Data Protection Implications of the New UK FCA Consumer Duty

August 2023: Updated to take into account: (1) the new FCA Consumer Duty coming into force on 31 July 2023 for new and existing products or services that are open to sale or renewal; and (2) the Joint Letter from the Information Commissioner’s Office and the Financial Conduct Authority to the UK Finance and Building Societies Association titled “Data protection and effective communications to savings customers” dated 18 July 2023

With its wide-reaching impact on the retail financial services sector in the UK, we set out some of the key data protection considerations of the UK Financial Conduct Authority’s (FCA) new Consumer Duty.

Brief overview of the Consumer Duty

Bird & Bird produced a detailed analysis when the FCA set out its final rules and guidance for a new Consumer Duty to be introduced into the FCA’s principles for businesses.

By way of quick recap, the new Consumer Duty aims to increase the current levels of consumer protection in the retail financial services sector in the UK. The Consumer Duty applies to firms’ regulated activities and the products and services sold to ‘retail clients’. The FCA has explained that this term includes all clients other than professional clients (such as large corporate entities and government bodies) and eligible counterparties.

The new Consumer Duty rules came into force on 31 July 2023 for new and existing products or services that are open to sale or renewal and will come into force on 31 July 2024 for closed products or services.

The 3 key components of the Consumer Duty are:

Consumer Duty and data protection

1. Complying with Consumer Duty obligations involves the processing of personal data and will likely require additional processing activities

The Consumer Duty is underpinned by the concept of reasonableness. The requirements are to be interpreted in line with the standard that could reasonably be expected of a prudent firm carrying on the same activity in relation to the same product or service and with the necessary understanding of the needs and characteristics of the customers in the relevant target market. In order to understand the characteristics and needs of its target market, firms will need to use information which they have about their customers. Section 6.28 of the FCA’s FG22/5 Final Non-Handbook Guidance for Firms on the Consumer Duty (Consumer Duty Guidance) states that “[w]e […] expect firms to take active steps to encourage customers to share information about their needs or circumstances, where relevant. This will practically help firms to understand the needs of customers in the target market”.

The FCA states in Section 11.21 of the Consumer Duty Guidance that “[f]irms will need to develop a strategy to gather the relevant information and data to inform their assessment of whether they are delivering good outcomes for customers and to meet their governance obligations”. The collection of data is therefore central to the monitoring and improvement of customer outcomes.

Some of this data will inevitably be “personal data”, i.e. information relating to an identified or identifiable individual, which is regulated under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

The Consumer Duty Guidance gives examples of the types of data that could be monitored including “surveys, net promoter scores, social media rating analysis, focus groups, mystery shopping or other customer research” and “customer response rates to communications which prompt action, broader analysis of whether customers are following instructions in communications, analysis of responses to communications during customer journeys, including responses and drop-out rates at each stage”.

As such, it seems likely that firms will need to carry out additional personal data processing activities in order to meet their Consumer Duty requirements and/or use data they already collect for the additional purpose of compliance with the Consumer Duty. The Consumer Duty Guidance gives the following as some of the example questions which the FCA could ask a firm in relation to its governance arrangements: “What data does the firm have about its customers and how do they use its products? Are there any gaps in the data? What steps is the firm taking to address them?”  These activities are subject to the requirements of UK data protection law, including the requirements of the Privacy and Electronic Communications Regulations 2003 (PECR). PECR will come into play in respect of electronic communications that constitute direct marketing (see point 3 below) and the use of cookies and similar technologies (see point 4 below). The FCA sets out the following in Section 1.31 of the Consumer Duty Guidance: “[t]he Duty does not replace other requirements. Firms will also need to consider any other applicable law. This will include but is not limited to: […] data protection regulation, such as the General Data Protection Regulation (the GDPR) and the Data Protection Act 2018 (the DPA 2018)”.

2. It seems likely that special category personal data will need to be processed for the purposes of compliance with the Consumer Duty

Section 11.11 of the Consumer Duty Guidance states that “[t]he Duty is intended to improve outcomes for all customers, and we would expect firm monitoring to identify where distinct groups of customers, such as customers with characteristics of vulnerability or customers who share protected characteristics (as defined by the Equality Act 2010 or equivalent legislation) get worse outcomes than other customers.”

Whilst the Consumer Duty is targeted at improving outcomes for all consumers, the FCA clearly expects the analysis and monitoring to look specifically at the outcomes of certain groups of customers (including those who share “characteristics of vulnerability” or “protected characteristics”). 

The FCA’s view of vulnerability is as a “spectrum of risk” and that all customers are at risk of becoming vulnerable but that this risk is increased by having “characteristics of vulnerability”, such as certain issues relating to health.  ‘Protected characteristics’ under the Equality Act 2010 include disabilities and race. As such, personal data processed for these purposes could include the processing of special category personal data.

The Consumer Duty Guidance states that firms are not required to “systematically collect data or to collect new data about customers’ protected characteristics” in order to satisfy the monitoring requirement and that “the requirement to monitor outcomes does not interfere with the requirement for firms to comply with the relevant data protection legislation”. Though the Guidance goes on to say that “where firms do already collect data about customers’ protected characteristics, [the FCA] expect[s] them to use this data to monitor differences in outcomes between different groups”, this is only “where possible”. The guidance also acknowledges the possibility that the data processed could be special category data and notes that a lawful basis under Article 6 and Article 9 of the UK GDPR must be identified. The FCA points to Appendix 1 of its Guidance for firms on the fair treatment of vulnerable customers for information about data protection considerations that firms should take into account.

3. Firms should consider if Consumer Duty-driven communications with customers constitute direct marketing

The new Consumer Duty will result in increased regulatory communications, given the FCA’s expectation that firms should actively communicate with customers about products and services as part of the “understanding your consumer” outcome and the requirement to ensure that there are suitable communications throughout the lifecycle of a product.

If a regulatory communication constitutes direct marketing, the firm must give individuals the absolute right to object to being sent such direct marketing. Depending on the communication method of the direct marketing, requirements under PECR may apply. For example, in relation to electronic mail direct marketing (e.g. by email or text message), PECR imposes a consent requirement (unless the requirements of the ‘soft opt-in’ exemption apply).

The ICO issued new guidance on direct marketing and regulatory communications on 28 March 2023 targeted at private sector organisations operating in regulated industries like financial services.  The guidance is intended to help these organisations decide when a ‘regulatory communication’ (i.e. where a statutory regulator such as the FCA requests or requires the industry which it regulates to send specific messages to individuals) might qualify as “direct marketing”. The ICO guidance is worth a read: it explains how to draft regulatory communications and contains several useful examples.

The FCA and ICO published a joint letter to the UK Finance and Building Societies Association on 18 July 2023 stressing the importance of firms communicating with their customers to make them aware of the best interest rates available to them so they can achieve a good financial outcome. The letter explains that some firms have queried whether data protection regulations prevent them from telling savings customers about better deals.  The FCA and ICO emphasise that data protection regulations do not prohibit firms from providing communications to their customers when requested or required by a statutory regulator, such as under the FCA’s Consumer Duty. To help avoid a regulatory communication being deemed direct marketing, the FCA and ICO advise firms to (i) use a neutral tone in their regulatory communications; (ii) use factual information about the savings product the customer holds, the terms of other products which may be available to them and what their options are for moving to another product; and (iii) avoid active promotion or encouragement when communicating this factual information.  The letter highlights that there are other approaches available for firms to consider - for example, displaying the regulatory communication on a firm’s website.

It is important to remember that the requirements under UK GDPR and the DPA 2018 still apply if a firm is processing personal data even if the firm’s regulatory communication message is not direct marketing. 

4. Tracking and testing customer actions could potentially engage the cookie rules under PECR

Could firms use cookies or similar tracking technologies to track and test user engagement and action during the customer journey or in customer communications for the purpose of the Consumer Duty? If yes, this will trigger certain requirements under PECR. Under PECR, opt-in consent is required to use these technologies, unless their use is “strictly necessary” for the provision of an information society service requested by the subscriber or user. The ICO guidance on cookies sets out that this exemption “includes what is required to comply with any other legislation that applies to you” although: (i) the use of the technology must be essential to provide the service requested by the user - it is not clear if that would be the case here; and (ii) even if one use of a cookie or similar tracking technology is strictly necessary, if it is used for additional purposes that are not strictly necessary (e.g. marketing analytics), consent would need to be obtained regardless. The Data Protection and Digital Information (No. 2) Bill proposes that analytics cookies and similar technologies used for statistical purposes to improve services be used on the basis of notice/opt-out only. It is not clear at this point if this would apply to the use of these technologies for the purposes of the Consumer Duty.

5. The Consumer Duty requires firms to consider the impact on customers and this could overlap with considerations under UK data protection law

Firms are required to avoid foreseeable harm to customers and to act in good faith under the overarching cross-cutting rules listed above. Foreseeable harm could involve the unfair use of personal data. One of the examples given by the FCA under the price and value outcome is the following: “We have seen evidence of customer data being monetised to derive income and benefit for firms. Some firms routinely engaged with third party providers by buying and selling customer data. We found that firms were unable to articulate how the customer was receiving fair value in the provision and use of their personal data. Firms should make explicit consideration of consumers’ data if this is being monetised. While we do not necessarily expect non-tangible costs and benefits to be monetised, we do require firms to make at least a qualitative consideration of how this affects the overall value proposition for the consumer”. As an example of not acting in good faith, the FCA includes “[u]sing algorithms, including machine learning or artificial intelligence, within products or services” that lead to consumer harm, for example “where algorithms embed or amplify bias and lead to outcomes that are systematically worse for some groups of customers, unless differences in outcome can be justified objectively”.

UK data protection law requires controllers to ensure that any processing subject to the law is fair and lawful. In addition to this general obligation, controllers need to factor in the impact on the rights and interests of individuals in a number of specific ways, for example when applying the legitimate interests lawful basis, when considering privacy by design and default and when carrying out data protection impact assessments.

As such, there could be situations where the considerations under the Consumer Duty and the considerations under UK data protection law dovetail. Firms should consider how they can align these different workstreams.