In a new report carried out by Consult Hyperion and commissioned by AllClear ID, entitled GDPR: Banks, Breaches and Bullion Euro Fines, it is forecast that European financial institutions could face fines of up to €4.7 billion in the first three years under the European Union’s new General Data Protection Regulations (GDPR). The actual figure, the report says, could be much higher, as the report has been compiled with conservative estimates and excludes compensation claims, customer costs, damage to reputation and branding, and senior executive resignations. The fines that banking institutions (indeed any organisation) could be subject to are up to 2% of the previous year’s global revenue (4% for repeat offenders) or €20 million, whichever is higher.
To compound the issue, these institutions will be subject not only to the new European General Data Protection Regulations but also to other new European regulations such as ePR, AMLD 4/5 and PSD2. These will require institutions to hold more data and make it available over open interfaces, which in theory could leave them more exposed to data loss and, with it, to the possibility of punitive fines for not complying with GDPR.
Key findings from the report include:
- GDPR will cost banks €4.7 billion in GDPR fines over three years
- Financial institutions will experience over 380 breaches
- Large banks could face fines as high as €260 million per breach
“The highest risk item in the GDPR is the 72-hour breach notification requirement, and banks are not mitigating this,” said Tim Richards, Principal Consultant, Consult Hyperion. “Data breaches are an unfortunate fact of life for financial institutions, and our analysis suggests that there have been no fewer than 27 data breach incidents among European Tier 1 banks in the last decade, with some banks as multiple offenders, potentially liable for fines at the 4% level. This indicates an 8% chance that any Tier 1 bank will suffer a data breach in any given year. These figures, we believe, are conservative, and banks are not prepared for the consequences under GDPR.”
Bo Holland, CEO, AllClear ID, said:
“A poorly managed customer notification in the wake of a breach makes you look like a fool. Financial institutions are myopically focused on preventative measures, ignoring the importance of resilience. History tells us that companies that have dealt with data breaches poorly have seen loss of customers, reduced earnings and board-level resignations, while those with a prepared plan and a managed response have sidestepped these issues. GDPR raises the stakes even higher. With only 72 hours to react, financial institutions that have not invested in response readiness will face the most serious fines and collateral business damage.”