Financial firms have been given fresh clarity on how to balance customer communication obligations with data protection rules, following a joint statement from the FCA and the Information Commissioner's Office.
The statement reiterates that data protection rules do not prevent firms from collecting, recording and sharing customer vulnerability data.
The statement provides fresh clarity for financial services firms, confirming that GDPR and the Data Protection Act do not stop firms from delivering good outcomes and should not be seen as a barrier to identifying and supporting customers in vulnerable circumstances.
In the statement, the FCA has repeated its expectations for firms to recognise indicators of vulnerability, record the issues and monitor and review them over the lifetime of products. It also calls on firms to respond to the needs of vulnerable customers and report on this with clear evidence.
Meanwhile, the ICO reiterates that data protection rules do not prevent firms using personal information where it is appropriate and necessary to protect individuals or provide them with vital support. It sets out several lawful bases for firms to process data to identify consumers in vulnerable circumstances.
Crucially, the FCA and the ICO also emphasise the importance of collaboration between manufacturers and distributors, calling on firms to share information where necessary to ensure customers receive appropriate support throughout the product lifecycle.
Andrew Gething, managing director of MorganAsh, said: “The fear of non-compliance with GDPR has stalled progress on Consumer Duty and its requirements for customer vulnerability management. This joint guidance from the FCA and the ICO not only reiterates that firms can hold and process vulnerability data in line with data protection laws, but they are actively encouraged to share it within the distribution chain to improve outcomes.
“To do this, firms need good data that can be transferred and in a structured format. Holding vulnerability data that is subjective, inconsistent and found in free text boxes in CRMs will make this far harder to achieve. Robust IT systems will enable firms to not only gather the necessary information in an objective and consistent way, but ensure it's up to date, secure and fully auditable, ready for reporting to the regulator or for any future subject access requests.”


