Firms that are falsely using GDPR as a ‘scapegoat’ for non-compliance with Consumer Duty are risking severe action from the regulator, MorganAsh warns.
The support services provider and customer vulnerability specialist has seen some firms using the data protection laws as a reason to not comply with Consumer Duty. Anecdotal evidence suggests that some firms are avoiding collecting and storing customer vulnerability data to avoid a perceived conflict with GDPR. They argue that the fines and sanctions from the FCA will be far less than those from the ICO.
Andrew Gething, managing director of MorganAsh, argues that this approach puts firms at risk of serious penalties and sanctions - particularly with the FCA’s clear focus on improving outcomes for vulnerable customers. This has been reaffirmed by the regulator in its document “Our Consumer Duty focus areas” on 9th December.
It is noted that the ICO and FCA have already recognised this potential conflict, and provided advice back in 2015 with their consultation paper “Occasional Paper 8”.
Similarly, the ICO itself - with the FCA - recently issued a statement to say that Consumer Duty does not require firms to act in a way that is ‘incompatible’ with any regulatory requirements, including data protection law.
Consumer Duty requires firms to monitor consumer vulnerability over the life-time of the product - and use this data to compare to outcome data, as well as mitigating any potential harms. GDPR requires firms to keep the data accurately and securely, to be able to produce it and delete it if the consumer requests this.
With such challenges, MorganAsh argues that firms need dedicated IT systems to store this data. Firms have the option to develop these themselves or purchase the new VulnerabilityTech that is now available. With some firms still to grasp the necessary data and systems required, some may be choosing instead not to comply.
The warning comes as the FCA continues its review of how firms approach customer vulnerability, with the results set to be published in early 2025. Recently, the FCA has announced hefty multi-million-pound fines for both VW Financial Services and TSB for vulnerability failings, while also shining the spotlight on firms which are yet to demonstrate the change the FCA wants to see. Furthermore, the FCA recently published its review of Consumer Duty board reports, highlighting a lack of sufficient quality data among firms or focus on vulnerable customers.
Andrew Gething, managing director of MorganAsh, said: “We are seeing a worrying trend where some firms use GDPR as a scapegoat for not complying with Consumer Duty. While firms are right to consider data protection laws, the response should not be to forgo such an important requirement of Consumer Duty. This is especially true as the regulator continues to prioritise customer vulnerability and take significant action where it finds serious failings.
“As the ICO has reaffirmed recently - and current vulnerability tech continues to demonstrate - a complementary approach is absolutely possible. We can ensure data rules are respected and followed, while information can be gathered and stored legitimately to demonstrate that poor outcomes are minimal or indeed reducing. Where firms are likely to fall down is when they plan to repackage existing data or they lack the systems or processes to not just gather robust data, but to hold it securely.
“Rather than burying their heads in the sand or choosing one regulation over the other to follow, firms of all sizes absolutely need to act and ensure their customer vulnerability implementation is compliant. Whether it’s Consumer Duty or GDPR, good quality data is fundamental to good governance, and in our view, technology plays an important role in overcoming any supposed conflict, while meeting the requirements in an efficient and cost-effective way.”
MorganAsh launched its award-winning MARS platform to help firms understand and monitor vulnerable customers and deliver good outcomes - as required by Consumer Duty. It is in use across financial services and the utilities sector, enabling businesses to adopt a consistent approach to identifying vulnerable characteristics and generate an objective Resilience Rating - much like a credit score.
Not only can this objective measure be shared across the value chain, it provides a top-level indication of a customer’s vulnerability without sharing extensive personal data - answering concerns some have about data protection.