New FCA and ICO statement confirms GDPR is no barrier to collecting and sharing vulnerability data, says MorganAsh

Customer vulnerability specialists MorganAsh have welcomed a joint statement from the FCA and the Information Commissioner’s Office (ICO) reiterating that data protection rules do not prevent firms from collecting, recording and sharing customer vulnerability data.

Editor | Modern Lender
30th March 2026
Andrew Gething

The statement provides fresh clarity for financial services firms, confirming once again that GDPR and the Data Protection Act do not stop firms from delivering good outcomes and should not be seen as a barrier to identifying and supporting customers in vulnerable circumstances.

In the statement, the regulator has repeated its expectations for firms to recognise indicators of vulnerability, record the issues and monitor and review them over the lifetime of products. It also calls on firms to respond to the needs of vulnerable customers and report on this with clear evidence.

Meanwhile, the ICO reiterates that data protection rules do not prevent firms using personal information where it is appropriate and necessary to protect individuals or provide them with vital support. It sets out several lawful bases for firms to process data to identify consumers in vulnerable circumstances.

Crucially, the FCA and the ICO also emphasise the importance of collaboration between manufacturers and distributors, calling on firms to share information where necessary to ensure customers receive appropriate support throughout the product lifecycle.

To achieve this, MorganAsh argues that firms need robust processes to gather data of the quality required for it to be shared and transferred in a structured format. Given the requirement on firms to keep this data accurate and secure, MorganAsh believes firms must invest in the necessary IT systems to manage and store this information properly.

The statement reinforces key principles set out by both the FCA and the ICO in previous communications, dating back as far as 2015, as well as by MorganAsh, and which are now embedded in recent guidance from the CII and the PFS.

MorganAsh is currently working with the Chartered Insurance Institute as part of its data sharing taskforce, bringing the learnings from the MorganAsh Resilience System (MARS) to help develop standardised data formats that firms can use to share such data. Following the guidance on customer vulnerability management, MorganAsh is also contributing to further guidance on sharing vulnerability data.

Andrew Gething, managing director of MorganAsh, said: “The fear of non-compliance with GDPR has stalled progress on Consumer Duty and its requirements for customer vulnerability management. This joint guidance from the FCA and the ICO not only reiterates that firms can hold and process vulnerability data in line with data protection laws, but they are actively encouraged to share it within the distribution chain to improve outcomes.

“To do this, firms need good data that can be transferred and in a structured format. Holding vulnerability data that is subjective, inconsistent and found in free text boxes in CRMs will make this far harder to achieve. Robust IT systems will enable firms to not only gather the necessary information in an objective and consistent way, but ensure it’s up to date, secure and fully auditable, ready for reporting to the regulator or for any future subject access requests.

“We are pleased to be working closely with the CII, contributing to their data sharing taskforce and supporting the further development of practical guidance in this area.”

MorganAsh is a specialist in Consumer Duty and customer vulnerability. The firm launched its multi-award-winning MorganAsh Resilience System (MARS) to help firms understand and monitor vulnerable customers and deliver good outcomes – as required by Consumer Duty. It is in use across financial services and the utilities sector, enabling businesses to adopt a consistent approach to identifying vulnerable characteristics and generate an objective Resilience Rating – much like a credit score.

Not only can this objective measure be shared across the value chain, it provides a top-level indication of a customer’s vulnerability without sharing extensive personal data – answering concerns some have about data protection.
