The European Union General Data Protection Regulation (GDPR) comes into effect on May 25th 2018 and with just a few months left to comply with the requirements, time is of the essence for businesses.
Fund managers and administrators in particular are caught between the proverbial ‘rock and a hard place’ with respect to Know Your Client (KYC) documentation. On the one hand they must comply with KYC regulations by collecting private and potentially sensitive information on their investors (the ‘data subjects’), while on the other hand they are obliged to respect the evolving rights of investors in relation to data protection.
The territorial scope of the GDPR is far reaching and will apply not only to firms operating within the European Union (EU) but also to firms gathering data in, or offering services to, citizens of the EU. Applying this to the funds industry, GDPR will affect both funds based in the EU and funds based outside the EU which have EU domiciled investors or where the ultimate beneficial owners of their investors are EU domiciled.
Fund managers, their General Partners and service providers such as administrators cannot avoid such challenges as they are likely to be ‘Data Controllers’ under the GDPR: the natural or legal persons who determine the purpose and means of data processing. Funds with offices in several countries find that the information collected and held on investors needs to be shared across multiple borders between fund managers, administrators and group entities to comply with FATCA, the Common Reporting Standard, AIFMD and KYC requirements for international investments.
The Financial Times identifies the data protection challenge for international firms as being “…to navigate competing and often divergent regulatory regimes without incurring huge costs, whether in the form of compliance measures, or financial penalties if they are deemed to have broken the rules, or in reputational damage from a public rebuke by a state watchdog”. This challenge is most clearly illustrated by the potential fines of up to €20 million or 4% of annual turnover for non-compliance with the GDPR.
The main requirements of GDPR that will challenge the funds industry can be summarised as:
- Transfers of data to certain countries outside of the EU require the explicit consent of the data subject and the data subject must be informed of the specific risks involved in this transfer
- Data may only be used for a specific legitimate purpose and not further processed in a manner incompatible with that purpose
- Every reasonable step must be taken to ensure that inaccurate personal data is rectified or erased
- Data controllers must ensure appropriate security measures are in place, whether they be technical or organisational, to protect personal data from unauthorised processing and against accidental loss, destruction or damage
- Data subjects have the right to withdraw their consent, transparently access their information and ultimately to be forgotten if desired
To meet these requirements, funds and their service providers should ask themselves:
- Are the security measures of my firm adequate or vulnerable? Do we know or must we pay for a third party to test this?
- How is the KYC data used after initial on-boarding? Are we liable for further use and sharing of this information?
- How can the data be shared as required across multiple jurisdictions without breaching GDPR rules, for example, to invest in funds inside and outside the EU?
- Is my firm updating our clients’ data to ensure it remains accurate?
While investors may not be concerned about some elements of the KYC information they provide, they are likely to be very concerned over who has access to private information such as the beneficial ownership structure of their investment vehicles, what they are doing with this information and how it is stored. Collecting and maintaining KYC information by spreadsheet and pdf is no longer satisfactory. Financial service providers face a stark choice: maintain the status quo and risk hefty fines or invest in expensive advice and corresponding regulatory technology. So how can you comply with increasing legislative demands such as GDPR without affecting your IRR?
The ID Register is an investor onboarding platform that puts funds and their clients back in control. With over 19,000 unique investor profiles created to date, each investor can use a single profile to satisfy the requirements of KYC regulations, fund subscription and FATCA /CRS. The investor exercises control over which funds, administrators and banks they wish to share this information with. Fund managers then subscribe to the live data of their investors rather than having to collect, store and refresh it. With this simple and obvious solution, The ID Register currently supports over 140 fund managers, offering an elegant and cost effective way to launch funds with greater speed and efficiency.
The ID Register addresses the challenges of GDPR in that:
- Each ID Register profile is held on servers within the EU on the Microsoft Azure platform on a fully encrypted database with enterprise level information security and to the data privacy requirements of both the US and EU
- Investors complete their profiles in order to comply with Securities Law, KYC and FATCA/CRS requirements of the funds into which they invest
- Investor profiles can be shared outside the EU only by direction of the investor when required for further investments. A simple comparison to this model would be a LinkedIn ‘Connect’ request: the investor requests their KYC profile to be connected to a new fund based outside the EU and does not need to provide KYC documentation for a second time, an added bonus of the model
- The ID Register sends reminders to investors to update their information based on trigger events such as the expiry date of documentation and helps the investor to keep information up to date
In conclusion, data protection readiness is a leading concern of financial service providers in 2018 and quite rightly so in light of the increasing trend in international regulation to punish firms for data breaches. Funds and their investors face increasing regulatory demands and traditional solutions are no longer fit for purpose. The ID Register offers an effective solution that puts investors back in control of their own data while simultaneously providing a faster and more efficient method of complying with KYC, FATCA / CRS and fund subscription requirements, keeping your firm ahead of the regulatory curve.
Other articles on GDPR