Firms using General Data Protection Regulation (GDPR) as an excuse for missing Consumer Duty obligations risk regulatory action, MorganAsh has warned.
The customer vulnerability specialist found some firms avoided collecting and storing customer vulnerability data, citing GDPR laws.
Anecdotal evidence suggested that some firms reasoned that any fine from the Financial Conduct Authority (FCA) for a Consumer Duty failing would be smaller than a fine from the Information Commissioner’s Office (ICO) for a data protection breach.
Andrew Gething, managing director at MorganAsh, said firms risked serious penalties for this approach, given the FCA’s focus on improving outcomes for vulnerable customers.
The ICO and FCA, in their 2015 consultation paper, acknowledged the potential conflict between GDPR and consumer vulnerability requirements.
Recently, they reiterated that Consumer Duty does not require firms to take actions that are incompatible with other regulation, such as data protection law.
Consumer Duty requires firms to monitor consumer vulnerability throughout a product’s life cycle and to use that data to mitigate potential harms.
GDPR requires firms to keep personal data accurate and secure, to hold it only for as long as there is a lawful basis to do so, and to delete it on request where no such basis remains.
MorganAsh suggested that dedicated IT systems should be used to manage vulnerability data, noting that many firms had yet to put such systems in place.
The FCA plans to publish a review of firms’ approaches to customer vulnerability by early 2025, following recent fines for VW Financial Services and TSB.
Gething said: “We are seeing a worrying trend where some firms use GDPR as a scapegoat for not complying with Consumer Duty.
“While firms are right to consider data protection laws, the response should not be to forgo such an important requirement of Consumer Duty.
“This is especially true as the regulator continues to prioritise customer vulnerability and take significant action where it finds serious failings.”
Gething added: “As the ICO has reaffirmed recently – and current vulnerability tech continues to demonstrate – a complementary approach is absolutely possible.
“We can ensure data rules are respected and followed, while information can be gathered and stored legitimately to demonstrate that poor outcomes are minimal or indeed reducing.
“Where firms are likely to fall down is when they plan to repackage existing data or they lack the systems or processes to not just gather robust data, but to hold it securely.”
He said: “Rather than burying their heads in the sand or choosing one regulation over the other to follow, firms of all sizes absolutely need to act and ensure their customer vulnerability implementation is compliant.
“Whether it’s Consumer Duty or GDPR, good quality data is fundamental to good governance, and in our view, technology plays an important role in overcoming any supposed conflict, while meeting the requirements in an efficient and cost-effective way.”