Another Privacy Regulation Looms into View

A senior analyst gives this publication a tour around what the wealth management sector needs to know about new privacy legislation.
Ashley Longabaugh, senior analyst at Celent, tells our head of research, Wendy Spires, what wealth managers need to know about the ePrivacy Regulation coming hot on the heels of the European Union's General Data Protection Regulation - GDPR. We welcome readers' feedback; email the editor at tom.burroughes@wealthbriefing.com
WS: The EU is set to extend its data protection clampdown further by upgrading its ePrivacy Directive to a Regulation. What’s the current state of play?
AL: While the EU probably had ambitions for the ePrivacy Regulation following the General Data Protection Regulation (GDPR) more closely, the ePR isn’t expected to come into force until spring 2020.
Implementation of the regulation has been stalled due to negotiations across the industry and there is still uncertainty that the regulation will be enacted at all. Some issues with the proposed text include: the potential impact on innovative businesses and competition; the burden it could place on browsers and apps; questions about the value-add of the requirements; and concerns about the magnitude of the fines for non-compliance.
WS: Haven’t firms got enough to contend with without preparing for possible regulations?
AL: There is still a slight chance that ePR will not be implemented at all, but firms should still make good preparations irrespective so they are not seriously caught out. The uncertainty about ePR’s implementation is a reason for firms to focus on more immediate challenges and dedicate valuable resources to the issues on hand, thus resulting in a rush at the end to implement the regulation. We could see a similar rush to comply, or perhaps an even worse one, than we saw with GDPR.
However, robust preparation for GDPR will have hopefully provided a strong foundation for wealth managers and a solid stepping stone into ePR compliance.
WS: Leveraging client data to offer more tailored products and services is something many firms are investing heavily in. Do you see a tension between profiling of this kind and the spirit of the GDPR and ePR law?
AL: A desire to leverage big data analytics and tools to ultimately deliver an outstanding client experience tailored to the specific needs of individual clients is naturally prevalent throughout the wealth management industry. The increasing usage, dependence, and expectation of using digital tools, particularly those that track clients’ online behaviour, has embedded itself in the business models of financial institutions. The implementation of the ePR will therefore be another disruptive force in the industry.
Metadata, essentially data about data which helps streamline the collection and analysis of data, is affected by the ePR. There is a wide range of use cases for metadata, such as geolocation and purchase authorisation services, which are often used by wealth managers and financial institutions to deliver targeted products to a client.
As the ePR aims to regulate the use of metadata, real-world applications such as those mentioned above will need to be re-examined by providers. Targeted advertising, customised content delivery, and customer segmentation will be affected.
WS: The ePR covers over-the-top communications channels like WhatsApp, and these are increasingly being used by firms and advisors. Do you think that concerns over ownership of data will prompt them to move away from these to maybe develop their own, or just outright bans?
AL: The ePR regulates every electronic communication technology, including “OTT” (over-the-top, i.e., communication services provided via the internet; services that go OTT of cellular communications: WhatsApp, Skype, Messenger, IM), in addition to machine-to-machine communications.
As such, the complexity of regulating every form of service is enormous. There is potential for firms to ban advisor communication via these channels and only use proprietary communication tools, but in my view they will more likely address ePR compliance and continue using third-party OTT providers.
Many of the challenges presented by ePR are similar to GDPR: overcoming legacy systems, cross-border complexities, multi-channel management, meeting regulators’ or clients’ deadlines, educating end-users on ePR or new system tools, and managing third-party partners/distributors. Moreover, any firm that has operations in Europe must adhere to ePR, including those based outside the continent.