Addressing GDPR concerns when storing data on vulnerable customers is critical to establishing trust

At first glance, financial services firms face a dichotomy when striving to meet the FCA’s requirements on Consumer Duty and treating vulnerable customers fairly. On the one hand, there is a need to acquire, store and manage sensitive data on health and circumstance. On the other hand, there is also a need to meet GDPR’s requirements on managing sensitive personal data.

One of the challenges faced by financial services firms is meeting their duty in terms of the FCA’s requirements on Consumer Duty, whilst also storing and managing sensitive, personal, vulnerability data in accordance with GDPR.

The FCA’s guidance on vulnerability, FG 21/1 (issued in February 2021), requires any regulated firm to understand the personal circumstances of its clients; this includes health and lifestyle information, which is not generally obtained or stored by financial services firms. Many firms avoid storing such information, because this is ‘sensitive information’ as defined under GDPR. Where medical data is collected, it is typically input into, and stored on, the providers’ systems – and not held by advisers.

The more recent Consumer Duty guidance, FG 22/5 – whilst not insisting on personal data being acquired on everyone – does require consumer characteristics on:

  • Any consumer who volunteers to divulge their characteristics/vulnerabilities

  • All vulnerable customers (approx. 50% of the population, according to the FCA’s Financial Lives survey)

  • All customers who later experience harm or a bad outcome

Firms must also report, at a high level, the proportions of consumers with protected characteristics, and report on characteristics within their actual and target markets. For the majority of firms, the most economical way to collate this data will be to assess and collect it for all customers.

Understanding and defining the level at which data should be stored, for all medical conditions and lifestyle issues, is a major piece of work – and then communicating this, and policing it across organisations, a massive challenge. As most staff have been trained on GDPR and are fearful of collecting such data, the default situation is to not store it.

One of the key tenets of GDPR is that data should be stored and used only by those people who need to know it. This is the challenge: firms need to understand and communicate an individual’s vulnerability across the organisation, but clearly it is not sensible to have such personal and sensitive information available to everyone within an organisation (or, in some cases, across organisations). It can’t be Schrödinger’s data: at the same time, both private and available.

For us at MorganAsh, this was a key consideration when building MARS, the MorganAsh Resilience System – a cloud-based tool designed to help financial services organisations manage vulnerable consumers. After all, the data would need to be both secure and accessible – data isn’t valuable if it remains locked away, and it’s at risk when it isn’t.

In MARS, this is overcome in two ways. The first is that we don’t present the data itself under all circumstances. We convert the data into an overall representation of vulnerability – and that summary is the level of detail most users see. This doesn’t just obfuscate the personal data out of necessity; it converts it into something more useful, something more readily understood.

We call this a ‘Resilience Rating’. The Resilience Rating consists of a superficially simple range of 1–10 – with 1 being ‘very vulnerable’ and 10 being ‘very resilient’. Like a credit score, this high-level rating can be used safely and openly across an organisation, to provide a quick and simple measure of vulnerability. We use the term ‘resilience’ rather than vulnerability, because it is a more positive term for consumers. Those people who don’t need to see the personal detail simply don’t have access to it, but they can have a ready understanding of a consumer’s vulnerability.

Secondly, MARS has multiple access layers – every person who logs onto MARS does so at a defined, specific access level. Simplistically, this has two dimensions: the level of detail they can access, and the scope of data they can access. Level of detail means how much of a consumer’s vulnerability characteristics they can see; scope of data means which consumers they can see at all. For example, an agent taking inbound calls may need a scope which covers the whole company, so they can see all customers – but they can only see the high-level resilience rating, without knowing the reasons for it or seeing any of the data on which it is based. Another example would be an adviser, who should be able to see the detail behind all of a consumer’s characteristics – for example, that they have a gambling addiction – but the adviser will only be able to see this detail for their own clients.

Since the resilience rating is not a piece of identifying information, it can be available to the whole company. The information that is used to get to that rating is only known by the adviser.
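The two-dimensional access model described above (detail level crossed with scope), as an added illustration that is not MorganAsh or MARS code; the user names, consumer IDs, ratings and characteristics are constructed, and the derivation of the rating itself is out of scope here.

```python
"""Model of a two-dimensional access layer: detail level x scope.
Added illustration, not MARS code; all names and values are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Detail(Enum):
    RATING_ONLY = "rating_only"   # e.g. an inbound-call agent
    FULL = "full"                 # e.g. an adviser


class Scope(Enum):
    WHOLE_COMPANY = "whole_company"
    OWN_CLIENTS = "own_clients"


@dataclass(frozen=True)
class Consumer:
    consumer_id: str
    adviser_id: str                   # adviser responsible for this consumer
    resilience_rating: int            # 1 = very vulnerable ... 10 = very resilient
    characteristics: tuple            # special-category data (constructed samples)

    def __post_init__(self):
        if not 1 <= self.resilience_rating <= 10:
            raise ValueError("resilience rating must be in 1..10")


@dataclass(frozen=True)
class User:
    user_id: str
    detail: Detail
    scope: Scope


def in_scope(user: User, consumer: Consumer) -> bool:
    """Scope decides WHICH consumers a user may see at all."""
    if user.scope is Scope.WHOLE_COMPANY:
        return True
    return consumer.adviser_id == user.user_id


def view(user: User, consumer: Consumer) -> Optional[dict]:
    """Return only the projection the user is entitled to, or None if out of scope.
    The raw record never leaves this function; at the lowest detail level the
    rating is the only thing released, and it carries no identifying detail."""
    if not in_scope(user, consumer):
        return None
    projection = {"consumer_id": consumer.consumer_id,
                  "resilience_rating": consumer.resilience_rating}
    if user.detail is Detail.FULL:
        projection["characteristics"] = list(consumer.characteristics)
    return projection


# Constructed sample data: two consumers, one agent and one adviser.
CONSUMERS = {
    "C-1001": Consumer("C-1001", "adv-jane", 3, ("gambling addiction",)),
    "C-1002": Consumer("C-1002", "adv-omar", 8, ()),
}
AGENT = User("agent-sam", Detail.RATING_ONLY, Scope.WHOLE_COMPANY)
ADVISER = User("adv-jane", Detail.FULL, Scope.OWN_CLIENTS)
```

Run with `view(AGENT, CONSUMERS["C-1001"])` and `view(ADVISER, CONSUMERS["C-1002"])` to see the agent get the rating only and the adviser be denied a colleague’s client.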

In this way, MARS meets both the FCA’s and GDPR’s requirements, enabling detailed personal information to be stored securely, with the appropriate information only being accessed by the appropriate people at the appropriate time.

We’ve also envisaged that there will be a need for firms to share data. Again, this needs to be done with permission – ‘explicit consent’ under GDPR – but if it’s shared from an independent, secure system, then the risk to the consumer is in many ways less than if that consumer provides either the same data, or different types of data, to lots of different organisations. The more places that data exists, the more at risk it is. At a human level, being asked to provide the same data time and time again can, in itself, be stressful for someone who is already vulnerable. It is ultimately a consumer benefit which helps to ensure that the consumer doesn’t come to foreseeable harm.

As an aside, data security should be a given for any system which stores this kind of information. MorganAsh is an ISO 27001-certified company – this is an international standard for managing information security. MorganAsh is also a Cyber Essentials Plus-certified company – this is the highest level of certification offered under the Cyber Essentials scheme.

All of these things help to build trust with the consumer, who may be reluctant to share personal information. And it’s not enough just to do these things – the consumer should be made aware of them, and why they are being done. The drive towards understanding and managing vulnerable consumers and increased data protection are both there to protect the consumer – and should be communicated as the benefits they are.

Firms can trial MARS, free of charge, for a month, without limitations. Pricing is straightforward: MorganAsh charges just for each adviser; administrators and paraplanners can access the system for free, and there is no limit to the number of consumers that can be added. Click here for free access to the MARS tool.

Andrew Gething

Andrew is the founder and managing director of MorganAsh. Andrew, a recognised consumer vulnerability specialist and champion, is the driving force behind the award-winning consumer vulnerability management tool, MARS – adopted in the financial services, credit and utilities sectors.
