The 2008 financial crash kick-started the idea of “better regulation”: how can regulators improve the market in which they operate while also supporting customers and ensuring that all customers within their respective market are treated fairly? Of course, the idea of Treating Customers Fairly is embedded within the Financial Conduct Authority’s “Principles”: all customers should receive a good quality service and expect to meet 6 Outcomes. However, other regulators are slow to catch up on the idea of “better regulation” and are still treading water, ensuring procedure is followed regardless of consumer detriment.
It’s fair to state that the FCA govern the outcomes rather than the procedural requirements. For example, a firm’s attitude to risk should be based on the outcomes their customers receive. If a customer doesn’t receive X procedural statement, has that customer reached a poorer outcome than if they had received that information? If they have, then this would be a breach of the ethos of the FCA. If the customer has received a good outcome regardless, this may be a breach of the FCA’s procedural requirements; however, because the customer is in a better position than they would have been without the service, it’s difficult to argue this was a “breach” in the sense which should be prohibited.
For example, within the consumer credit sector a requirement of the FCA is for lenders to provide their customers with forbearance when the customer falls into arrears. This requirement is to ensure that customers receive due support and care to pay their debts (in essence increasing the amount recoverable by firms than if they had not applied forbearance – a trait many firms forget). One of these procedural requirements, linked to forbearance, is notifying the customer of free debt advice. Using the above analysis, not providing the customer with notice of areas of free debt advice will amount to the customer obtaining a worse outcome than if the lender had provided that information. For example, they may have been eligible for an IVA, but due to the lenders’ inability to notify the customer of free sources of debt advice, they do not enter an IVA and are in a worse position than they would have been had they received the advice. Hence a breach of the customer Outcomes.
Although the above is beside the point at hand, it demonstrates that the regulations are designed to improve the outcomes of the customer; they are not designed to be “procedural” rules that have to be met at all times. The rules are designed to complement the Outcomes, not inhibit them.
The Procedural Effect
The idea of “better regulation” has not yet reached the Information Commissioner’s Office. This is not entirely their fault, as they do not have the tools to provide “better regulation”, but they do stick to procedural requirements with no scope for providing better outcomes for customers.
For example, let’s focus on one area of the GDPR (subsequently enforced by the ICO): automated decision making. Suppose a programme based on machine learning takes all the data of the population and understands the spending habits, incomes, expenditure, ethnicity and religion of the population. From this the machine makes data inferences, for example, “do not lend money to consumers who were born in ABCDEFG” (in our hypothetical situation, people originally born in ABCDEFG do not pay their debt). So, when a citizen who is from ABCDEFG applies for a loan, they will be ineligible straight away.
In the example above, the procedural requirements of the ICO and the GDPR have been met (for example, including notification of this decision within the Privacy Notice, and having a human explain the decision: data inferences based on XYZ have been made, and on this inference you have been rejected for the loan). So, for the true effect of the Regulation, nothing is wrong from a data perspective.
The above goes to demonstrate that as long as the procedure is followed, there is little recourse to be found within the regulations at present. What rule has the firm breached? None. This commitment to procedural requirements negates benefits to the customer, as it is not possible to say that the customer has been provided with a good outcome.
So how can the ICO aim to become an outcomes regulator instead of being the procedural regulator? The simple answer is that there needs to be a fundamental shift in how they observe data protection practices, starting from the top. Data needs to be used to uphold customer outcomes and not allow discriminatory data practices which diminish customers receiving good outcomes.
The FCA and the ICO
The debate between good outcomes for customers and following procedural requirements comes to loggerheads when the data of a company pertains to the data used by a regulated entity. Take the above example: in this situation a customer from ABCDEFG cannot receive a good outcome from the firm, because the firm will not lend to the customer. That may well be the firm’s prerogative, but the customer themselves has not received a good outcome.
The FCA can’t really challenge the procedural requirement which prohibited the firm from lending to the individual. If the customer never becomes a customer based on the machine learnt data, the FCA cannot improve the customer’s outcome; it would likely be ultra vires. However, it is clear that the customer has not received a good outcome: maybe the firm offers the best rates on the market, yet the customer is prohibited from them.
So how do the regulators move forward? They don’t, as they can’t. Although they believe they have a memorandum of understanding between each other, there is no way to reconcile the two views of “better regulation”, one being following procedure and the other ensuring good outcomes for customers.
The place for exploitation
One concluding thought is that following procedure is no longer enough to be determined as “regulation”. As compliance consultants, Scott Robert know that ensuring our firms are following data procedure is more important than having their customers receive good outcomes; although this is unfortunate, this is the reality.
The only saving grace is that the UK has an opportunity in the coming months to either improve data protection regulation or diminish it even further. Will our customers receive better data outcomes in the future than they do now? Can compliance consultants encourage businesses to make good consumer decisions, or will they continue simply to require procedural requirements to be met without promoting consumer outcomes?