This column was provided by Adam Harper (pictured), executive director, Strategy, Advocacy and Professional Standards, CII.
When the Financial Conduct Authority introduced the Consumer Duty in 2023 it said it wanted regulated firms ‘to enable and support retail customers to pursue their financial objectives’. Two essential necessities to achieving that ambition relate to data.
First and foremost, firms must collect the right data. No professional can truly know that they are delivering a good customer outcome without knowing whom they are serving. That was the case before Consumer Duty was introduced, but it has brought into greater relief the importance of identifying customer vulnerabilities. CII colleagues discussed this point with a range of industry practitioners and wider experts at a roundtable event in late 2024. In a summary report, we recommended that firms should place more emphasis on joining data dots around individual customers in real time, challenging assumptions and exploring data insights across multi-disciplinary teams to effect positive change for them.
However, we also identified that to achieve the best possible outcomes for consumers it was essential for firms to share the data they acquire with other firms across the distribution chain. While individual firms could identify challenges with primary data collection that needed addressing, concerns about data processing, retention, and sharing rang even louder. Indeed, some contributors believed that GDPR rules and other legislation were in direct tension with implementing the Consumer Duty. Many firms said they would benefit from greater guidance from regulators.
A similar conclusion was subsequently drawn by the FCA through its review of the first Consumer Duty board reports in December 2024. It found that many firms could not demonstrate that the right types or volume of data were being shared across the distribution chain to monitor and improve customer outcomes. As a result, the FCA emphasised the need for firms to adopt a more comprehensive, joined-up approach to information flows throughout the product lifecycle.
We said we would pursue the matter of data sharing further, and later this month we will be hosting another roundtable to explore this issue in greater depth. We’ll be considering the steps that can be taken to overcome technical barriers to data sharing and the incentives and disincentives that influence the willingness of firms to share information.
In anticipation of that discussion, we invited members of our research panel – comprising financial planning and insurance practitioners – to tell us more about the sources of their concerns. Our results indicate widespread uncertainty about sharing data on vulnerabilities across the distribution chain, and additionally about sharing flags or notes without explicit consent, and concern about the risk of exposing sensitive information to parties who may not need it or be prepared to handle it securely. We have also uncovered tension between collecting minimal data to comply with GDPR and collecting detailed data to meet Consumer Duty reporting obligations. For example, two in five (41%) of our more than 320 respondents said they ‘feared’ breaching GDPR rules, while more than half (56%) said sharing data on customer vulnerabilities with other parties was their biggest challenge in complying with GDPR rules.
We’ve discussed the situation with data protection experts and regulators, and we believe there are answers to a great many of the questions and concerns held by firms about how to manage and share data on customer vulnerability and remain GDPR compliant. We are working with market experts to develop guidance in this space.
