Are advisers GDPR ready?
By Katie Marriner
Fresh research shows advisers may be underprepared for new rules around data
More than half of advisers are unprepared for the incoming General Data Protection Regulation, Money Marketing can reveal, as fresh research sheds light on how advisers store and use information.
Advisers will have to comply with the GDPR from 25 May. The wide-ranging legislation is the latest in a long line of regulatory changes impacting advisers in recent months, including Mifid II, increased FCA scrutiny on pension transfers, and getting to grips with the upcoming changes outlined in the FCA’s asset management market study.
A number of advisers speaking to Money Marketing say that preparing for the GDPR is proving costly and time-consuming, with many seeking advice from outsourced compliance specialists.
Yet some who have recently made changes to their back office say that this has inadvertently proved beneficial in being ready for GDPR.
With less than a month to go until GDPR is brought into force, what key concerns remain for advisers?
Protect or regret
Tenet GDPR project assurance officer Joseph Darley says the incoming regulation has caused “fear and confusion” for many advisers. However, Darley says, the reality is many of the changes that will impact financial advisers are just an extension of what is already in the Data Protection Act and the Privacy and Electronic Communications Regulations.
Some of the key changes for advisers relate to marketing and storage of data. Marketing activity can only take place if clients have given their consent to receive material from an advice firm. The client must opt in and they must be able to withdraw their consent at any time.
Clients can also request to have their data deleted, as well as ask for information about how and why their data is processed, or demand their data be moved to another data controller. However, advisers will not need to delete a client’s data where there is a regulatory requirement to hold it or where there is an interest in keeping it against the possibility of a future claim.
Rowley Turton financial adviser Scott Gallacher thinks this rule could kick-start a debate over just how long advisers are allowed to hold on to data. Gallacher says: “That is where IFA businesses with a lack of a longstop have a problem, in the sense that ex-clients might want to be forgotten. But from an adviser perspective the last thing you want to do is delete all of the data and have a complaint you can’t defend.”
Despite the new rules being considered an update by some, exclusive data from an Iress survey of 50 advice firms, ranging in size from one to more than 10 advisers, shows that less than half of those surveyed think they are ready for the implementation of GDPR.
With less than a month to go, 30 per cent say they are not ready, while 28 per cent say they are making progress or part of the way to being ready for the legislation.
Threesixty managing director Russell Facer agrees that, just as with Mifid II, firms are at different stages of being ready for GDPR.
Facer says: “Some have engaged and looked into what data they are holding. Some are using it as an opportunity to reassess their service proposition and policy of sharing documents, looking at what data they hold and why they hold it.”
He adds that some advisers have even employed ‘ethical hackers’ to understand what issues their business might have and to see if people can access their systems.
Gallacher says the workload of complying with the GDPR is proving to be a large time-cost for the business. He says it is also coming at a time when his firm is working on other large compliance-related projects, including applying for professional indemnity insurance with a new provider.
Gallacher says: “A lot of it is not only complying, but also to provide evidence that you are complying. The rules do make a lot of sense but the issue is that you then have to have a lot of documentation behind the scenes so if there was ever a query you can demonstrate your business is GDPR ready.”
Rowley Turton has sent new privacy notices to clients who sign up for its printed newsletter, which it sends four times a year, and its weekly email newsletter. On the email side, Gallacher says the firm retained around 35 per cent of clients who had previously signed up to receive the mailing.
Tenet’s Darley says marketing is one area in which non-compliance with the GDPR will be obvious.
He says: “Marketing to those who have opted out or where you have no valid grounds to make contact is high risk, and should be avoided at all costs.”
Gallacher says that the firm has upgraded to the latest version of its back-office system, Adviser Office, and has also used outsourced compliance to prepare.
Worldwide Financial Planning IFA Nick McBreen says that his firm changed its back-office systems to Intelliflo last year, which has helped with preparing for GDPR.
He says: “We moved to Intelligent Office [so] that has been part of the process anyway. Having done that, along the way the data has been cleaned up. Firms that have been stuck with old legacy customer relationship management systems will have a challenge.”
McBreen says clients have not asked about GDPR but the rules have sparked interesting conversations with professional introducer firms, particularly accountants.
McBreen says: “[Those introducers] are having to create their own portals to secure communication and transfer documents. That is a positive because it makes it easier to communicate and get information between introducers and advisers.”
Time is money
Like Gallacher, McBreen says GDPR comes with a significant time-cost, which will largely be felt by smaller advice firms.
He says: “You’ve got people having to go through data sets to do all the work necessary to make sure they are clean, robust and accurate. I am not sure how you quantify it because it is done over a period of time.
“For smaller firms that is a drag on time and resources, as well as an extra layer of work and responsibility. A lot of work has been done for people in terms of compliance to make sure their systems are robust and up-to-date. Coming on the back of Mifid II, it is a lot of manpower.”
Verve Investment Planning principal Steve Buttercase is taking guidance to make sure his business is interpreting the new rules correctly.
Verve is an appointed representative of The Online Partnership, but Buttercase says being part of a network while preparing for new regulation has both pros and cons.
He says: “The trouble with being part of a network is that you have to delegate responsibility a bit more than you might be comfortable with sometimes. But they have got teams of people looking at it and sorting it out.”
IS ADVISER TECH GDPR READY?
How advisers use technology in their firms has been revealed through new data collected by Iress.
Fifty firms were surveyed by the technology provider, 23 per cent of which had 10 or more advice firm staff using their back office system.
The research found that more than half (52 per cent) of those surveyed do not hold all client details in their back office system, which has a GDPR impact.
Iress executive general manager for wealth Mark Loosmore says there are GDPR risks with data held in potentially less secure places, for example, paper files or cloud-based storage through office laptops.
Loosmore says: “Advisers are using external storage solutions due to a number of factors. For some, there’s an associated cost of storage in the back office or nervousness of committing to a single solution; also some back office solutions make saving data challenging. For others, it’s simply habit.”
The survey also found that 92 per cent of firms do not have integrated planning tools, which can save advisers time on re-entering information. An almost equally high proportion, 82 per cent, say they use provider extranets for quotations.
Loosmore says: “This is not an efficient use of time. It’s yet another set of rekeying, another log on and data process. It disrupts the audit trail of the advice journey.”
According to the research, 46 per cent use their practice management system to manage their compliance.
Loosmore says: “Almost all respondents identified they managed compliance around rather than through their back office. This has a number of implications: gathering compliance data is costly and time consuming, with a high potential of making mistakes as a result.”
He adds that 56 per cent of those surveyed say they can’t reliably produce Gabriel reports from data held in the back office or automatically through it.
A third of those surveyed say their back office does not let them segment clients.