Data Protection: The Gaping Hole In M&A Due Diligence
As the volume and value of M&A deals continue to rise in the wealth management sector, due diligence has to remain strict. But experts are warning that firms are very often neglecting a crucial area that could end up costing them very dearly indeed.
It may be hard to hear for a sector predicated on confidentiality and discretion, but experts have repeatedly told this publication that protecting clients' personal data is often not as high in wealth managers’ priorities as one might expect. As well as exposing them to myriad risks in and of itself, neglecting this very spiky area of compliance threatens to hit firms where it might really hurt in monetary terms – in M&A deals.
The M&A merry-go-round has spun at a dizzying speed globally in recent years as wealth firms have sought scale and savings, and the pandemic posed no barrier to the continuation of what PricewaterhouseCoopers called "a banner year" in terms of both volume and value; indeed, the 220 deals announced in wealth and asset management in 2020 were worth $53.4 billion, a new record. Meanwhile, the global banking sector as a whole saw over 1,300 deals – more than 2018 and 2019 combined – according to Finaria.
Expectations are that M&A will continue apace as the existing competitive (and profitability) pressures exacerbated by the pandemic start to really bite. But while firms approaching corporate marriages might be confident that they have done their due diligence with a fine-tooth comb in all the usual areas, data protection and the associated cybersecurity is very often emerging as a blind spot, experts say. Sellers could suffer last-minute knock-downs in transaction prices (or even clawbacks), while acquirers risk enforcement action, lawsuits and serious reputational damage for folding data protection nasties into their businesses effectively sight unseen.
So, how is it that these data protection dangers still lurk, and what should both sides be doing to tackle them well ahead of deals going through?
Data denial
As this publication has previously explored, the foremost contributing factor is an underappreciation of just how much personal data is handled in the course of providing wealth management services to clients (interesting employee data protection matters are treated here).
“It’s thankfully becoming rarer, but some firms still believe they are not holding much, if any, personal data,” says Matthew Negus, senior director at management consultancy Alvarez & Marsal. “Admittedly, it may not be obvious at first glance as it may be inferred personal data concerning non-client relationships with counterparties and vendors, but there is typically a lot more held both within and outside the client relationship.”
Still less appreciated is how commonly assessing a client's financial situation and investment goals - and evaluating the desirability of a client in the first place - can involve sensitive information (or “special category” data, as it is known under Articles 9 and 10 of GDPR). “Ethnicity, religion and certain health-related details come up frequently, such as where a power of attorney is held,” Negus continues. “It can also arise in AML and enhanced due diligence if someone is a politically exposed person, or if there’s any adverse media concerning criminal doings.”
This knowledge gap comes alongside great variation in data protection resourcing across the industry, as WealthBriefing has highlighted in recent research. It revealed that although some forward-thinking firms are developing dedicated and well-staffed “centres of excellence” for data protection, diffuse lines of responsibility and tiny teams which have the whole business knocking on their door seem common.
IT and international transfers
The scale of the data protection workload across a wealth management business is easily underestimated and continues to grow, in large part due to the industry’s digital transformation. Each innovation can require a surprising amount of work in planning, testing and compliance documentation. Relatedly, there are the massive complications involved with cross-border transfers, which have been exacerbated by the EU’s Schrems II ruling of last summer.
In brief, this ruling has made the arrangements between wealth managers and the processors who handle data on their behalf a fraught affair wherever transfers involve jurisdictions deemed not to offer an equivalent level of data protection. This might be due to matters involving surveillance and a lack of redress, as with the US. The prevalence of cloud-based solutions, combined with data centres and technical support teams being scattered all over the world, means that this is a very busy time for those drafting the contracts that vendors and their institutional clients need to have in place.
Here again, though, there may be worrying knowledge gaps that leave wealth managers wide open to risk. “I suspect that most firms are significantly underestimating how many suppliers they really have,” Hazel Grant, head of the Privacy, Security and Information Group at law firm Fieldfisher, said. As both Grant and Negus point out, financial services is a sector known for tangled webs of legacy IT infrastructure, even before we consider the innovative tools continually being bolted on. As firms will (hopefully) have discovered in their initial GDPR programmes, just understanding what data they hold, and why and how it is being processed, can be a gargantuan task.
Lessons from other sectors
It may take one of the industry’s own being hit with a headline-grabbing enforcement action to really make these data protection dangers hit home. But recent cases in other sectors are instructive on a number of fronts, particularly in how data protection weaknesses can come back to bite both acquiring firms - and their acquisition targets - potentially years down the line.
Here, Negus cites Marriott-Starwood as a case in point. In October 2020 the UK’s Information Commissioner’s Office fined the Marriott hotel chain £18.4 million (around $25 million) for failings contributing to a cyber breach affecting an estimated 339 million guest records worldwide. Crucially, the attack, which was discovered only in 2018, took place in 2014 and was on Starwood Hotels and Resorts Worldwide - a company Marriott acquired in 2016.
And, to illustrate that the huge losses related to data protection failings can indeed run both ways, there is the Verizon-Yahoo case of 2017. After two massive data breaches came to light, Verizon knocked $350 million off the price it had originally planned to pay to acquire Yahoo.
Blood in the water
Nor, of course, are regulatory enforcement actions the sole danger being run when insufficient attention is paid to cybersecurity and data protection governance generally.
Data privacy - and ownership - concerns are higher in the public consciousness than ever before, due to developments such as the use of test-and-trace technologies during the pandemic and headlines concerning tech platforms which many of us use every day. For instance, WhatsApp was recently forced to row back on a plan to share non-EU user data with its (relatively new) parent, Facebook, which itself had a mass legal action launched against it last week in the UK’s High Court, in a case concerning alleged data sharing with third-party apps without users’ knowledge or consent.
Naturally, reputational damage and loss of trust are particularly to be feared in the private client world. Data protection regulations very much pave the way to lawsuits too, since enforcement actions present something close to an oven-ready case for plaintiffs. As this publication has previously noted, litigation funders can smell class-action blood in the water. And, with litigators seeking damages of £2,000 per person affected in the Starwood breach, for instance, the numbers could easily dwarf the original fines involved, Negus notes: “Things really seem to be following the US paradigm in this area.”
With dangers this manifold and manifest, one would think looking into data protection would be a key part of due diligence in financial services M&A. Not necessarily so, it seems.
Late in the day
When data protection is considered at all, questions about privacy or cyber risk tend to come very late in the day, our experts observe. This naturally puts a limit on how rigorous investigations can be, particularly when there is also likely to be a degree of trepidation about digging further when this might uncover something that may negatively impact a deal.
In fairness, however, there is also a limit to how much potential acquirers can actually dig into another firm’s data practices, Grant points out. Disclosing the underlying personal data would usually call for data sharing agreements, privacy notices and so on, quite apart from probably being unacceptable to the firm and its clients before a deal is actually struck.
That said, since compliance with data protection regulation is very much demonstrated through documentation, she would remind buyers that looking through an acquisition target’s policies and governance procedures can be very revealing indeed. For such savvy shoppers, “data protection can then be looked at in terms of the cost of remediation being built into the deal price,” she says. That licking a laggard into shape can cost upwards of £100,000 should certainly focus minds. On the flip side, a firm wishing to be snapped up could certainly use best practice in data protection to stand out in a beauty parade.
The complexities of whether firms are a data controller, joint controller or even a processor after an M&A deal will have to be left for now, but suffice to say that working out these relationships is the bedrock of correctly delineating where responsibilities – and liabilities – lie. It is not hard to imagine serious errors soon coming to light in this sector, and, where there is any doubt, regulators are likely to come after the bigger name (fines being proportionate to revenues).
At the very least, the wealth management industry should put itself on warning that data protection can very much be the sting in the tail in M&A – and it could variously be the seller, the buyer, or both that end up smarting.