A fundamental requirement of data protection law is that organisations have a lawful basis for processing personal data. Further, where the data in question is data concerning health, which is classified as “special category personal data”, additional conditions for processing must be met, even if a lawful basis has been identified. However, current FCA guidance on treating vulnerable customers fairly does not, in and of itself, provide a basis for processing special category personal data under data protection law, and other potential legal bases for the processing are either unsuitable or impose conditions that are difficult to satisfy.
For instance, while banks may seek to rely on customers’ explicit consent to justify transaction monitoring, as consent must be ‘freely given’, there is a risk that the very customers banks are trying to help refuse to give their consent to such data processing.
Banks may have an alternative to consent as a justification for monitoring transactions if they can show that the monitoring is necessary to protect the economic well-being of the customer, that doing so is in the substantial public interest, and that it would not be reasonable to seek consent if this could leave the most vulnerable customers exposed. However, complications around consent could persist under open banking rules.
For example, if a consumer wishes to take advantage of services offered by fintechs to manage their money using open banking technology, they are also required to consent to those third parties accessing their data and to regularly refresh their consent to this access. As a result, there is a risk that people with mental health issues might be disengaged or might be overly anxious about the idea of being monitored, and therefore less likely to monitor their accounts and/or be willing to respond to requests to ‘opt in’ and to refresh consent, which could be a barrier to them making the most of these services. If only the least vulnerable customers agree to such monitoring, this could impact the quality of the data analytics and machine learning and result in data bias.
The Information Commissioner’s Office (ICO) and the FCA have issued a joint statement confirming that FCA guidance on vulnerable customers is compatible with data protection law. However, there has been some criticism that the expectations of the two regulators are difficult to reconcile in practice.
One concern that the ICO is likely to have will centre on ensuring that the monitoring is targeted and proportionate, in line with the data protection law’s principles of fairness and data minimisation. In particular, the ICO will be concerned about ‘false positives’, such as irregular spending patterns stemming from people working shifts, which are not necessarily an indication of a mental health issue. Another concern it may have is around the potential for ‘mission creep’, whereby the insights gleaned from the monitoring are used for another purpose. For example, in identifying vulnerable customers, the banks might identify customers with erratic spending patterns due to lifestyle that are not necessarily connected to an underlying mental health issue, but which could indicate that the person is high risk from a credit perspective.
Clearer, practical guidance from the ICO on how to apply the data protection law in the context of monitoring transactions to help vulnerable customers manage their money is needed to help banks feel able to use the technology available to them to do so. Consideration might also be given to engaging with the ICO at an industry level to develop an agreed set of rules to enable banks to engage in proactive monitoring of transactions to help vulnerable customers.