Along with PSD2, the EU’s General Data Protection Regulation (GDPR) is arguably the biggest legislative change on the horizon for banks doing business in the EU.
Adopted in 2016 and applying across the EU from 25 May 2018, GDPR is a new set of rules designed to strengthen data protection for all individuals within the EU, giving people more control over their personal information and how it is used.
It is also intended to simplify and streamline the regulatory environment for businesses.
GDPR will place a number of additional requirements on financial institutions (as on any organisation processing EU residents' personal data), including an obligation to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it; the clock therefore starts when the institution knows a breach has occurred, not when it has finished investigating it.
The new rules could also have major financial consequences, with non-compliance fines running as high as €20 million or up to four percent of global annual turnover, whichever is higher.
A recent report from Consult Hyperion, commissioned by ID security firm AllClear ID, forecast that the financial impact of GDPR could be as high as €4.7 billion in fines for EU banks within three years of the regulations being introduced.
The study predicted that financial institutions operating in the EU could experience 384 data breaches during the three-year period after May 2018, raising the distinct possibility of fines for late reporting.
Tier one banks alone could be hit by fines of some €666 million a year, based on a prediction of two to three data breaches a year and average fines of €260 million each time.
Tim Richards, principal consultant at Consult Hyperion, stressed that banks must be prepared for the 72-hour breach notification requirement, which he called the “highest-risk item” in GDPR.
“Data breaches are an unfortunate fact of life for financial institutions, and our analysis suggests that there have been no fewer than 27 data breach incidents among European tier one banks in the last decade, with some banks as multiple offenders, potentially liable for fines at the four percent level,” he said.
“This indicates an eight percent chance that any tier one bank will suffer a data breach in any given year.”
Mr Richards also noted that the estimates on GDPR’s financial impact are conservative, as they don’t cover costs such as compensation claims and less quantifiable impacts such as reputational damage and lost customers for banks that fail to comply with the new rules.