Data protection conundrum for banks over money and mental health risk

Out-Law Analysis | 05 Nov 2020 | 12:00 pm | 3 min. read

Banks face a data protection conundrum when considering how best to intervene in helping customers manage interlinked money and mental health issues.

Findings from a survey of more than 1,000 UK adults carried out earlier this year by Pinsent Masons identify real scope for banks to further leverage data-driven and technological solutions to help their customers better manage both their money and mental health.

Jonathan Cavill


Banks face a challenge in reconciling their obligations under data protection law with the expectations of the Financial Conduct Authority (FCA) over their treatment of vulnerable customers

However, the survey responses highlighted the potential for data-based interventions by banks to go further than what many customers would feel comfortable with. In addition, banks face a challenge in reconciling their obligations under data protection law with the expectations of the Financial Conduct Authority (FCA) over their treatment of vulnerable customers.

The survey results

The purpose of the Pinsent Masons report is to highlight the extent to which customers are willing to engage with financial institutions in relation to mental health issues and the range of initiatives currently adopted by the industry to support customers.

There are already some money management tools available. These range from Money Dashboard, which gives users the ability to review all of their online financial accounts in one place, to InBest, which enables users to calculate the benefits to which they are entitled. Another tool, Castlight, uses open banking technology to assess affordability of customer credit arrangements and help customers to access financial products. Some banks, such as Monzo, Barclays and Starling Bank, also provide customers with the option to 'self exclude' from gambling transactions.

However, the Pinsent Masons survey found that, despite the good work done by industry, many vulnerable customers who would benefit from these tools may not be aware of them: of those who said they use money management tools, 84% said they use text alerts, while 71% of the respondents said they felt they do not need to use such tools at all.

The survey also gauged consumer views on the way in which banks might analyse their data to identify triggers for their intervention. Attitudes were mixed. Approximately two-thirds of respondents said they support the idea of their bank getting in touch if it identifies abnormal spending patterns or reduced incoming payments. However, 68% said they were in favour of intervention only if consumers have first informed their bank that they have a mental health issue that could impact on their ability to manage their money. Those respondents said they did not think banks should be responsible for obtaining their personal information.

The data protection conundrum facing banks

Meeting the expectations of consumers in this area and addressing the increasingly stringent regulatory requirements set by the FCA is complicated by a range of legal and practical issues. Our report highlights some of these, which include issues of potential liability as well as those arising out of the quality of data banks have available to work from.

However, banks are being increasingly drawn by consumers and regulators towards monitoring customers’ financial data to identify unusual spending patterns and offer proactive support, such as monitoring transactions, contacting the customer and blocking transactions, and this raises particular challenges under data protection law.

Kathryn Wynn


Current FCA guidance on treating vulnerable customers fairly does not, in and of itself, provide a basis for processing special category personal data under data protection law

A fundamental requirement of data protection law is that organisations have a lawful basis for processing personal data. Further, where the data in question is data concerning health, which is classified as "special category personal data", additional conditions for processing must be met, even if a lawful basis has been identified. However, current FCA guidance on treating vulnerable customers fairly does not, in and of itself, provide a basis for processing special category personal data under data protection law, and other potential legal bases for the processing are either unsuitable or impose conditions that are difficult to satisfy.

For instance, while banks may seek to rely on customers' explicit consent to justify transaction monitoring, as consent must be 'freely given', there is a risk that the very customers banks are trying to help refuse to give their consent to such data processing.

Banks may have an alternative to consent as a justification for monitoring transactions if they can show that the monitoring is necessary to protect the economic well-being of the customer, that doing so is in the substantial public interest, and that it would not be reasonable to seek consent if this could leave the most vulnerable customers exposed. However, complicating issues of consent could persist under open banking rules.

For example, if a consumer wishes to take advantage of services offered by fintechs to manage their money using open banking technology, they are also required to consent to those third parties accessing their data and to regularly refresh their consent to this access. As a result, there is a risk that people with mental health issues might be disengaged or might be overly anxious about the idea of being monitored and less likely to monitor their accounts and/or be willing to respond to requests to 'opt in' and to refresh consent, which could be a barrier to them making the most of these services. If only the least vulnerable customers agree to such monitoring, this could impact the quality of the data analytics and machine learning and result in data bias.

The Information Commissioner's Office (ICO) and the FCA have issued a joint statement confirming that FCA guidance on vulnerable customers is compatible with data protection law. However, there has been some criticism that the expectations of the two regulators are difficult to reconcile in practice.

One concern that the ICO is likely to have will centre on ensuring that the monitoring is targeted and proportionate in line with the data protection law's principles of fairness and data minimisation. In particular, the ICO will be concerned about ‘false positives’, such as irregular spending patterns stemming from people working shifts, which are not necessarily an indication of a mental health issue. Another concern it may have is around the potential for ‘mission creep’ whereby the insights gleaned from the monitoring are used for another purpose. For example, in identifying vulnerable customers, the banks might identify customers with erratic spending patterns due to lifestyle that are not necessarily connected to an underlying mental health issue, but which could indicate that that person is high risk from a credit perspective.

Clearer, practical guidance from the ICO on how to apply the data protection law in the context of monitoring transactions to help vulnerable customers manage their money is needed to help banks feel able to use the technology available to them to do so. Consideration might also be given to engaging with the ICO at an industry level to develop an agreed set of rules to enable banks to engage in proactive monitoring of transactions to help vulnerable customers.