Today I want to consider a burgeoning imbroglio in the UK involving Nigel Farage. While you might not think of Farage as a candidate for the FCPA Compliance Blog, it turns out that his current banking situation has some very interesting data privacy issues, shedding light on the data protection risks faced by banks and the importance of compliance with GDPR regulations. So in this blog post, we will explore the lessons learned from this incident and provide practical advice for financial institutions to ensure the security and privacy of customer information.
The recent episode surrounding Nigel Farage’s banking situation has sparked concerns about data protection and compliance within the banking industry. Farage, a prominent figure in the Brexit movement, had his bank account with Coutts, a high-end bank owned by NatWest, closed and was offered an account with another associated bank. The alleged reason was that he did not have a high enough net worth to merit the account with Coutts. It turned out the real reason was his right-wing politics, particularly around leading the charge for Brexit.
NatWest then compounded its problem by leaking a story to the BBC, that Farage had been dropped because, as reported in the Guardian, the CEO of NatWest, Dame Alison Rose had been the source of the leak to the BBC of this false information. All of this raised concerns about a potential data breach. Coutts had closed his account after lengthy discussions over the reputational risk that his political views posed for the bank.
Rose tried to apologize to Farage but as the New York Times reported, “The apology and a promise to review the bank’s policies were not enough to ease the pressure on Ms. Rose. Reports late Tuesday that the government, which has a 39 percent stake in the bank, was “significantly concerned” about Ms. Rose’s leadership seemed to seal her fate. Before dawn, the bank announced her immediate departure” in late July. Peter Flavel, the boss of its private bank, Coutts was also sent packing.
From the regulatory, data privacy and GDPR responses, NatWest is in severe trouble. Not only had the Bank violated its own data privacy regulations in providing the information to the now former CEO but it also released that same information to the BBC. The consequences of non-compliance with GDPR regulations can be severe, particularly in regulated industries like financial services. Banks may face potential violations and internal policy breaches, which could lead to legal action and impact their banking license and fit and proper provisions. CEOs can be held liable for consent and connivance in data protection cases, emphasizing the importance of understanding data protection laws and potential criminal offenses associated with them.
The controversy surrounding Nigel Farage’s banking situation serves as a wake-up call for the banking industry to prioritize data protection and compliance. Financial institutions cannot afford to overlook these issues, as the consequences in the era of GDPR can be significant. It is crucial to establish proper policies and procedures, provide training and education for top-level management, and ensure a compliance culture is embedded throughout the organization.
There are multiple lessons to be learned from this controversy and several key takeaways that can help banks navigate the complexities of data protection and compliance:
1.Be cautious with written communication: The incident underscores the importance of being mindful of what is written in emails, as subject access requests can expose them. Consider whether a controversial email would be better discussed through a phone call or read aloud before sending.
2. Learn from previous compliance issues: NatWest had previous issues with data protection compliance, leading to the resignation of CEO Dame Allison Rose. This highlights the need for organizations to build a compliance culture at all levels, including those in top positions.
3. Allocate resources for subject access requests: The bank’s CFO has provided extra resources to handle subject access requests, as the cost of non-compliance is usually higher than the cost of compliance. It is estimated that it takes a six-figure sum for a bank to respond to a subject access request.
4. Scrutinize politically exposed persons and connections to Russian individuals: Financial institutions have an obligation to carefully scrutinize politically exposed persons and individuals with connections to Russian individuals. Balancing legitimate activities with obeying the law is crucial.
This affair provides valuable insights into the importance of data protection and compliance in the banking industry. The Farage controversy serves as a reminder that the security and privacy of customer information should be paramount for financial institutions. By learning from past incidents, allocating resources for subject access requests, and adhering to GDPR obligations, banks can safeguard their reputation, avoid legal repercussions, and build trust with their customers.
