Companies using GDPR as a scapegoat for Consumer Duty failures risk regulatory action, MorganAsh has warned.
The support services provider and customer vulnerability specialist suggested that some firms are using the data protection laws as a reason not to comply with Consumer Duty.
Its claims are based only on anecdotal evidence, and it suggested that some firms are avoiding collecting and storing customer vulnerability data to avoid a perceived conflict with GDPR.
Such firms argue that the fines and sanctions from the Financial Conduct Authority (FCA) will be far less than those from the ICO.
However, Andrew Gething, managing director of MorganAsh, insisted that this approach puts firms at risk of serious penalties and sanctions.
He stated that the ICO and FCA have already recognised this potential conflict, and provided advice back in 2015 with their consultation paper Occasional Paper 8.
How to support young landlords
Sponsored by BM Solutions
In addition, the ICO, along with the FCA, recently issued a statement to say that Consumer Duty does not require firms to act in a way that is “incompatible” with any regulatory requirements, including data protection law.
Consumer Duty
Consumer Duty requires companies to monitor consumer vulnerability during the lifetime of a product, and to use this data to compare to outcome data, as well as mitigate any potential harms.
GDPR requires firms to keep the data accurately and securely, as well as to be able to produce it and delete it if the consumer requests this.
With such challenges, MorganAsh argued that firms need dedicated IT systems to store this data.
Gething suggested that with some firms still yet to grasp the necessary data and systems required, some may be choosing instead not to comply.
He explained: “We are seeing a worrying trend where some firms use GDPR as a scapegoat for not complying with Consumer Duty. While firms are right to consider data protection laws, the response should not be to forgo such an important requirement of Consumer Duty.
“We can ensure data rules are respected and followed, while information can be gathered and stored legitimately to demonstrate that poor outcomes are minimal or indeed reducing.
“Where firms are likely to fall down is when they plan to repackage existing data or they lack the systems or processes to not just gather robust data, but to hold it securely.”
He continued: “Rather than burying their heads in the sand or choosing one regulation over the other to follow, firms of all sizes absolutely need to act and ensure their customer vulnerability implementation is compliant.
“Whether it’s Consumer Duty or GDPR, good-quality data is fundamental to good governance, and in our view, technology plays an important role in overcoming any supposed conflict, while meeting the requirements in an efficient and cost-effective way.”
MorganAsh launched its MARS platform to help firms understand and monitor vulnerable customers and deliver good outcomes, as required by Consumer Duty.
It helps businesses to adopt a consistent approach to identifying vulnerable characteristics and generate an objective resilience rating – much like a credit score.
The platform provides a top-level indication of a customer’s vulnerability without sharing extensive personal data, answering concerns some have about data protection.
As part of its Consumer Duty review, the FCA called for better quality data and customer analysis earlier this month.