This Wednesday marks just one month left until the EU’s General Data Protection Regulation (GDPR) takes effect, touching almost every global business. Laura Wadding, Director of Risk Advisory at Deloitte, breaks down the asset manager’s perspective.
- What are some key considerations for asset managers preparing for this new regulation?
At an asset manager, there are many parties who process and/or control personal data for various reasons in a number of ways. Transfer agents collect and process investor data to fulfill contractual requirements and to meet regulatory and tax requirements. Distributors collect and process additional personal data to assess the suitability and appropriateness of investment products in line with the risk appetite and financial objectives of the investor. Asset managers use investor and market data to help design products and make investment decisions that will attract a target market and improve investment performance. GDPR requires parties to identify a valid reason for collecting and processing personal data.
Managers may first see transfer agents as a high-risk sector of fund processing because they process a lot of personal data. But that data is required to complete contracts and meet regulatory requirements, such as anti-money laundering. So, the risk within that categorization is actually lower than other parties, such as marketing and market analysis activity, where the legal basis for processing the data is more difficult to establish.
There is a danger that asset managers will focus solely on their appointed transfer agents when preparing for this regulation, when in fact the ‘riskier’ activity is happening elsewhere.
- Some see GDPR as another regulatory burden with hefty fines for noncompliance, but you’ve said the regulation represents a great business opportunity for firms. What do you mean by that?
There is no doubt that having access to relevant big data and the ability to analyze it effectively increases knowledge, which is power in asset management. Asset managers are using a mix of traditional and alternative data sources to inform themselves of market trends and investor appetite, helping them to make better investment decisions and to design investment products with a target market in mind. Getting the balance right between regulatory compliance and effective data analytics could prove to be extremely beneficial.
- A key provision of GDPR is the issue of consent. While there is no prescribed practical approach, what do you see as the most effective way for asset managers to handle this?
A first step in addressing this question is for asset managers to understand what data they are processing and for what purpose. Are they relying on traditional data sources, such as information provided by investors to fulfill a contract or to meet a regulatory requirement of the investment product? Are they using this same data to fulfill another firm objective, such as marketing? Have they started to look at alternative data as a source of valuable information? Is the person aware of this and have they consented to the use of their data for this purpose?
Based on this assessment, GDPR will force managers to refine data privacy notices and the content of any required consents. If consent is required (and this is not always the case), the challenge lies in the mechanisms used to obtain and manage the consent, the ability to switch the processing off if the subject withdraws their consent, and the processes in place to allow a consent to expire once the purpose is no longer valid. Imagine that the data subject consent is a ball, being passed between the parties to a fund. This ball must be kept in the air at all times. Record keeping is key, and for large scale operations, integrated technology is essential to ensure that data processing systems talk to each other and don’t drop the ball.
- GDPR says entities need to identify, analyze, and report data breaches within 72 hours. How can firms ensure their processes are efficient and timely?
Not all failures will constitute a breach. Awareness, internal controls, and governance are key to identifying all potential breaches. Knowledge and experience are key to ensuring managers acknowledge and deal with actual breaches appropriately. All individuals who process data should be trained to recognize potential breaches and to report them internally without delay. System controls (where available) can also be very beneficial in identifying potential breaches. However, expertise is needed in the second line to identify and manage the actual breaches.
Ownership and accountability are key parts of the process, rather than relying solely on system-generated alerts. Scenario testing is an effective way to streamline the process. Role-play what would happen if personal data was lost, damaged, or stolen in a processing center. How would it be identified in the first instance, who would perform the second-line analysis, and how would this identification, reporting, and analysis take place? In a simulated scenario, how long did it take before the manager could submit a report to the authorities, and what improvements can they implement to make the process more efficient? Testing potential breaches in this way will help eliminate potential bottlenecks in the reporting process.
- Recent international data breaches are dominating headlines and the use of personal data has never been more in the public consciousness. Do you think GDPR will be the first step in increased regulation in this area? Should managers expect more data protection regulation in the future?
The ability of asset managers to use traditional data sources as a means to improve their knowledge of market trends and fund distribution is a valuable tool. The emerging use of alternative data sources such as search engines, social media, financial apps, and data mining could be potentially extremely valuable to an asset manager if used effectively. However, data protection regulation is just one element of governance in the protection of personal information. The use of alternative data sources does raise many questions for asset managers such as:
- The obvious one: Is this legal?
- The complex one: Is this ethical?
- The technical one: Is this GDPR compliant?
- The analytical one: If the manager answered yes to all the above, they should then ask whether the processing of such large amounts of data places any additional obligations on them to protect the rights of the data subjects. In addressing this question, for example, an asset manager might obtain seemingly anonymized data from several independent sources, but when pieced together the data could identify data subjects, who would then be afforded the relevant protections under GDPR.
The power afforded to asset managers through the effective use of big data, in addition to the ever-growing use of technology in the distribution of investment funds, increased powers of data protection authorities, and the development of fintech strategies by financial regulators, makes this a space to watch with interest!
Laura is a Director with over 20 years’ experience in financial services. Prior to joining Deloitte, Laura worked with a large European financial services firm and led several company- and group-wide initiatives within the organization, including the development of AML policies and procedures.
Laura held previous roles in the areas of investor services and compliance, including acting as MLRO and DPO, and holds a Degree in Law from the Dublin Institute of Technology and a Diploma in Compliance from the Institute of Bankers. She has been at the forefront of regulatory developments in the financial services sector, in particular with the evolving Anti-Money Laundering landscape for financial institutions and the Investor Money Regulations for Fund Service Providers.
Laura chairs the Irishfunds Operational Steering Group to help coordinate the efforts of several working groups, including AML, GDPR, Transfer Agency, Heads of Operations, Reg Reporting, Financial Reporting, Legal and Depository.