Out-Law Analysis | 12 Aug 2015 | 10:18 am | 7 min. read
Every forward-looking financial services organisation is now expected to have a well-developed digital strategy in place, not least by its customers. However, the success of firms' digital channels will require effective planning and a sound understanding of the relevant legal and regulatory frameworks, most importantly in three areas: customer interaction, use of data, and technology infrastructure.
The potential prize of convenience for greater numbers of customers at less cost is an attractive one, and the Financial Conduct Authority (FCA) recognised in its 2015 Business Plan and Risk Outlook that firms will continue to focus their attentions on their digital strategy and planning in 2015. However, the regulator also warned in its Business Plan that "technology may outstrip firms' investment, consumer capabilities and regulatory response".
By effectively balancing innovation with legal and regulatory requirements in each of these three areas, firms can begin to view themselves as digital leaders, rather than businesses playing catch-up with their competitors.
Firms' intentions when looking to improve customer interaction can range from a desire to enhance the customer experience through to gaining greater control over the customer relationship. Whatever the motivation, clarifying the 'channels' used to approach potential customers and the ensuing contractual and regulatory relationships will be central to any effective digital strategy.
'Digital-first', 'digital-led', 'multichannel' and 'omnichannel' are now ubiquitous phrases, but they effectively represent the same thing: that the nature of communication with the customer has changed and the number of channels through which you can reach customers and provide services has increased.
The digital devices and channels available range from mobile devices and apps that provide an opportunity to reach customers in an intimate and immediate way, to websites - including aggregator and social media sites - and digital offerings developed by intermediaries. As many of these channels have their own unique features, they will also present unique legal and regulatory challenges.
For example, how financial promotions and risk warnings must be presented will need to be considered specifically for each channel, as requirements such as prominence, size and clarity may have a different impact on each. At the same time, the FCA will look to apply its rules consistently, irrespective of the physical restrictions of a particular channel.
Social media presents its own risks, however it is accessed. These include the ease of forwarding and re-posting, the issues raised by real-time communication and character limitations - all of which create potential challenges when presenting a clear and comprehensive message to the right audience.
Financial firms will need to keep these challenges in mind continuously if they are to navigate them successfully: before channels are built, during the development process and after they go live.
Contracting with customers
Firms need to clearly understand how the scope and nature of their legal and regulatory relationships with customers may change in a digital environment. Although the underlying legal and regulatory principles will remain essentially the same, a digital context can have a significant impact on how firms comply, and are expected to comply, with these principles. For example, how a contractual agreement is formed with a customer, including distance requirements and fairness, clarity and availability of contractual terms, will need to be considered in the particular circumstances. In addition, 'knowing' customers, verifying their identities online, securing and authenticating transactions and dealing with anti-money laundering and fraud will all be affected by the move to a digital environment.
Gaining explicit customer consent and producing evidence of positive client affirmations are common related challenges. These issues remain despite the European Commission, the Cabinet Office and a number of industry associations investing heavily over a number of years in the development of digital identity infrastructures. Consumers are hearing more and more promises of seamless, paperless, cross-border financial products and services, but the reality is that straight-through digital-only transactions are still only a concept and a useable, consistent approach remains some way off.
This is not to say that the client identification and verification digital framework has come to a halt. New and developing European legislation in this area includes the development of an Electronic Identification and Trust Services (eIDAS) Regulation that will come into force next year and new anti-money laundering requirements and rules governing payment initiation and access to accounts under a second Payment Services Directive (PSD2).
Firms should be concerned with understanding these changes to customer interaction just as much as they should be thinking through changes to online consumer rights, the regulatory position on unfair terms and varying customer terms in a digital context.
'Big data', advances in data science, the use of algorithms and analytics are all providing financial firms with opportunities that they have never had before. However, these opportunities need to be balanced against customers' rights, effective governance and the need for cyber risk protection frameworks.
As these issues continue to develop, data protection and cyber security laws continue to undergo significant reform at EU level. While it was as far back as January 2012 that a draft EU-wide General Data Protection Regulation was first introduced by the European Commission, it was not until March 2014 that the European Parliament voted in favour of an agreed position on the legislation's draft text. The Council of Ministers, the third body involved in forming EU legislation, reached its own agreed position in June 2015 and a "shared ambition" to finalise the legislation by the end of 2015 now looks significantly more achievable.
Uncertainty around the outcome of these negotiations still presents a genuine challenge to forming an effective digital strategy, and financial firms will need to be prepared for change in relation to many aspects of the ways that they process data. The proposed changes range from new mandatory data breach notification obligations and new or changed requirements to enable data portability, rectification and erasure, to fines of potentially up to €100 million or up to 5% of annual worldwide turnover if the European Parliament's position were to be accepted.
It is important that firms have a clear understanding of both current data obligations, and how these are likely to change in the future, when making decisions to push ahead with long-term innovation or to change the approach of particular projects.
Dealing with modern technology infrastructure
The right technology infrastructure should provide agility, efficiency and flexibility for your business. At the same time, poorly designed approaches to dealing with old 'legacy' technology can prove costly. Maintaining adequate risk profiles and monitoring in an environment where technology is increasingly developed by and procured from start-ups and SMEs is particularly important. Firms need to ensure that appropriate governance and controls are in place to manage their infrastructure development.
Challenges remain in finding the right mix of personnel and expertise to implement policy frameworks once agreed. At a high level, digital is often on the radar of the board or a key driver for some members of it, but the day-to-day governance and management of digital can become a battleground between different businesses and risk teams. It is not always straightforward to communicate throughout the business the extent to which moving to a more digital approach can mean fundamental changes to the way that the business operates and governs itself. It may also require retraining individuals and, in some cases, recruitment of specialist staff.
The most effective legal teams will want to act as enablers for proper business decisions, rather than just initiating new policies to govern the risks arising from those decisions. A clear understanding of how changes to the business will affect its risk profile is essential to providing this kind of practical support.
Risk management policies need to be developed to deal with the particular risks of business transformation. The most obvious of these is cyber risk, which is worth considering further in its own right.
How effectively businesses deal with cyber security risks is becoming more of a differentiating factor between businesses, both in terms of reducing technology expense and enabling future innovation. Cyber threats range from individuals, such as ex-employees, looking to steal confidential information through to sophisticated criminal gangs working as part of international syndicates. The reality now is that these threats are always present for every business.
Just as significant as the risks of cyber crime are the costs associated with outages and other network and data-related incidents that result from accidental or inadvertent actions of employees and third-party outsourced technology suppliers.
Financial services businesses need to plan and be effectively prepared for all kinds of technology risk, whether through the terms of contractual arrangements with suppliers or in the way in which they react to cyber threats. Technical teams need to speak a language that the rest of the business can understand, and be able to communicate effectively with legal teams in times of crisis. They also need to be fully aware of and committed to organisational and technical measures that are of a standard that regulators expect. That standard is an ever-changing one as the 'state of the art' of cyber protection technologies and the organisational methods for dealing with risk continue to evolve.
What next for firms?
We have only been able to briefly highlight the issues for financial firms presented by the shift to digital here. However, it is clear that maximising the opportunities, avoiding costly mistakes and being effective in implementing a digital strategy all require an up-to-date understanding of how the legal and regulatory frameworks relating to digital interact with financial services laws and regulation. Firms investing time and effort in planning their digital strategy at the outset will be in a much better place to manage the known risks and reduce the impact of unexpected developments in future than those who develop such a strategy 'on the hoof'.
The FCA has recently issued a 'call for input' in relation to regulatory barriers to innovation in digital and mobile solutions. The paper stresses that any perceived barriers, whether in relation to the FCA's rules, those of the Prudential Regulation Authority, the Payment Services Regulator or even the EU, should be raised by firms, for potential change or influence by the regulator. Responses to this paper are due by 7 September 2015 and firms should consider whether there are issues they are facing in their own digital developments worth bringing to the attention of the FCA.