A potentially explosive compliance danger exists for finance firms that over-prioritise anti-money laundering (AML) and know-your-customer (KYC) imperatives at the expense of Privacy.
The EU’s General Data Protection Regulation (GDPR) has only applied since May 2018, but the total fines imposed by European data protection authorities (DPAs) already exceed those imposed by financial regulators when the four jurisdictions examined below are taken together. A disproportionate focus on AML/KYC therefore risks obscuring a significant and continuing Privacy liability.
Data protection enforcement figures suggest that:
This article examines the penalties imposed by Finance and Privacy regulators during three calendar years (2020-2022) in the UK, Ireland, France, and Germany, including discussion and insights.
Country-specific data sources include the following:
Privacy fines do reach finance firms. While the largest Privacy fines have been issued against non-finance firms, such as Meta, TikTok, Amazon, and Google, they have targeted matters that apply equally to finance firms, such as:
This includes having identified the appropriate legal basis for processing personal data.
In July 2022, the Lower Saxony DPA issued a €900,000 fine against a bank for combining datasets to profile its customers without their consent. The bank argued that the profiling was justified by its legitimate interests, but the DPA rejected that argument.
Individuals must have sufficient information about the processing of their personal data. This is particularly true of automated decision-making processes that can have significant legal or other consequences for individuals, such as a firm using algorithms to filter client applications.
In May 2023, the Berlin DPA fined a Berlin-based bank €300,000 for failing to be transparent about why its algorithm denied a credit card to an applicant.
Across the four countries taken together, Privacy fines were 22% higher than financial regulatory fines.
There are, however, significant differences within the jurisdictions.
The numbers clearly show that the FCA is the primary enforcement risk for firms operating only in the UK. London is a centre of finance, as the FCA’s substantial fines demonstrate, yet the regulator’s three-year total is still short of Ireland’s single biggest Privacy fine.
Whether deserved or not, the ICO has a reputation in UK and EEA data protection circles for issuing relatively few GDPR fines. One may argue that Ireland hosts the enormous US-based tech groups, and that is a valid point, but DPAs in countries such as Spain issue many more fines than the ICO does.
Looking at quantum (the total amounts), there is a significant imbalance in the UK, with Finance fines totalling £976.2m compared to £61.7m for Privacy fines.
The Central Bank of Ireland’s finance fines total €305.3 million in the years 2020 to 2022.
As mentioned above, however, the major US technology companies designate their Irish subsidiaries as the EEA controller under GDPR. Ireland is therefore home to the EEA headquarters of most of the largest US-based tech groups, and the Irish DPA is their lead supervisory authority for cross-border processing under GDPR’s one-stop-shop mechanism.
The numbers clearly reflect this situation, with Ireland’s Data Protection Commission (DPC) issuing exceptionally large Privacy fines totalling more than €1.5 billion over 2020-2022.
Enforcement work by Ireland’s DPC illustrates that investigations can take two to three years to complete, and the DPC has more than its share of large investigations. GDPR took effect in May 2018, but delivering headline penalties required years of investigation.
It also illustrates the rapidly growing size of GDPR fines and the impact of the regulation’s cooperation and consistency mechanism, which requires a lead DPA to circulate its draft decision to the other concerned DPAs. Where those authorities cannot resolve their objections, the dispute goes to the European Data Protection Board (EDPB) for a binding decision. That process has resulted in large increases to draft fines proposed by the DPC.
As with Ireland, French Privacy penalties (€453.9 million) significantly outpaced those for financial misconduct (€231.7 million).
CNIL, the French DPA, is known for proactively asserting its jurisdiction and issuing large fines for cookie practices under the ePrivacy Directive. Because those cases are brought under French law implementing the ePrivacy Directive rather than under GDPR, the one-stop-shop mechanism does not apply, and CNIL can act directly against companies headquartered elsewhere in the EEA.
Precise figures for German Privacy fines can be difficult to find, because the country’s array of state DPAs works alongside the federal DPA. Germany’s Finance and Privacy fines were the lowest of the four countries examined.
Unlike the other three countries, German penalties were more evenly distributed between financial misconduct (€64.2 million) and Privacy violations (€51.7 million).
Three Privacy enforcement cases outside the scope of this analysis further demonstrate that GDPR fines are growing:
AML and KYC are, and will rightly remain, key areas of compliance for the financial industry. However, the risk of Privacy fines for Finance players looks to be increasing, particularly with the widespread adoption of artificial intelligence, the growth of cross-border processing, and ever-larger customer data sets.
European DPAs have shown their willingness to impose significant penalties, which can be further amplified by the GDPR’s consistency mechanism for cross-border processing. Additionally, the race to deploy artificial intelligence tools may soon result in GDPR super-fines targeting finance firms.
(Robert Baugh is the Founder and CEO of Keepabl, Privacy Management SaaS based in London. Prior to Keepabl, Robert was General Counsel of technology growth companies for more than a decade.)