by Eric Crabtree
With the EU Mortgage Credit Directive (MCD) having come into force recently, the financial services sector has reached the end of a period of regulatory change that began with the Mortgage Market Review and the fallout from the 2008 recession. But it is a fact of life in the financial services industry that there is barely time to digest and understand one wave of regulation before another crests the horizon. Accordingly, just as Financial Directors are getting used to working with post-crash legislation, the EU Council and the Parliament have adopted new General Data Protection Regulation (GDPR), which will have far-reaching consequences for the financial services sector.
The GDPR requires institutions handling sensitive data to appoint a Data Protection Officer to act as a semi-independent internal regulator. It also requires them to keep track of data in easily auditable ways. Failure to comply with this new regulatory framework could be incredibly costly – data breaches could see financial institutions facing fines of up to 4 per cent of global revenues or €20 million, whichever is greater.
What will the future hold?
Like any piece of regulation, the GDPR will come into effect and the industry will find a way to comply. The same will go for when PCI DSS version 3.2 comes into place this year and changes the payment landscape. However, we can never be truly sure of what the long-term effects will be and in a few years the regulators may decide that the regulation didn’t have the desired effect and change it again. Such is the nature of compliance in the digital world: the only certainty is uncertainty.
But with both the GDPR and the MCD being EU-driven pieces of regulation, what’s going to happen if the UK exits the European Union? There are those that contend that a Brexit will be the death of both, and indeed of all the EU-mandated directives with which financial institutions in the UK must comply. But if the UK wishes to keep doing business with EU Member States, it will need to comply with these regulations, only without the ability to negotiate or challenge them.
To avoid getting too political, let it just be said that no one really knows what a Brexit will mean for compliance in the financial services sector. Indeed, no one really knows what challenges future regulatory measures will present at all. We can make assumptions that future compliance requirements will revolve around protecting the customer and ensuring the future viability of institutions in the event of another financial crisis. But this is speculation, not prophecy.
In a regulatory climate of such uncertainty, it can be tricky for financial institutions to future-proof against forthcoming requirements. It is generally speaking a good idea to take part in industry forums to share compliance best practice with peers. However, this can often be a double-edged sword. Regulation is rarely black and white, and one institution’s approach to compliance may not necessarily be appropriate for another organisation. That said, there are certainly benefits to engaging in these kinds of best practice discussions.
Technology and consultancy – two pieces of the compliance puzzle
To ease the strain for institutions, there are a number of technology solutions that allow the measurement and management of financial risk and regulations. Compliance measures can even be incorporated into the delivery of technology solutions, providing automated compliance monitoring systems that reveal the potential impact of risks on the goals of the institution.
That said, technology is just one part of the puzzle. The real value in dealing with a vendor for these compliance-ready solutions is the expertise and experience they can offer. Institutions should only be working with a technology vendor that has the right credentials and consultancy pedigree to help manage potential compliance issues.
Ideally, that vendor would facilitate debates about upcoming regulatory challenges. They should leverage their consultancy capability to advise institutions on how to approach compliance issues from a technological perspective. And (if they are worth their salt) they will take requests from clients, discuss and analyse requirements and build them into their offering.
Nobody knows what the future holds when it comes to regulation. When the only certainty is uncertainty, you need not just the technology solutions that will help future-proof against compliance requirements, but a trusted partner that will look out for your interests and offer advice.
The author, Eric Crabtree, is Global Head Financial Services at Unisys.