Update on recent UK data protection guidance in the financial services space

Written By

Sanjana Sura

Legal Director
UK

I am a Legal Director in our Privacy & Data Protection Group in London with over 11 years' experience in the data protection and privacy space.

UK FCA, ICO and TPR issue a joint statement on communications to consumers in relation to retail investments and pensions

On 15 November 2024, three UK regulators – the Information Commissioner’s Office (ICO), The Pensions Regulator (TPR) and the Financial Conduct Authority (FCA) – published a joint statement on how data protection and direct marketing laws interact with the FCA Consumer Duty and TPR’s Code of Practice and Guidance in relation to customer communications.

This follows a similar statement in July 2023 from the ICO and the FCA in relation to communications to savings customers. 

The ICO has previously published more detailed guidance in March 2023 on direct marketing and regulatory communications.

The statement makes it clear that UK data protection laws do not stop firms and pension schemes from sending regulatory communications or service messages. Firms can send these messages to customers even without direct marketing permissions, provided that the messages do not constitute direct marketing under data protection law. The definition of ‘direct marketing’ is broad – “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. The regulators set out that organisations should “use a neutral tone and avoid active promotion or encouragement when communicating facts to customers” to help ensure compliance.

Usefully, the statement includes a (non-exhaustive) list of examples of regulatory communications that can be drafted in a way that is unlikely to constitute direct marketing:

  1. A message that warns a customer that they are at risk of harm from having an inadequate pension income in retirement due to their existing contribution rates; or from drawing down on their pension at an unsustainable rate.
  2. Helping a customer to understand their pensions or retail investments product or service, such as explaining jargon and signalling where consumers can go for support.
  3. Reminding customers of the option of consolidating their pension pots and the relevant factors around this, where that is appropriate for the client.
  4. Factually describing the details of different decumulation options to help customers make an informed choice.
  5. Noting where people can access free tools, such as pension tracing tools and savings or retirement income calculators.
  6. Informing a customer they are being transferred to another pension scheme.
  7. Giving a child trust fund owner important information about their account, where the account was opened for them during their childhood.
  8. Highlighting to a customer that they have unused Individual Savings Account (ISA) allowance towards the end of the tax year.
  9. Telling customers who are reaching the end of a term deal what their options are.

Guidance on data sharing to tackle fraud and scams

During International Fraud Awareness Week in November 2024, the UK Information Commissioner’s Office (ICO) published guidance on the data protection considerations that apply when personal data is shared for the purposes of preventing, detecting and investigating scams and fraud.

This sits alongside other data sharing related resources from the ICO, including the Data Sharing Code of Practice.

The ICO notes that fraud is the most frequently experienced crime in the UK, accounting for 39% of all reported crime in England and Wales. The guidance emphasises that data protection law is not a blocker to sharing personal data to prevent fraud and scams, provided it is done in a responsible, fair and proportionate way.

The guidance highlights the following steps to help ensure that data is being shared in a compliant manner, echoing the guidance in the Data Sharing Code of Practice:

  1. Carry out a DPIA
  2. Be clear about responsibilities
  3. Set up data sharing agreements
  4. Identify a lawful basis
  5. Understand the type of information being shared
  6. Comply with the data protection principles
  7. Respect people’s rights

The ICO provides a couple of practical examples in relation to the application of legitimate interests in the context of fraud prevention and in relation to the sharing of criminal offence information. These examples are useful reference points for financial services organisations.
