GDPR is set to introduce substantial financial penalties for banks that fail to meet the new rules on the management of personal data of EU residents. Under the new regulation, banks could see fines of up to €10m or 2% of global turnover, or up to €20m or 4% of global turnover (whichever is greater in each case), depending on the gravity of the offence.
Banks are particularly impacted by GDPR due to the vast volumes of data and documentation collected, held, stored, processed and used relating to private individuals, the majority of which are deemed to be confidential and sensitive in nature. For this reason, banks may find themselves in the immediate line of sight for regulators seeking to set the tone and an example with an early fine or two.
In terms of client offboarding, banks will need to put in place technical and organizational measures to allow them to respond to requests for erasure and right to be forgotten from data subjects in an adequate and timely fashion.
Data controllers and processors will need to keep internal records of the processing which they carry out – including name and contact details for processors, controllers and joint controllers. The regulation includes a derogation for organizations with fewer than 250 employees with regard to record-keeping.
To automate this process, systems should be capable of pulling raw data which in turn can be used to generate MI reporting. In a Client Lifecycle Management solution, any client data held will be easily traceable, providing a full audit history, MI reports, single client view and linked associations.
Should a client request access to records of personal data held and processed on them, banks need to be able to comply efficiently and quickly and provide the data in a usable, machine-readable format.
Banks are fast moving into a digitalized world offering digital contracts, digital signatures and contract lifecycle management processes. Even paper contracts are now digitized with OCR technologies.
Data needs to be tagged and indexed appropriately to ensure easy searching. Documentation should also be saved to the client’s record, as well as be available in a document management system. This will help the easy identification and location of personal information relating to data subjects.
Erasure & Right to be Forgotten
To comply with these obligations, banks will need to decide how they will handle these requests and deletions. In the event that the bank does not have a legal basis to retain the data, then banks will need to put a process in place to delete the data, potentially offboard the client and be able to demonstrate overall compliance to the regulator upon request.
If a data subject decides to withdraw consent, requesting erasure of their personal data, and there is not a legal basis for their details to be held, then the bank will need to offboard the individual’s details.
Client offboarding is defined as the proactive management and removal of redundant, obsolete or incorrect information held on clients, accounts and assets.
As a process, it is quite data and document intensive. Banks must ensure that every piece of relevant data and documentation pertaining to a data subject is identified across a raft of data repositories and erased.
The only way to manage this process efficiently is to automate it. Client Onboarding/Client Lifecycle Management solutions should have the capability to offboard clients and/or their data:
1. Assess Request
Once the request is received from a data subject, the bank must assess the request and determine whether it has a legal basis to hold onto the data. If not, then the bank must strive to identify all the repositories and systems that contain personal information on the data subject.
2. Determine the Impact of Offboarding on Reliant Parties
If it is decided to offboard the data, then it is important to check for any interdependencies on the data that may impact other clients, accounts, departments etc. For example, the data subject may be associated with a parent company, other companies or other accounts in different roles (e.g. as a guarantor). Once a full understanding of the data subject’s associations and activities is gained, the process to disassociate reliant parties (e.g. IM funds) can commence.
3. Offboarding the Data
To ensure full auditability of the process, the user must add in a reason why offboarding is taking place (e.g. request for erasure by data subject). The offboarding process should, as part of a best practice approach, be approved by a senior manager before being marked as complete.
4. De-activating from IT Systems
This step in the offboarding process involves ensuring that the information can no longer be used by the bank. Given the record keeping rules outlined in the 4MLD (as explored earlier), banks may not be permitted to erase all data. However, they may be able to perform a soft delete or mask the data, whilst holding records in a back-end repository with specific user access rights and entitlements. This should be accompanied by a notification that the data has been successfully offboarded or quarantined from all related systems.
5. Confirm Erasure of Data
The final step involves a confirmation to the data subject that the data has been effectively erased or quarantined from all internal systems in compliance with their request under GDPR.
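The five offboarding steps above can be modelled end to end in code. The following is an added illustration, not code from the original article or from any vendor's Client Lifecycle Management product. The in-memory client store, association graph, retention-hold list, field names and role names (such as `compliance_admin`) are constructed assumptions standing in for the repositories and entitlement system a real bank would query. It shows the legal-basis check, the reliant-party check that blocks offboarding until associations are cleared, the mandatory reason and senior approval, the soft delete that masks personal fields in live systems while quarantining the original in an entitlement-gated vault, and the audit trail that records each decision.

```python
"""Illustrative client offboarding workflow for GDPR erasure requests.

Added example, not the page's or any vendor's code. The store, association
graph, retention-hold list, field names and role names are constructed
assumptions standing in for a bank's real repositories and entitlements.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields treated as personal data and masked on soft delete (assumed list).
PERSONAL_FIELDS = ("name", "email", "address", "date_of_birth")
MASK = "[REDACTED]"


@dataclass
class OffboardingResult:
    status: str            # retained | blocked | pending_approval | quarantined
    detail: str
    dependencies: list = field(default_factory=list)


class ClientStore:
    def __init__(self, records, associations, retention_holds):
        self.records = records                  # client_id -> field dict
        self.associations = associations        # client_id -> [(other_id, role)]
        self.retention_holds = retention_holds  # client_id -> legal basis text
        self.vault = {}                         # restricted back-end copy
        self.vault_entitlements = {"compliance_admin"}  # assumed role name
        self.audit_log = []

    def _audit(self, client_id, event, actor):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "client": client_id, "event": event, "actor": actor})

    # Step 1: is there a legal basis (e.g. a retention rule) to keep the data?
    def assess(self, client_id):
        return self.retention_holds.get(client_id)

    # Step 2: which reliant parties still reference this data subject?
    def dependencies(self, client_id):
        return list(self.associations.get(client_id, []))

    def disassociate(self, client_id, other_id, actor):
        self.associations[client_id] = [
            d for d in self.associations.get(client_id, []) if d[0] != other_id]
        self._audit(client_id, f"disassociated from {other_id}", actor)

    # Steps 3-5: reason and approval, then soft delete, then confirmation.
    def offboard(self, client_id, reason, requested_by, approved_by=None):
        self._audit(client_id, f"erasure requested: {reason}", requested_by)
        basis = self.assess(client_id)
        if basis:
            self._audit(client_id, f"retained under legal basis: {basis}", "system")
            return OffboardingResult("retained", basis)
        deps = self.dependencies(client_id)
        if deps:
            return OffboardingResult(
                "blocked", "reliant parties must be disassociated first", deps)
        if not approved_by:
            return OffboardingResult(
                "pending_approval", "senior manager approval required")
        self.vault[client_id] = dict(self.records[client_id])  # quarantined copy
        live = self.records[client_id]
        for f in PERSONAL_FIELDS:
            if f in live:
                live[f] = MASK          # mask in live systems rather than hard-delete
        live["offboarded"] = True
        self._audit(client_id, f"soft-deleted; approved by {approved_by}", approved_by)
        return OffboardingResult(
            "quarantined",
            f"personal data for {client_id} masked in live systems and quarantined")

    # Vault reads are limited to entitled roles, and every attempt is audited.
    def read_vault(self, client_id, role):
        if role not in self.vault_entitlements:
            self._audit(client_id, f"vault access denied for role {role}", role)
            raise PermissionError(f"role {role} is not entitled to the vault")
        self._audit(client_id, "vault accessed", role)
        return self.vault[client_id]


def build_sample_store():
    """Constructed sample data; these are not real clients."""
    records = {
        "c1": {"name": "Ada Example", "email": "ada@example.test",
               "address": "1 Sample St", "date_of_birth": "1980-01-01",
               "account_no": "ACC-1001"},
        "c2": {"name": "Bob Example", "email": "bob@example.test",
               "address": "2 Sample St", "date_of_birth": "1975-05-05",
               "account_no": "ACC-1002"},
    }
    associations = {"c1": [("c2", "guarantor")]}   # c1 guarantees c2's account
    retention_holds = {"c2": "4MLD record-keeping period still running"}
    return ClientStore(records, associations, retention_holds)


if __name__ == "__main__":
    store = build_sample_store()
    reason = "request for erasure by data subject"
    print(store.offboard("c1", reason, "rm_jane"))               # blocked by guarantor link
    store.disassociate("c1", "c2", "rm_jane")
    print(store.offboard("c1", reason, "rm_jane"))               # pending approval
    print(store.offboard("c1", reason, "rm_jane", approved_by="mgr_bob"))
    print(store.records["c1"])                                   # masked live record
    print(store.offboard("c2", reason, "rm_jane", approved_by="mgr_bob"))  # retained
    for entry in store.audit_log:
        print(entry)
```

The design point is that the non-personal account identifier survives the soft delete so that downstream reconciliation keeps working, while every personal field is masked in the live record and the original is only reachable through an entitled role, with both the denial and the successful read appearing in the audit log that a regulator would ask for.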
6. Breach Response
To comply with this requirement within the specified timeframe, banks will need to revisit or enhance their end-user controls and internal reporting processes. Banks must report a breach “without undue delay and where feasible no later than 72 hours once a breach has been identified, except where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
In a Client Lifecycle Management process, banks may opt to include details of instances where a breach report has been raised to ensure full client record maintenance.
GDPR constitutes the biggest overhaul in EU data protection rules since its predecessor was introduced over two decades ago. At the very core of this new regulation is the recognition that the ownership of data resides with the individual, not with the data controllers/processors. This will certainly have a significant impact on Client Lifecycle Management activities, increasing the regulatory requirements related to client and counterparty data protection for banks. Banks now need to undertake a root-and-branch review of how they handle, process and govern the use of client data across their business lines, jurisdictions and organization. If you would like to learn more about best practice guidelines for achieving GDPR compliance, download our dedicated GDPR whitepaper.
Download our whitepaper on GDPR: A Game Changer for Managing Data & Regulatory Compliance
In this paper, we explore the 10 biggest challenges GDPR may pose with respect to the end-to-end Client Lifecycle Process, spanning compliance, onboarding, data management, client outreach and client offboarding. We also outline 8 ways in which banks can implement best practice guidelines when striving to implement for and achieve compliance with GDPR.