The EU General Data Protection Regulation (GDPR), which replaces the existing data protection framework under the EU Data Protection Directive, applies from 25 May 2018. For financial institutions this represents a change resembling the recent transformational shift in business operations brought about by the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS). Like those regimes, GDPR has broad implications across the organization and demands the same kind of fundamental shift in business model that full FATCA and CRS compliance already requires.
Implementing the rules may be burdensome, and failing to do so exposes the organization to risk. However, risks can also be opportunities. This article explores the advantages of linking GDPR, FATCA and CRS compliance by identifying common challenges and leveraging shared solutions. Adopting an integrated, data-driven strategy supported by new technologies will improve operational efficiency, ease interaction with enforcement authorities and maximise a positive customer experience.
Seize the opportunity to leverage: Key overlapping GDPR and FATCA/CRS obligations
There are significant operational challenges arising out of new GDPR requirements which overlap with those already being encountered by financial institutions in the quest to maintain full ‘business as usual’ compliance with FATCA and CRS, for example:
FATCA and CRS requirements go hand in hand with GDPR: every business line involved in ongoing FATCA and CRS compliance is also affected by GDPR.
There is therefore a clear opportunity to streamline GDPR compliance by leveraging the processes already required under FATCA and CRS to design a fully compliant, efficient and sustainable business model around customer information. In doing so, financial institutions can optimise their business processes and implement a genuine digital and data strategy.
How can this be achieved?
Designing a fully compliant, efficient and sustainable business model means abandoning the traditional approach to compliance. Compliance has traditionally been approached with an as-needed, minimum-requirements mindset, creating multiple competing priorities, teams and systems. GDPR and the customer tax transparency regimes demand accountability across many of the same areas of the business; neither is a 'one department' solution. Therefore, while existing infrastructure should be leveraged to the fullest extent, streamlining related regulatory and tax requirements through a collaborative governance structure will deliver the best results.
An effective compliance model includes:
An organized and strategic approach to collecting and maintaining customer data would better enable financial institutions to offer tailored products to their customers, creating a stronger value proposition. Customer experience suffers where business units operate in an insular culture with siloed processes. Moreover, as a result of FATCA and CRS reporting, taxpayers may contact financial institutions with information requests for reconciliation purposes, for instance to match the data reported under FATCA and/or CRS against the data in their own tax returns. Realizing the full potential of data analytics offers an opportunity to improve the customer experience and strengthen a trusted relationship.
There is no doubt that today's digital world increases competition. Data analytics should sit at the core of a financial institution's business model, and advances in technology, notably digitalization, are already paving the way.
GDPR, together with FATCA/CRS compliance, is an opportunity to build a sustainable business model that is both fully compliant, measuring up to the strict expectations of enforcement bodies, and good for business, strengthening the bond with customers. The benefits of a sustainable business model based on data analytics are twofold:
As with FATCA and CRS, reaching an operational position of GDPR compliance is only the end of the beginning. Compliance is an ongoing responsibility requiring proper governance, procedures, training and internal control strategies. It is the inability to execute on regulatory and tax commitments on an ongoing basis that puts an organization at high risk of enforcement issues, including penalties, bad press and customer class actions.
As the landscape around customer data continues to evolve, financial institutions should approach compliance with multiple customer data regimes by leveraging and coordinating their efforts across the organization.
This article was written by Robin Riffaud-Lacaze and Amanda Murphy, and was originally published in the February edition of Finance Dublin