The recent controversy over NatWest Group's handling of right-wing Brexit campaigner Nigel Farage's account, including sharing details with a journalist, has prompted concerns about whether other banks employ similar means to eliminate undesirable customers.
In a report published Tuesday, the regulator said no firm closed a personal account between July 2022 and June primarily because of a customer's political views—a practice that is banned under the U.K.’s Payment Accounts Regulations.
However, FCA Chief Executive Nikhil Rathi conceded, "[F]urther work is needed for us to be sure."
Farage, who had been monitored for months on behalf of NatWest subsidiary Coutts’s wealth reputational risk committee, called the findings “a joke” and said there were dozens of examples where people had been “debanked” because of their political leanings.
Experts believe the incident will prompt banks to review how they process customers’ personal data to see if they might be infringing the General Data Protection Regulation (GDPR), as well as FCA rules.
No personal data should be processed by a controller—in this case, a financial institution—without having a proper purpose and a lawful basis for the processing, such as checking whether someone might be engaging in money laundering or breaking financial sanctions.
"Generally, the only lawful basis for gathering and processing this information will be under the bank’s ‘legitimate interests’—but those interests are not absolute," he said. "They must be weighed against the impact on the individual of the processing that is being done. If a customer objected to that processing, the bank would have to justify why their interests ought to take precedence or stop the processing."
An additional layer of complexity arises, he said, where the characteristics being processed are so-called “special categories” of data—e.g., relating to sexuality, health, political affiliation, religious beliefs, or trade union membership. There, the starting point under the U.K. GDPR is that all such processing is prohibited unless it is for a limited range of defined purposes.
Declan Goodwin, partner at law firm Acuity Law, said Coutts’s monitoring of Farage could constitute a breach of the GDPR. He said it is “questionable” whether Coutts could justify the processing of his personal data under the catch-all exemption of legitimate interest, which would require the bank “to weigh up the rights and freedoms of the data subject against its own needs to process such personal data.”
Goodwin said compliance mechanisms like data protection impact assessments, legitimate interest assessments, and privacy policies could help justify processing personal data for the purposes of reviewing customers. He added, "In the absence of a legal reason for monitoring customers in this way, it’s likely banks will need to be open and transparent with their customers, including via their privacy policies, to collect personal data in the way NatWest/Coutts have done regarding Farage."
Becky White, senior data protection and privacy solicitor at law firm Harper James, said unlawful disclosure of information to a third party, such as the press, "will inevitably lead customers to question how organizations handle their personal data generally and whether appropriate security measures and safeguards are in place, which could in turn lead to irreversible reputational damage.
"Ultimately, whether you agree with Farage’s politics or not, as a data subject he is entitled to the protection that data protection laws grant to individuals, which is to safeguard individuals’ fundamental right to privacy and protect their personal data."
By fLEXI tEAM