Out-Law News

To share or not to share: insurers, banks and regulatory requests


John Salmon’s Financial Services blog

Financial services sector head John Salmon brings you insight and analysis on what really matters in the world of financial services.

Sharing information is at the heart of financial services, but this week's events show that it is never a simple or easy issue. Insurers are being encouraged to share, UK banks have concerns about sharing, Deutsche Bank is looking for opportunities to share and the UK Government is proposing that financial institutions in general support a move to share more data with US regulators.  


Insurers, fraud and data

Insurers know that fraudulent claims are damaging their profits and increasing the cost of insurance to businesses and consumers. Their latest plan for combating fraud is more sharing of information.

Through the Association of British Insurers (ABI) and the Insurance Fraud Bureau, insurers are creating a database called the Insurance Fraud Register (IFR), which will list people who have been involved in fraudulent, "bogus" and "exaggerated claims". Information will be stored on the database for five years.

This is likely to become an effective investigatory tool, especially as insurers look for more ways to engage in fraud prevention, with the industry hoping to clamp down on the £2bn of fraudulent claims that the ABI says are paid out every year. But the register also poses some tough questions.

The first that may trouble some is about data protection: can insurers be certain that they are not violating individuals' rights by sending material to the database? After all, saying that someone is involved in a fraudulent claim is a sensitive matter.

The ABI said that it has consulted with privacy regulator the Information Commissioner's Office and that populating the IFR will not cause financial institutions to infringe sensitive personal data non-disclosure requirements.

Although the Data Protection Act requires sensitive data to be treated with a heightened degree of caution, its rules make provision for insurers to engage in fraud detection and prevention activities. Although generally the processing of sensitive data requires the 'explicit consent' of the individual to whom it relates, this general requirement does not apply where processing "is necessary for the purposes of preventing fraud".

A more difficult question is to do with data accuracy. Third parties including other insurers and the regulator will rely on the information provided, so insurers really have to ensure that any allegations they make are supported by evidence and that they have processes in place that enable timely updating of the database, as and when new information relating to an alleged offence becomes available.


Banks, fraud and data

While an association of insurers is looking to have its members share more information, its banking counterpart is concerned with the amount of information that its members may be required to share once the proposed EU Data Protection Regulation is in force.

In response to a call for evidence from the House of Commons' Justice Committee, the British Banks' Association (BBA) has taken issue with the proposal that banks be required to respond electronically to requests for access to personal information.

Although the sentiment is admirable (the European Commission wants you and me to be able to request access to our personal information in a timely and user-friendly manner), the proposed Regulation does not appear to account for an important practicality.

Financial institutions need to be absolutely certain that a request for access to financial information is not fraudulent. If requests are to be made electronically, significant safeguards must be put in place and the costs of doing so must be considered.

The BBA has also put forward some suggested amendments that seek to clarify that any changes to data retention laws must take into account the special circumstances applicable to processing financial data. It has proposed that the new Regulation explicitly acknowledge the right of banks to retain data for the purposes of investigating money laundering, fraud and terrorist financing allegations through a number of new exceptions.  


Sharing with Deutsche Bank

Deutsche Bank has proposed that the investment banking sector cut costs by embracing open source software. Through its Lodestone Foundation, it is suggesting that market data platforms, trade repositories for over-the-counter derivatives and grids for risk and pricing could all follow common standards and be set up via a shared infrastructure, possibly in a cloud.

It is interesting to think about what this means in light of the glitches, outages and breaches that UK financial institutions have faced recently. It may be that a move towards greater standardisation will encourage the development of more stable and secure systems.   


Sharing with the US

Finally, as we noted two weeks ago, financial institutions need to begin preparing for the US Foreign Account Tax Compliance Act (FATCA) which will come into effect on 30 June 2013.

This week FATCA became the subject of a bilateral agreement between the UK and the US which Exchequer Secretary to the Treasury David Gauke has described as "the first of its kind and represents a significant step forward in the scope and nature of information exchange between governments."

The Government is now proposing implementing legislation. Financial services firms should watch this closely – there is a danger that they will be trapped between FATCA's demands to divulge information and EU demands not to do so. They may have to make robust arguments to Government when the legislation is being planned.
