Compliance
How Wealth Managers Should Be GDPR-Proof
What should wealth managers do to be fully compliant with GDPR rules that take force in just under a month's time?
Wealth managers have just under a month to go before the European Union’s GDPR data protection rules kick in. A sector which has been preparing for the rules, wealth management, has a great deal to consider, as demonstrated by a recent WealthBriefing conference.
In this article, Daniel Roberts, who is principal sales engineer at MarkLogic, a data storage and security firm, explores the issue and what are the stakes for wealth managers. The editors of this news service are pleased to share these views and invite readers to respond. The editorial team do not necessarily endorse all views of guest contributors. (For feedback, email tom.burroughes@wealthbriefing.com)
Wealth management firms are not unfamiliar with regulations. The recent MiFID II regulation and the Dodd-Frank Act, signed in 2010 by President Barack Obama and now under review, are among the notable examples. But one of the most important regulations facing professionals who manage the financial needs of high-net-worth individuals, companies and families is the European Union’s General Data Protection Regulation (GDPR), which is set to come into effect on 25 May 2018.
The GDPR defines the rights of EU citizens around the privacy and protection of their personal data. From May, any organisation using and storing EU customer data will be responsible and accountable for the storage and processing of it. Failure to comply can result in fines of up to four per cent of global revenue or €20 million ($24.4 million), whichever is higher. Considering that some of the largest wealth management funds can reach beyond $5 trillion in value, generating billions in revenue for a firm, the sum of any fine will be eye-watering for the unprepared. The EU’s aim is to ensure each company operates a policy of “security by design” for its data.
Despite the pending deadline, many firms remain uncertain about their ability to secure client data. Some are concerned about moving data out of silos to ensure they have a 360-degree view for reporting and security purposes. Others are figuring out how to comply with the customer’s right to be forgotten, or how to tell when unambiguous consent has truly been given. For most wealth managers, it is a case of working out all these factors. Becoming compliant with MiFID II is known to have placed a significant strain on costs and resources for many wealth management companies, but becoming GDPR compliant need not be so stressful.
By proactively preparing for GDPR to mitigate risk and maintain compliance, wealth management companies have a golden opportunity to profit from getting their data in better shape. Doing so will enable them to gain valuable and potentially revenue-generating insights into their business processes or customers’ preferences by building a single, consistent and persistent 360-degree view of their employees or customers.
One of the biggest issues currently preventing this is that most wealth management customer data lies in multiple, unconnected data silos, often a legacy of earlier initiatives. The number of third parties involved in the process of managing wealth also adds to this complex network of data storage.
The ability to aggregate this data from disparate sources is an essential component of the new financial regulatory environment, and there is a practical way to bring all these silos of data together to become GDPR compliant and improve overall data processes. Using an operational data hub - a virtual filing cabinet, built on a flexible, enterprise-grade NoSQL database with integrated Google-like search, which can hold a single, unified 360-degree view of all data - can pay dividends for data challenges where both the data and the requests from regulators change over time.
GDPR goes beyond trade data, as seen with MiFID II compliance, by setting out new responsibilities for the financial sector to adhere to regarding any personal data. This means that wealth management organisations will need to identify the personal data they have, work out whether they are able to store and process it, and then decide how it can be processed and used. Consent management - a key tenet of GDPR - is crucial here.
With GDPR, wealth management companies will need to provide customers with a mechanism to easily give or withhold consent for the use of their data. This process needs to clearly and unambiguously state how consent is given and how any data acquired will be used.
This may mean that different types of consent are needed. General consent may have been given for the use of some customer data, but when it comes to a specific use of that data, such as sending marketing content to a customer’s email address, GDPR stipulates that explicit consent is needed. This difference between general and explicit consent must be recognised and taken into account by any data protection officers working with wealth management firms to ensure compliance with GDPR.
This presents a complex data processing task, but by using an operational data hub to record, organise and index both the systems that contain personal data and the data itself, wealth management companies can ensure compliance. In doing so, they could also reduce the risks associated with not being able to find the data, or not being able to action a specific request by a given deadline. Alternatively, they could automate many of the steps required, saving considerable time and effort.
Having this central reference of personal data - stored in one place, with a single view - will not only assure compliance with GDPR, it will give wealth managers valuable insights into the touch points for every individual. This can be leveraged to give customer service, marketing and sales teams a joined-up view of customers and prospects, where appropriate consent is given. Essentially, it becomes a valuable record of everything relating to a customer or to individuals working for each customer. It will also make the process of removing customer data via the right to be forgotten - in instances where consent for the use of data is not given - a much simpler process.
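The general-versus-explicit consent distinction and the erasure walk across indexed systems described above, as an added illustration that is not code from the article or from MarkLogic; the purpose names, system names and client identifiers are constructed for the example:

```python
from dataclasses import dataclass, field
from enum import Enum

class Purpose(Enum):
    GENERAL = "general"                  # broad consent captured at onboarding
    MARKETING_EMAIL = "marketing_email"  # needs its own explicit opt-in under GDPR

# Purposes that general consent never covers; each needs an explicit, purpose-specific record.
EXPLICIT_ONLY = {Purpose.MARKETING_EMAIL}

@dataclass
class Consent:
    purpose: Purpose
    granted: bool
    explicit: bool   # True only for an affirmative, purpose-specific opt-in
    source: str      # where it was captured, e.g. "onboarding_form" (constructed value)

@dataclass
class Client:
    client_id: str
    consents: dict = field(default_factory=dict)  # Purpose -> Consent
    systems: set = field(default_factory=set)     # index of systems holding this client's data

class ConsentHub:
    """Single view of consent plus an index of where each client's personal data lives (hypothetical hub)."""
    def __init__(self):
        self.clients = {}

    def record(self, client_id, consent, system):
        client = self.clients.setdefault(client_id, Client(client_id))
        client.consents[consent.purpose] = consent
        client.systems.add(system)

    def may_process(self, client_id, purpose):
        client = self.clients.get(client_id)
        if client is None:
            return False
        if purpose in EXPLICIT_ONLY:  # general consent is not enough here
            c = client.consents.get(purpose)
            return bool(c and c.granted and c.explicit)
        c = client.consents.get(Purpose.GENERAL)
        return bool(c and c.granted)

    def withdraw(self, client_id, purpose):
        client = self.clients.get(client_id)
        if client and purpose in client.consents:
            client.consents[purpose].granted = False

    def erase(self, client_id):
        """Right to be forgotten: drop the hub record and return the systems that must purge theirs."""
        client = self.clients.pop(client_id, None)
        return sorted(client.systems) if client else []
```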
Organisations that view GDPR as merely a compliance exercise will likely cement their company’s failure. It is vital that wealth management companies establish a sound application framework that will not only model and adapt to GDPR’s requirements, but will also act as a single reporting platform to help them meet any regulatory need in the future, be it MiFID II, amendments to the Dodd-Frank Act or a new regulation we do not yet know about. An operational database can do just this, meaning what may have started out as a GDPR risk reduction exercise is in fact a recipe for creating new revenue-generating applications and services for your business.