THE GENERAL DATA PROTECTION ACT (GDPR) - UNDER A YEAR AWAY!

Wealth Management & Private Banking


Expert: Ian de Freitas, Farrer & Co.

Facilitator: Leigh Cotterill 

Key message 

The GDPR comes into full effect in May 2018. The new regulation applies to all organisations and not just the wealth management sector. However, the nature of the wealth management business model leaves firms in the industry particularly exposed to data protection issues. The risk arises from collecting and holding extensive data on clients, and from that information often being passed around the wider financial services group.

Headlines 

  • There is a low level of knowledge when it comes to understanding the implications of GDPR, which will directly impact firms and clients, day to
  • Organisations have until May 2018 to assess its impact and implement an action plan. The responsibility is on firms to demonstrate the effectiveness of their data protection improvement program.
  • This regulation marks a significant step up in wealth managers’ data protection requirements. Many firms do not yet appreciate the significant impact it will have on their operating
  • Penalties for failure to comply are also significantly higher. Fines of up to 4% of annual turnover for firms that suffer a security 

Key themes

It is important that wealth managers get to grips with GDPR well in advance of the deadline: 

“Firms have to be more transparent with customers, not just by extending disclaimers.” 

For wealth managers, the key issues will begin with consent. Firms will need explicit permission to use clients’ personal data for any purpose, including marketing. Clients will have a right to be forgotten and to request that all their personal data held on the system is deleted. 

“Firms will need to give clients a more detailed understanding of compliance protocols and how their data is held.” 

The penalties for falling foul of the new regulation are intimidating – fines of up to 4% of a business’s global turnover or EUR20m, whichever is bigger, for non-compliance. 

Critically, wealth managers will need to ensure that systems are in place to enable the transfer of personal data to a competitor if requested – when a client moves their money to another wealth manager, for example. If firms suffer a data breach, they are legally required to disclose it to regulators. 

“One important question facing the industry is whether technology platforms are able to keep up to speed with this significant change in process and protocol.” 

What does that mean in practice for wealth managers? Crudely speaking, it is about “changing the culture and changing the mind-set around data protection.” It might also help to think in terms of compliance for existing customers and new customers. 

“It will affect even the pen and parchment client partnerships that wealth managers have.” 

Wealth managers must be able to prove that they have obtained permission to use client data and know where on the system the data sits. For clients being on-boarded the same rules apply, but terms and conditions should now openly set out permission procedures and how they relate to your data protection obligations.

Therefore, at an individual client level, something like a “data dashboard” can help with consent forms: clients choose their level of data consent, which can be edited and changed on log-in. Firms will also need to be able to show that data protection safeguards are built into new products and services from the beginning of the process.

Conclusions 

Simply understanding GDPR is therefore not enough to ensure compliance. Wealth managers need to ensure their organisational structures and processes keep them on the right side of the law. The GDPR discussion amongst delegates concluded with the following: 

  • Don’t leave it too late. With less than a year until GDPR implementation, there is a short window of opportunity to ensure compliance in May
  • Consider conducting a “GDPR readiness audit” – a test of the current state of play – either internally or through a third-party
  • Appoint a senior leader to take charge of ensuring GDPR compliance – someone with authority and credibility to be able to drive
  • Map the data flows within the organisation. This can reveal interesting issues that may require some significant
  • And finally, consider training employees from across the organisation so that all staff understand their responsibilities
