August 2023: Updated to take into account: (1) the new FCA Consumer Duty coming into force on 31 July 2023 for new and existing products or services that are open to sale or renewal; and (2) the Joint Letter from the Information Commissioner’s Office and the Financial Conduct Authority to the UK Finance and Building Societies Association titled “Data protection and effective communications to savings customers” dated 18 July 2023
Given the wide-reaching impact of the UK Financial Conduct Authority’s (FCA) new Consumer Duty on the retail financial services sector in the UK, we set out some of the key data protection considerations it raises.
Bird & Bird produced a detailed analysis when the FCA set out its final rules and guidance for a new Consumer Duty to be introduced into the FCA’s principles for businesses.
By way of quick recap, the new Consumer Duty aims to increase the current levels of consumer protection in the retail financial services sector in the UK. The Consumer Duty applies to firms’ regulated activities and the products and services sold to ‘retail clients’. The FCA has explained that this term includes all clients other than professional clients (such as large corporate entities and government bodies) and eligible counterparties.
The new Consumer Duty rules came into force on 31 July 2023 for new and existing products or services that are open to sale or renewal and will come into force on 31 July 2024 for closed products or services.
The three key components of the Consumer Duty are:
1. Consumer principle: The FCA has introduced a new consumer principle requiring firms to act to deliver good outcomes for retail customers.
2. Overarching cross-cutting rules: The following cross-cutting rules develop and amplify the standards of conduct which the FCA expects from firms:
3. The four outcomes: These are the four key elements of the firm-customer relationship against which the FCA will measure firms:
The Consumer Duty is underpinned by the concept of reasonableness. The requirements are to be interpreted in line with the standard that could reasonably be expected of a prudent firm carrying on the same activity in relation to the same product or service and with the necessary understanding of the needs and characteristics of the customers in the relevant target market. In order to understand the characteristics and needs of its target market, firms will need to use information which they have about their customers. Section 6.28 of the FCA’s FG22/5 Final Non-Handbook Guidance for Firms on the Consumer Duty (Consumer Duty Guidance) states that “[w]e […] expect firms to take active steps to encourage customers to share information about their needs or circumstances, where relevant. This will practically help firms to understand the needs of customers in the target market”.
The FCA states in Section 11.21 of the Consumer Duty Guidance that “[f]irms will need to develop a strategy to gather the relevant information and data to inform their assessment of whether they are delivering good outcomes for customers and to meet their governance obligations”. The collection of data is therefore central to the monitoring and improvement of customer outcomes.
Some of this data will inevitably be “personal data”, i.e. information relating to an identified or identifiable individual, which is regulated under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
The Consumer Duty Guidance gives examples of the types of data that could be monitored including “surveys, net promoter scores, social media rating analysis, focus groups, mystery shopping or other customer research” and “customer response rates to communications which prompt action, broader analysis of whether customers are following instructions in communications, analysis of responses to communications during customer journeys, including responses and drop-out rates at each stage”.
Section 11.11 of the Consumer Duty Guidance states that “[t]he Duty is intended to improve outcomes for all customers, and we would expect firm monitoring to identify where distinct groups of customers, such as customers with characteristics of vulnerability or customers who share protected characteristics (as defined by the Equality Act 2010 or equivalent legislation) get worse outcomes than other customers.”
Whilst the Consumer Duty is targeted at improving outcomes for all consumers, the FCA clearly expects the analysis and monitoring to look specifically at the outcomes of certain groups of customers (including those who share “characteristics of vulnerability” or “protected characteristics”).
The FCA views vulnerability as a “spectrum of risk”: all customers are at risk of becoming vulnerable, but that risk is increased by having “characteristics of vulnerability”, such as certain issues relating to health. ‘Protected characteristics’ under the Equality Act 2010 include disabilities and race. As such, personal data processed for these purposes could include special category personal data.
The Consumer Duty Guidance states that firms are not required to “systematically collect data or to collect new data about customers’ protected characteristics” in order to satisfy the monitoring requirement and that “the requirement to monitor outcomes does not interfere with the requirement for firms to comply with the relevant data protection legislation”. Though the Guidance goes on to say that “where firms do already collect data about customers’ protected characteristics, [the FCA] expect[s] them to use this data to monitor differences in outcomes between different groups”, this is only “where possible”. The guidance also acknowledges the possibility that the data processed could be special category data and notes that a lawful basis under Article 6 and Article 9 of the UK GDPR must be identified. The FCA points to Appendix 1 of its Guidance for firms on the fair treatment of vulnerable customers for information about data protection considerations that firms should take into account.
The new Consumer Duty will result in increased regulatory communications, given the FCA’s expectation that firms should actively communicate with customers about products and services as part of the “understanding your consumer” outcome and the requirement to ensure that there are suitable communications throughout the lifecycle of a product.
If a regulatory communication constitutes direct marketing, the firm must give individuals the absolute right to object to being sent such direct marketing. Depending on the communication method used for the direct marketing, requirements under the Privacy and Electronic Communications Regulations (PECR) may also apply. For example, in relation to electronic mail direct marketing (e.g. by email or text message), PECR imposes a consent requirement (unless the requirements of the ‘soft opt-in’ exemption apply).
The ICO issued new guidance on direct marketing and regulatory communications on 28 March 2023 targeted at private sector organisations operating in regulated industries like financial services. The guidance is intended to help these organisations decide when a ‘regulatory communication’ (i.e. where a statutory regulator such as the FCA requests or requires the industry which it regulates to send specific messages to individuals) might qualify as “direct marketing”. The ICO guidance is worth a read: it explains how to draft regulatory communications and contains several useful examples.
The FCA and ICO published a joint letter to the UK Finance and Building Societies Association on 18 July 2023 stressing the importance of firms communicating with their customers to make them aware of the best interest rates available to them so they can achieve a good financial outcome. The letter explains that some firms have queried whether data protection regulations prevent them from telling savings customers about better deals. The FCA and ICO emphasise that data protection regulations do not prohibit firms from providing communications to their customers when requested or required by a statutory regulator, such as under the FCA’s Consumer Duty. To help avoid a regulatory communication being deemed direct marketing, the FCA and ICO advise firms to (i) use a neutral tone in their regulatory communications; (ii) use factual information about the savings product the customer holds, the terms of other products which may be available to them and what their options are for moving to another product; and (iii) avoid active promotion or encouragement when communicating this factual information. The letter highlights that there are other approaches available for firms to consider - for example, displaying the regulatory communication on a firm’s website.
It is important to remember that the requirements under UK GDPR and the DPA 2018 still apply if a firm is processing personal data even if the firm’s regulatory communication message is not direct marketing.
Firms are required to avoid foreseeable harm to customers and to act in good faith under the overarching cross-cutting rules listed above. Foreseeable harm could involve the unfair use of personal data. One of the examples given by the FCA under the price and value outcome is the following: “We have seen evidence of customer data being monetised to derive income and benefit for firms. Some firms routinely engaged with third party providers by buying and selling customer data. We found that firms were unable to articulate how the customer was receiving fair value in the provision and use of their personal data. Firms should make explicit consideration of consumers’ data if this is being monetised. While we do not necessarily expect non-tangible costs and benefits to be monetised, we do require firms to make at least a qualitative consideration of how this affects the overall value proposition for the consumer”. As an example of not acting in good faith, the FCA includes “[u]sing algorithms, including machine learning or artificial intelligence, within products or services” that lead to consumer harm, for example “where algorithms embed or amplify bias and lead to outcomes that are systematically worse for some groups of customers, unless differences in outcome can be justified objectively”.
UK data protection law requires controllers to ensure that any processing subject to the law is fair and lawful. In addition to this general obligation, controllers need to factor in the impact on the rights and interests of individuals in a number of specific ways, for example when applying the legitimate interests lawful basis, when considering privacy by design and default and when carrying out data protection impact assessments.
As such, there could be situations where the considerations under the Consumer Duty and the considerations under UK data protection law dovetail. Firms should consider how they can align these different workstreams.