Compliance
Working From Home: Privacy Nightmare And Hacker’s Dream – Part 1

An institution may have immaculate technical and organisational measures in place under normal conditions, but we are in uncharted waters with so many wealth management staff working from home. This article looks at what this means for data protection.
Wendy Spires, our head of research and a Certified GDPR
Practitioner, takes a keen interest in all things related to data
privacy in wealth management. This is Part 1 of a three-part
feature examining the dangers facing the sector in its new working
from home paradigm, and why compliance standards cannot be allowed
to slip.
Amid all the gloom, the wealth management industry must certainly
be thankful for the fact that the coronavirus pandemic has hit at
a fairly well-advanced stage in its digitisation, and that it is
at least possible for business to continue as vast numbers of
people are confined to quarters all over the world. Health is of
course the overriding concern, but worries about wealth are never
far behind as markets gyrate and a global recession (or even
depression) looms.
Firms should be acutely aware that a lack of responsiveness
became a huge source of client dissatisfaction during the Global
Financial Crisis and will want to pull out all the stops to keep
clients informed and reassured. But the fact that they have to do
so while having been bounced into a new working from home
paradigm should also have under-prepared firms very worried once
they think through all the implications.
A reckoning to come
Standing only at “the end of the beginning” of this crisis, it
may seem perverse to be focusing on what may seem like niceties
such as compliance with the EU’s General Data Protection
Regulation (and the equivalents on national statute books). We
can be sure, however, that when the dust settles there will be a
reckoning for any malpractice or negligence that may have
occurred. And for those institutions whose houses were not fully
in order, the backlash could be harsh indeed.
Working from home en masse is certainly unprecedented, but the
fact remains that organisations across sectors have been allowing,
and often encouraging, remote working for some years now as mobile
devices and cloud-based software have taken off. Untethering
workforces so that activities like onboarding and portfolio
reviews can occur at any time, anywhere has greatly enhanced both
the client and advisor experience at tech-savvy firms. But this
also means careful thought should already have gone into
maintaining data privacy discipline beyond the confines of the
office terminal and its secured communication lines. Add business
continuity and disaster recovery planning into the mix (an office
building burning down, say) and the absence of solid policies and
practices for remote working starts to look even more negligent.
Financial regulators are relaxing certain strictures for the time
being (like MiFID’s 10 per cent portfolio depreciation letters).
However, the rules concerning the protection of client data may
provide little to no cover.
Key is the obligation to have “appropriate technical and
organisational measures” in place to protect personal data being
processed (“processing” encompasses collection, recording,
storage, transmission, consultation and so on, which is to say
handling of virtually any kind). Under Article 32, these security
measures must be appropriate to the risk the processing represents
to individuals’ rights and freedoms if data were destroyed, lost,
altered, disclosed or accessed improperly, and that obligation
does not change because the processing now happens at a kitchen
table rather than in the office. And make no mistake, data
processing for wealth management purposes can represent extremely
high potential for harm if what security practitioners call the
“CIA triad” of confidentiality, integrity and availability is
compromised (Article 32 itself refers to the “ongoing
confidentiality, integrity, availability and resilience” of
processing systems and services).
Under GDPR, Data Protection Impact Assessments must be carried
out prior to the commencement of any processing operations
representing high risks to data subjects’ rights and freedoms.
Yet best practice dictates that these should be iterative rather
than “once and done” exercises (likewise data processing
records). Today’s dramatic shift in working practices hammers
home this point.
Client data: great rewards, but also great risks
Seen from a privacy risk perspective, the holistic nature of good
wealth management advice is its Achilles heel. It hardly needs to
be said that the simple knowledge that a person is wealthy makes
their personal details a high-value asset on the black market, as
well as making them and their families a target for blackmail (or
even kidnap).
But what wealth managers need to know to give sound, and
compliant, advice is incredibly broad, potentially touching on the
most intimate details of family set-ups, personal beliefs and
individual histories, not to mention sensitive corporate
information.
Technology is enabling firms to gather and leverage ever more
information on their clients’ profiles, needs and preferences,
and from an incredibly broad range of sources including social
media and their behaviour online while using websites, apps and
portals. This is naturally done with the very laudable aims of
providing better advice and more personalised products, services
and communications. In fact, it is increasingly acknowledged that
client data are firms’ most precious asset and that leveraging
them well will be the differentiating factor of the future. Yet
wealth managers need always to be aware that they could be
straying into very dangerous territory indeed where certain data
(or potential combinations of data) are concerned.
It should never be forgotten that the final - and overarching -
Data Processing Principle prescribed by GDPR Article 5 is that of
accountability. Data controllers are responsible for, and must be
able to demonstrate compliance with, all the other Principles to
which they are bound (inter alia, data integrity and
confidentiality). And, although Data Protection Officers are
vital to overseeing compliance, they are emphatically not
personally liable for it. Data privacy is very much a board-level
issue, which is why the DPO is a specially protected, independent
role which reports to the highest level of management.
Article 9 processing
The rules are strict on any data deemed “personal”, but with
sensitive information they become very scary indeed. Records
noting that a client’s religious or philosophical beliefs preclude
certain investments, or that a client is considering a same-sex
marriage and so requires specialist cross-border wealth planning
advice, could easily fit the Article 9 definition of “special
category” data (religious or philosophical beliefs and sexual
orientation are both on the list), and so risk the highest tier
of fines for breaches under the GDPR (as much as €20 million or 4
per cent of total worldwide annual turnover, whichever is higher).
Even an advisor simply emailing a client who has unfortunately
contracted coronavirus to wish them well could fall into this
category too if that health data were leaked, since data
concerning health is itself special category data. Nor is
seemingly innocuous information like clients’ investment interests
free of dangers, as there have been reported cases of such
information being stolen and used as an aid to fraud.
Great potential for damage, and damages
Alongside regulatory censure, reputational risk is of course
always front of mind in the private client space. But so too
should be the judicial remedies data subjects (here, clients) can
seek under Article 79, and the compensation claims available to
them under Article 82. The GDPR, alongside the national
legislation and case law surrounding it, stresses that damage can
be “material or non-material”, i.e. encompassing distress as well
as pecuniary loss.
In the HNW space, theft and fraud are top risks. Yet the sheer
depth and breadth of what wealth managers must know about their
clients to advise them properly should ring many alarm bells
about how safe data is with advisors potentially working off
unsecured phone lines and Wi-Fi networks, and with unencrypted
devices.
An institution may have immaculate technical and organisational
measures in place under normal conditions, but we are in
uncharted waters here. And, the alarming truth is that even with
the very best technical safeguards in place, the homes of
personnel are just that. Dangers lurk all around, as the second
part of this feature will discuss.