New guidance on balancing data protection with the FCA's Consumer Duty and the TPR's Code of Practice

What is it?

The Financial Conduct Authority (FCA), Information Commissioner's Office (ICO) and The Pensions Regulator (TPR) have published welcome guidance (Joint Statement) aimed at retail investment firms and pension providers on how to ensure their customer communications comply with the FCA's Consumer Duty (Consumer Duty) and the TPR’s Code of Practice (Code of Practice), whilst ensuring they follow the rules on direct marketing and data protection. 

What are the Consumer Duty and the Code of Practice?

The Consumer Duty rules (here) and guidance (here) set out certain obligations and expectations on FCA-regulated firms offering financial products and services to retail customers. In particular, the Duty sets high expectations for the standard of care that firms provide to consumers, including in respect of customer communications and customer support. 

Broadly, the consumer understanding and consumer support outcomes under the Duty are intended to ensure that, respectively, (i) customers understand the information they are given and can make effective, timely and properly informed decisions, and (ii) customers are provided with customer support that meets their needs. 

These outcomes also require firms potentially to have more touch points and engagement with customers, particularly post-sale, to prompt them to make better decisions. By way of an example, a bank may wish to write to a savings account customer to let them know if the bank introduces another savings account with a better interest rate.

The Code of Practice sets out how governing bodies of pension schemes can comply with their obligations under pensions law. As under the Consumer Duty, it includes obligations in relation to communications with pension scheme members (both on initially becoming a member and in respect of subsequent communications), including a requirement to ensure timely and appropriate information is provided to enable "informed decisions about their benefits".

Conflict with direct marketing rules?

Direct marketing rules include an obligation not to send direct marketing unless you have the consent of the individual or (in limited circumstances) on an opt-out basis.

The Joint Statement notes that "service messages" (i.e. communications which are to provide key information that individuals need to know about their product or service) do not constitute direct marketing. However, service messages that contain a direct marketing element (even if minor) will be considered to be direct marketing and subject to direct marketing rules.

There have been some concerns about how to reconcile the Consumer Duty and Code of Practice requirements with direct marketing rules – i.e. the scope and content of communications required to comply with the Consumer Duty or Code of Practice may tip over into being direct marketing messages and potentially constitute a breach of data protection law.

How to avoid getting it wrong

According to the Joint Statement, the key to avoid the risk of sending direct marketing in breach of the law is to ensure that communications present the facts to enable consumer decision-making, but without giving opinions which may influence those decisions. Further, any content which is promotional in nature should be avoided. In this way, messages can lawfully be sent, even to those individuals who have not consented to, or who have opted out of, direct marketing communications.

The Joint Statement refers to the ICO's direct marketing and regulatory communications guidance (here) which provides additional relevant guidance and examples of how communications can be phrased, as both the wording and broader context of the messages must be carefully considered to ensure compliance.

The Joint Statement also provides a non-exhaustive list of examples of types of messages which (properly drafted in compliance with the Joint Statement) can be provided such that they do not constitute direct marketing.

Impact on other FCA-regulated businesses

Whilst the Joint Statement is directed at retail investment firms and pension providers, the guidance is also helpful for other FCA-regulated businesses that deal with retail customers.

In relation to the insurance sector, for example, the guidance is useful particularly when considering post-sale engagement with customers (pre-sale insurance communications can be promotional provided that they are balanced and highlight any risks and limitations as well as the product benefits).

As with the banking example noted above, firms can include some promotional material in post-sale communications if it is to benefit customers or prompt them to make informed decisions which deliver good customer outcomes. However, firms will need to ensure that their communications to meet compliance needs are not used as an opportunity to promote or sell to customers. By way of example, under the Consumer Duty, some firms may look to send communications to customer seeking feedback from them to understand how the product is performing.  Where this communication is also used to seek to promote new product offerings this may breach data protection law.

Why is the Joint Statement important?

The Joint Statement provides comfort to the retail finance and pensions sectors that they can present the required Consumer Duty/Code of Practice information to individuals without falling foul of data protection law. The Joint Statement gives a helpful and practical steer to retail investment firms and pension providers on how to avoid that pitfall. It also provides useful guidance to other FCA-regulated businesses operating in the retail sector.

Challenges will nonetheless come in crafting such messages appropriately to ensure they don't stray into being direct marketing communications. Regulated firms will therefore need to strike a balance between meeting their consumer understanding and support obligations under the Consumer Duty and ensuring that they do not fall foul of the direct marketing rules.

It appears that further guidance on this topic may come in the future, and the ICO has indicated that it would welcome any feedback on the Joint Statement.

We worked with a number of clients who have carried out significant work to ensure that their policies on communications, financial promotions, customer support etc. reflect the Consumer Duty requirements. In light of the Joint Statement, they may want to consider further updating these policies to incorporate the new guidance and include some examples of dos and don’ts.

Please get in touch with any of the authors listed here if we can provide any advice in this area.