduct rules that act as a catch-all for almost all other staff: management, the wider team and staff generally, with the exception of ancillary roles such as administrative staff. In effect, it covers all employees of the authorised firm.

FCA aims:

  • Encourage a culture of staff at all levels taking personal responsibility for their actions.
  • Make sure firms and staff clearly understand and can demonstrate where responsibility lies.

The changes mean there will now be a much wider group of financial services firms requiring compliance and adherence to the FCA Code of Conduct.  We are all impacted. Obviously the businesses moving to the new regime will be, but even those currently covered will have to deal with changes to be introduced as the coverage increases to all FSMA authorised firms.

Code of Conduct Rules

Under the regime, there are some specific standards of behaviour that apply to everyone, with some additional conduct rules for those in a Senior Manager function.


Individual conduct rules:

  1. You must act with integrity.
  2. You must act with due skill, care and diligence.
  3. You must be open and cooperative with the FCA, the PRA and other regulators.
  4. You must pay due regard to the interests of customers and treat them fairly.
  5. You must observe proper standards of market conduct.

Senior manager rules:

  1. You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
  2. You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
  3. You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
  4. You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.

Certainly, within the collections and recoveries industry, there is already considerable focus on each of these items today – integrity, skill, care and in particular treating customers fairly.

In this sense, there is no change; we are still expected to operate at a high standard.

There is a key change, however: all financial services firms will now be covered by the regime, monitored against it and subject to sanctions for non-compliance. The bar to diligently do the right thing, every time, is being raised.

Treating customers fairly

In Collections and Recoveries, we are commonly on the frontline of these situations, often talking with customers in difficult circumstances, trying to help and provide solutions. Treating customers fairly is at the forefront of our thinking and the code provides some examples of what could be considered a breach of standard.  For example:

  • Failing to inform a customer of material information in circumstances where they were aware or ought to be aware of such information, including:
    • Failing to disclose to a customer details of charges or penalties (esp. Investments)
    • Providing inaccurate or inadequate information to a customer about a product or service
    • Failing to process a client’s payment in a timely manner
    • Failing to acknowledge, or seek to resolve, mistakes in dealing with customers.

Non-compliance

There are also prescriptive measures to monitor and assess situations of non-compliance.

  • Reviewing the individual circumstances of the case, considering the function where the person works and if there was personal culpability
  • Was the failure against the code of conduct deliberate, or below that deemed reasonable in all circumstances?

The Collections Perspective

Those of us in the collections and recoveries function are already at the sharp end of treating customers fairly, and the industry has made great progress solidifying our approach. It is in many ways already ahead in embedding the culture needed.

However, this extension of the regime further widens the regulatory net, heightening the attention and focus on compliance. It is expected to result in increased disciplinary action for those who do not comply.

All of a sudden all of the good work that has been done becomes more real, with very real-world consequences for non-compliance.   It is critical everyone in our teams is aware of the rules, and continues the good work started.

In some way though, this is also an opportunity.   Rather than generating fear from non-compliance, everyone in financial services with a good customer approach now has the regulator more clearly on side.

Doing the right thing, which is what most of us want to do already, has strong regulatory backing, hopefully opening the door to more positive changes for the Collections and Recoveries process.

Previously published at arum.co.uk

