financial adviser talking to a couple

Restrictions imposed by GDPR is making it difficult for banks to provide advisory services. Source: Shutterstock

GDPR made it impossible for banks to provide advisory services

PRIVATE banks are concerned that Europe’s General Data Protection Regulation (GDPR) will prevent them from gathering data for marketing purposes.

The new law implemented in May required private banks to review data usage policies with third parties. Additionally, clients now have the right to withdraw consent towards data being used for marketing, at any time.

GDPR has forced banks to reconsider the data they collect and how it’s being used. At the same time, the regulation has made it difficult, if not impossible, for banks to provide some of the regular services.

Previously, private banks relied on client information to deliver advisory services and product recommendations. Since the implementation of the GDPR, data ownership is no longer with the bank who does the data collection, but rather with the clients themselves.

This means clients have a right to opt out of any services that will need to use their data. In the case of banks, however, this affects their capability to provide advisory services as well.

In the UK, for example, as long as a client has agreed that their personal data can be used by an authorized third-party service provider (TSP), banks no longer have any power over the data.

Banks can only ensure the TSP is authorized by the appropriate authorities or regulators. Depending on jurisdictions, regulations on authorizing TSPs can vary in strictness.

Having said that, if things went wrong, banks are still obliged to make compensations as they likely have the most comprehensive compensation strategy.

Beyond the EU, governments across Asia are also re-evaluating their local regulations relating to data.

In Hong Kong, the Privacy Commissioner for Personal Data is drawing inspiration from GDPR to amend regulations in its current Personal Data (Privacy) Ordinance. This includes rules on regulating data used in analytics.

Similarly, the Singaporean Personal Data Protection Commission (PDPC) released a discussion paper on AI and personal data earlier this year. It looks to encourage ‘data protection by design’ across various industries, starting from the earliest possible design stage.

This approach ensures that measures to protect personal data is embedded in every step of the service delivery process.

In a report by Asian Private Banker, Mark Parsons, Partner at Hogan Lovells in Hong Kong commented, “Overall, there is a case that Singaporean regulation is more strategic and aligned on digital policy when compared to Hong Kong, particularly given that there is only one financial regulator and this regulator has a strategic mandate to promote fintech development.”

Although, Parsons added that Hong Kong regulators are making significant progress in other areas of fintech development.

In addition to fintech developments, Singapore is also noted to be working towards an “European-style” regulation on payments. The framework will be based on the Payment Services Directive (PSD) that was recently refreshed by European regulators, which aimed to encourage competition among banks.

Under the PSD, banks are required to aggregate data in a standard format for third parties. This will help remove the issues of transferring client information should they wish to switch banks.