DATA PROTECTION ACT 1998 - THIRD PARTY DATA: THE INTERNAL POLITICS AND EXTERNAL PRESSURES ON MANAGEMENT AGENDAS

FINANCIAL SERVICES - CREDIT RISK

Tony Kowalewski

A manager's lot is not a happy one...

Justifying the funding of new projects is always a challenge. Not much fun, but it is a challenge. It's perhaps one of the most frustrating parts of the credit risk manager's job if you're the owner of a department budget. The criteria for spending money will comprise many things and will only stretch to a set of prioritised projects, meaning some are left behind as non-starters. The anguished cries from those who have projects to deliver but can't find a sponsor are even more painful to hear. As a consultant, I am used to hearing clients say "I haven't got a budget for that".

Many factors can affect the prioritisation process. Cost-benefit arguments always tend to add weight, as do proposals that have an obvious fit with corporate aims designed to bring in more business. Internal politics and external pressures sometimes represent paradoxes that are difficult to resolve. In theory, legal and compliance projects will always be adequately funded to ensure the organisation doesn't get caught out - well, that's the theory at least. All too often, though, such projects are buried and forgotten. They're the ones put off until 'next time'. And when does next time happen? The reasons they get left behind will either be that the projects are too complex or, as is more likely, that there's no obvious return on investment. Would the threat of prosecution by a regulator be good enough justification for investment? I suspect so.

Users of Credit Reference Agency (CRA) data are currently reliant on the grace of the Information Commissioner. The issue of Third Party Data (TPD) compliance is not the responsibility of someone else. It is the responsibility of the data processor - you - to be compliant. Like it or not, the Fourth Data Protection Principle requires you to process data accurately.

What is Third Party Data?

The changes introduced in the Data Protection Act 1998 mean that financial services organisations must collect, use and store data held on individuals fairly and accurately. Third Party Data relates to any individual other than the data subject. Currently, for example, if Mrs Smith applies for a store card, information about her, her husband and possibly other people with whom she has a financial relationship may be included in the assessment of her credit worthiness. The new rules mean that the use of data belonging to a third party is only permissible under a set of complex rules.

Prosecutions

Users of CRA data who continue to believe they have until 2007 to be fully compliant on Third Party Data could well be in for a shock. I wonder how a prosecution by the Information Commissioner under the Data Protection Act might affect the reputation of a lender that had not sufficiently or adequately planned how it would use TPD? Don't forget, it's the individual who stands to get prosecuted on this one, not the body corporate. I wonder how the manager who decided TPD wasn't a justified use of his budget might feel after prosecution. I can imagine how managers in many other organisations might feel. "There but for the grace of God go I..." they say, and all of a sudden TPD project documents get dusted off and taken off the shelf for immediate approval. Being the first to be caught and prosecuted represents a high reputational risk for the organisation and for your personal reputation, quite apart from the penalties imposed by the courts.

So where's the cavalry then?

Although the CRAs have been at the forefront of the industry's efforts to retain the use of TPD (and what a good job they did), they have a massive task of their own to become TPD compliant. Many CRA data users appear to be sitting back expecting Equifax and Experian to wave a magic wand so that all will be well again. For the organisations in that category, I have a message - think again. With the best will in the world, the CRAs can't do it all for you. It's about your processes, your people, your systems. By way of example, have you yet considered how your organisation might utilise the Household Override facility? How will you access the Alert facility? Do you use Detect? Do you think all these things will be sorted out by the CRAs? Wrong - these are things your organisation has to have its own policy on. Is the quality of your CAIS / Insight data feed up to scratch? Well, if it's not, then it has to be. You are breaking the law if it's not, contrary to Principle Four.

No Resource? Beware!

Some of the larger banks and building societies have already taken steps to ensure that they have done everything in their power to become compliant with the Business Requirements Specification issued by the Third Party Data Working Party last year. But the larger players have the available resource to do so. Declaring yourself to be at an organisation with insufficient resource to handle all these changes is not a valid excuse for non-compliance. The Information Commissioner made this abundantly clear last year. Maybe this doesn't seem fair on the smaller players in the market, but the fact remains, like it or not, compliance is not an option.

Some other organisations have restricted their work to planning for the impact that revised generic CRA scores will have on their scorecards. What many have not done is to assess the impact on broader business processes. There are a lot of processes, and they are just as likely to be of interest to the Information Commissioner as what the CRAs are doing at their end. There are costs to doing business. If the Chancellor increases employers' NI contributions, then you pay, no questions asked. Compliance projects should be no different, as your obligation is also regulatory.

Reputations

Reputational risk is increasingly recognised as having a price tag associated with it. Remember what happened to Ratners after Gerald Ratner described his stock in an unfavourable light. The reputation of his jewellery stores crashed overnight. Closer to home, several banks and building societies have found themselves with reputational problems as a result of branch closure programmes, to an extent where competitors have shamed them in their own advertising campaigns, resulting in a swift reversal exercise. There are heavy costs associated with getting it wrong.

Best Data Quality Audit of the Year 2003

One could never describe TPD, or indeed data quality, as an exciting or core business subject. TPD is in the same category as accountancy and legal - they are support functions, and it's sometimes difficult to see how it adds value to the customer and ultimately the bottom line. Projects designed to address these issues are complex and sometimes costly. They rarely result in more products being sold, and at next year's Credit Today Awards it's unlikely there will be a prize for "Best Data Quality Audit of the Year". (Hang on though, maybe there's an opportunity there for Equifax and Experian?) Maybe there's some good publicity to be gained from the fact that an organisation deems itself fully compliant. Imagine the headline "We care about our customers' data", to actually mean it and to be able to prove it. Now there's something that's likely to enhance a reputation rather than harm it.

Shocked of Tunbridge Wells

Third Party Data has featured in our consulting discussions with a cross section of organisations recently, from the largest of the banks to mortgage lenders (this, by the way, is the market segment most acutely at risk), automotives, finance houses and mail order companies. Given that the credit industry has known the structure of the changes for a comparatively long time - more than a year - we at Bluerock have been shocked at the lack of preparedness, an assessment also shared by the trade associations with whom we have liaised on this subject. The lack of preparedness, action and understanding of the issues that are real and present, and of the consequences of inactivity, remains a key concern.

It's your own people (business users as well as IT) - not those of the CRAs - that need to be re-writing, updating and implementing changes to your host systems. As well as systems, there are many other aspects that quite simply are the responsibility of the lender rather than the CRAs. For example, if you use data from host systems to pre-populate application form screens for existing customers, then that data too must be compliant.

Third Party Data may not currently be perceived as exciting or as dynamic an issue. It does not deliver the tangible revenue benefits that can be achieved by marketing funding. However, if our experience of industry attitudes is anything to go by, then it's likely that those issues will become a minefield awaiting collision with someone's reputation. Be the captain of your own minesweeper and take evasive action by prioritising some of your budget for blowing up a few mines. Few executives like surprises, especially those of the less positive variety.

The final message to leave you with is this. Be clear about the difference between what it is you would like to do and what you are obliged to do through regulation. View your budget and project planning in this manner. Alternatively, here's a really interesting Zen-type thought. As the management guru Deming once said, "You do not have to do these things. Survival is not compulsory".

Tony Kowalewski, of Bluerock Consulting, can be contacted on 020 7743 6780 or tony.kowalewski@bluerock-consulting.com