The General Data Protection Regulation (GDPR) applies from this Friday (25 May 2018) and, to put it crudely, aims to limit firms' ability to hold on to customer data. But in the world of advice, where keeping records is vital to fighting future complaints, how have firms struck the balance? New Model Adviser® asked some of the biggest advice businesses and found different approaches to the problem.
The sweeping EU legislation is aimed primarily at minimising both the volume of data stored on individuals and how long it is retained for.
To summarise the legal requirements, Article 5(1)(e) of the GDPR states personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is being processed. There are some circumstances in which personal data may be stored for longer periods (e.g. for archiving purposes in the public interest, or for scientific, historical research or statistical purposes), provided appropriate safeguards are in place.
Recital 39 of the GDPR states the period for which the personal data is stored should be limited to a strict minimum. Time limits should be established by the data controller for deletion of the records (referred to as erasure in the GDPR) or for a periodic review.
Organisations must therefore ensure personal data is securely disposed of (deleted, or irreversibly anonymised so it is no longer personal data) when no longer needed. Beyond the legal requirement, this reduces the risk that retained data becomes inaccurate, out of date or irrelevant, and it shrinks the amount of data exposed if systems are breached.
The Financial Conduct Authority (FCA) is not responsible for GDPR. That falls to fellow regulator, the Information Commissioner's Office (ICO).
Nevertheless, the FCA has been including questions on GDPR preparation in conversations with the firms it regulates.
But, in a profession in which past advice can result in complaints years later, one might expect advice firms, particularly networks and nationals, to hold client data for as long as possible.
As such, there is some inconsistency among firms as to how to interpret GDPR expectations. New Model Adviser® has discovered the retention policies for client files, where the contract for ongoing advice has been terminated, differ depending on the national advice firm or adviser network.
Lee Simmons, group compliance manager at national advice firm LEBC, said: ‘Our policy will be to retain certain files indefinitely, such as defined benefit transfers, as this is mandated by FCA record keeping rules.’
LEBC also plans to do the same with other high-risk areas, such as investments to retail clients. ‘A claim can be brought before the Financial Ombudsman Service (FOS) within three years of the complainant becoming aware they had cause to complain,’ Simmons said.
For other types of business, Simmons explained, LEBC will maintain the file ‘for claim purposes’ for six years after the end of the relationship.
He added: ‘In all cases, after three years all files will be put into “deep” archiving. These will only be accessible by a limited number of individuals in a limited number of circumstances.’
Openwork said its retention policy also depended on the type of product. A spokesman said: ‘For term products and investments, we retain data for seven years after the end of the contract. Some pension contracts require data to be kept indefinitely.’
An Old Mutual Wealth Private Client Advisers (OMWPCA) spokesman said, outside the FCA’s regulatory requirements, the firm could keep client data for up to 50 years following contract termination. But this depends on the product type.
Standard Life-owned national 1825 did not put a definitive timescale on retention. It said: ‘We only retain the required information where a client or former client still has a reliance on the advice given. This is in line with our regulatory obligations and is fully aligned with our Retention and Deletion Policy.’
The FCA’s COBS 9.5 rules mandate firms retain records relating to suitability indefinitely for pension transfers, pension conversions, pension opt-outs and free-standing additional voluntary contributions (FSAVCs). If the advice pertains to a life policy, personal pension scheme or stakeholder pension scheme, the records must be retained for five years. For any other business, the regulatory minimum is three years.
However, if intending to retain data beyond those minimums, firms need to identify, and document, a lawful basis under Article 6 of the GDPR for doing so.
Phil Young (pictured above), director of Zero Support, said there would probably be inconsistency in firms’ interpretation of which lawful basis to apply and under which circumstances.
He said he has noticed different firms pick a different lawful basis for the same data and purpose, all with the best intentions. ‘But not all of them can be right,’ Young added.
The same applies to retention periods, notably for ex-clients where there is a desire by most advisers to retain files for as long as possible, but the justification is not consistent. ‘Some firms look to keep files indefinitely, while others take a view files will be deleted a set number of years after termination of the contract. And some seem to stick to Mifid record-keeping obligations and nothing more.’
OMWPCA said it will apply a different timescale for the retention of ex-client files once the regulatory minimum has expired. It said this is ‘on the basis of the FOS allowing complaints or claims to be reviewed beyond the standard six-year timeframe in exceptional circumstances (e.g. client is incapacitated).’
In certain cases, LEBC said it would be required to keep data to ensure compliance with ‘legal and regulatory obligations’. It will also retain data to ‘keep a clear record of the advice given in the event a complaint should be raised’.
‘This will allow LEBC to fulfil its obligation under FCA Handbook DISP 1.4.1(1) to, “investigate the complaint competently, diligently and impartially, obtaining additional information as necessary”,’ Simmons explained. ‘It will also allow LEBC to comply with the DISP 1.4.4 requirement to, “cooperate fully with the FOS”.
‘In our experience, the FOS will ask LEBC to provide it with a full copy of the client file to allow it to investigate a complaint,’ he added.
Openwork said it needed to obtain and retain data to service its contract with clients. It added: ‘We retain data for the specified periods to cover regulatory need and any requests for information or complaints from clients after the contract has ended.’
GDPR also introduces the right to ‘erasure’, the so-called right to be forgotten. Yet again, national firms and networks’ policies demonstrate a variety of interpretations.
Asked how it would respond to requests for erasure from former clients, 1825 said it would ‘look to comply by removing all the relevant information from all storage locations. However, there may be occasions where we believe we are statutorily obliged to retain former client data. When this is the case, it will be clearly communicated as part of the process.’
Openwork also said it would delete data on request for erasure, providing there is no regulatory need to retain it. It added: ‘If we have entered a contract with a client and the product is in force, or has been in force, we’ll retain the data for the period required from a regulatory point of view.
‘But in this case we’ll also restrict processing and access to the data so the client is no longer routinely contacted by Openwork.’
Simmons said LEBC ‘will not comply with such a request where to do so would violate any FCA record-keeping requirement’. He added: ‘However, unless LEBC has reasonable grounds to refuse to erase personal data, requests shall be complied with, and the data subject informed, within one month of receipt of the request.’
Old Mutual’s approach is more defensive: ‘Under Article 17 of the GDPR, we will assess any requests for erasure and carry them out where there is a valid basis to do so. Explicitly we will decline any requests where we have a lawful basis for retaining records.’
The nature of firms’ approach to data retention under GDPR is bound to have a knock-on effect on their capacity to respond to potential complaints. Asked how they intended to address this, the firms we spoke to differed substantially in the detail they could provide.
For instance, LEBC said it would retain files, especially those involving higher risk areas, for longer than six years. The FOS has time limits for clients who wish to complain to it. They are six months from the business sending its customer a final response, and six years from the event the client is complaining about or, if later, three years from the date the client became aware (or ought reasonably to have become aware) they had cause to complain. The FOS can also accept complaints outside these limits in exceptional circumstances.
Simmons said: ‘We do not have a great deal of complaints about the quality of our advice. But, when the occasional case does surface from earlier than six years ago, it is important to have the file to assess the complaint. We need to share it with the FOS if the client does not agree with our assessment.’
GDPR has made LEBC reflect more closely on what data it holds, for how long and where it stores it, but Simmons does not see it having too great an impact on handling complaints.
Openwork said it is introducing tighter rules around ‘housekeeping’ and data retention for client data. The spokesperson said: ‘The handling of potential complaints is unaffected. We will retain client and product data for the specified retention period, which will include coverage for the regulatory timescales for complaints.’
Old Mutual said since GDPR is ‘an evolution of the Data Protection Act’, client record-keeping and the handling of potential complaints ‘won’t alter significantly’ from its current process.
There is an expectation the ICO and the FCA will allow some leeway initially for firms that can demonstrate they have made substantial efforts to adapt to the new rules.
But records can be crucial in deciding whether advice given was suitable or not. Deleting files in the mistaken belief that GDPR requires it could land a firm in difficulties later on, since the file may be the only evidence available when a complaint reaches the FOS. Equally, clients may not be happy with firms telling them data has been retained for regulatory purposes, so firms should be able to point to the specific rule or lawful basis relied on.
One possible solution would be for the ICO and the FCA to establish joint guidance on the issues surrounding data retention and complaints.