With information about customers increasingly seen as valuable by both legitimate business and criminal elements, Jonathan Minter investigates the precautions motor companies are taking, or should be taking, to protect their customer data
As a result of checking a customer’s credit and affordability, it’s only natural that motor finance companies end up with a large amount of data about their customers.
Access to this type of information can be extremely valuable and, as a result, companies need to be diligent in ensuring the data they collect is stored securely, protected from potential outside attacks, and disposed of effectively and at an appropriate time.
How companies use this data is set to change in the coming years, with the General Data Protection Regulation due to come into force in 2018 across the EU, including the UK, assuming it doesn’t vote to leave in June.
Currently, though, organisations are compelled to observe the letter and the spirit of the Data Protection Act 1998 (DPA), which oversees transparency, security and accuracy, and maintains information standards, as well as observing consumers’ rights.
Tim Smith, head of motor finance at Black Horse, points out that, while this Act sets out a number of reasons why customer data should be retained, it does not set out specific retention periods.
Speaking to lenders, it appears the common practice is for the retention period to be determined by the length of contract the customer has – something Smith says is true at Black Horse.
The same is true at Paragon Bank, according to head of motor finance Julian Rance. Describing the basics of Paragon’s data policy, he says: "We only need, from a minimum data side, to keep information which is required for the purpose of car buying and servicing the loan. So that’s pre- and post-completion. As a company we put in place across the business a group retention and destruction policy. It’s not just about keeping data, it’s also about how long you keep it for and how you delete that data – you can’t keep it forever.
"There’s also a policy where the length we’ll keep customer data won’t mirror exactly the contract length, because of the potential for customers to come back."
Length of time isn’t the only element in the DPA which is open to interpretation, with the Act operating with eight principles which, in a similar manner to the Financial Conduct Authority’s (FCA) principles, can be interpreted and implemented in slightly different fashions.
One example of this brought up by Craig Armstrong, partner at Shoosmiths, is on the seventh principle, that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
Armstrong says: "This principle has been routinely incorporated into any commercial agreement involving the processing of personal data, but what actually constitutes ‘appropriate technical and organisational measures’ is inherently subjective, creating uncertainty as to how businesses can satisfy this legal requirement.
"Moreover, the onus has been placed on the data controller under the DPA, with no statutory comeback to the data processor who processes personal data in breach of the DPA 1998."
In order to remain compliant, and to retain public trust, companies have a few options.
One option Billing Finance has gone with is to have an external audit of how their customer data is stored. Oliver Mackaness, director at Billing Finance, says the company is audited by specialists Regulatory Strategies.
When asked about the advantages of hiring external consultants to look at this, Mackaness says: "Because we’re a relatively small company, this is an issue for us. There are only 40 of us at Billing Finance. We collect a lot of data and in order for us to be doing things properly, we need to get advice from other people. The FLA is also really good, as they give out lots of advice."
Mike Bradford, director at Regulatory Strategies, says that embedding data protection across the business can become a competitive and commercial advantage for a company and, done in the right way, can be seen as a value-add, not just another barrier to doing business.
When asked about the typical mistakes he sees motor finance companies make, he says: "Typical areas include: using out-of-date information – which is both a DPA breach as well as missing great commercial opportunities for up and cross-sell; not dealing with consumers fairly under their subject access rights; not having policies and procedures in place and poor staff awareness; not having well-rehearsed plans in case of lost or stolen data; and having a data protection officer who adds no business value and just tells the business what it can’t do rather than how to do what it wants to do – the business prevention officer!
"Another area is not thinking through what the business might want to do with the data during the customer life cycle and missing opportunities at the point of data capture on the application form to be clear as to the purposes for which the data may be processed – missed business opportunities again."
A second option that companies might consider is looking at meeting a recognised international or market standard. This is something Paragon Motor Finance has done. Rance notes the company is ISO 27001 certified, and continuously reviews its processes to ensure everything is up to the standard.
ISO is an independent, non-governmental international organisation, with a membership of 161 national standards bodies.
ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO 27001 are generic and are intended to be applicable to all organisations, regardless of type, size or nature.
According to Armstrong, many companies use standards of this type to demonstrate compliance with the seventh principle. He says ISO 27001 is the most popular one.
However, he warns: "For most consumers, reference to an unrecognised international standard gives very little, if any, comfort. In fact, the padlock symbol of website SSL [Secure Sockets Layer] encryption is far more likely to give that necessary consumer comfort. However, SSL certification is only one element of information security within the consumer transaction journey."
Another route companies may wish to go down is the ‘Cyber Essentials’ scheme, which the UK government launched in June 2014.
Armstrong says the scheme has been designed to incentivise the widespread adoption of basic security controls that will help protect organisations against the most common kinds of internet attacks.
He says: "The scheme is constructed to be affordable and practical for all firms, small as well as large. Certification comes with a badge which firms can use to help demonstrate their security credentials to consumers and which insurers can take into account when considering firms for relevant insurance policies."
Potentially of importance to fleet providers, Cyber Essentials has been mandatory since 1 October 2014 for central government contracts which involve handling personal information and providing certain IT products and services.
The first line of defence for data protection is making sure that staff are well trained. Both Mackaness and Rance say their staff go through specific data security training. Meanwhile Black Horse, as part of Lloyds Bank, can additionally rely on a team of subject matter experts to ensure effective controls are in place, and that these controls are tested on a regular basis to confirm they remain effective in protecting customer data.
Part of the reason staff training is so important is the nature of the attacks. According to the people Motor Finance spoke to, the majority of threats they face come via standard phishing emails to staff.
Rance says: "We’re seeing criminals increasingly turning to simpler methods like email phishing to trick the unwary. We’re seeing more of that, and attacks on our systems."
While these threats are often associated with consumer scams, techniques like phishing are increasingly being used against businesses.
Again, Rance says, the key is staff training: "From a system perspective, and this is an industry-wide case, we’re seeing an increase in this. It comes down to training the staff. You don’t want them opening up things they shouldn’t. It’s all about communicating with staff, and giving them an understanding of what this means.
"Paragon staff receive training on cybersecurity and an integrated approach in terms of different departments within the group, and also fraud and compliance. You need this joined-up approach to combat criminality and making sure your data is secure."
Once staff have been trained, it’s important to ensure this is maintained, and Billing monitors staff to ensure standards are kept up.
Mackaness says: "If you record the small details, it makes people more aware that it’s something we take seriously. So we’ll review phone calls for all our staff, and if they haven’t asked all of the right security questions at the beginning, then this will be highlighted, so they know this is something we take really seriously.
"We educate our staff. Everybody will go through our data protection and security policies. We also have access rights to the IT system, so it’s just making sure the appropriate people can access the appropriate information which is relevant to them. On password management we’re a lot tighter now, and staff now have to change their passwords regularly.
"Luckily we don’t have many people working outside the office. We don’t have a travelling sales team, so there’s not the issue of people handling data offsite. That’s a much bigger issue for companies that have got offsite sales people."
Another basic step is to decide whether to store electronic data locally, or in a remote location.
Both Black Horse and Paragon, which are part of larger organisations, store their data internally. Smith says: "Any future decision to move data storage to a cloud facility would fall in line with a strict governance process that is subject to evidence of stringent protection of that data."
Meanwhile Rance says: "We don’t currently use the cloud services. That doesn’t mean we won’t. We just haven’t had to.
"Cloud or non-cloud needs to be risk assessed, to make sure the information is safe. Where we are is: cloud and non-cloud have vulnerability considerations. Salesforce and Microsoft are examples of companies that have made major investments making sure their platforms are secure. We’re not anti-cloud, we’ve just not had a need or desire to do so.
"There’s also a concern about whether your server is based in the US or Europe. The cloud is quite a new-age development and, as we’ve seen with Microsoft, it will develop, and there are already platforms that are very secure."
Billing, which can’t call on a larger parent company in this way, uses a hosted system through Oyster Bay. Mackaness notes that, for a smaller company like Billing, the costs of storing this data onsite would be disproportionately higher. Instead, the company has a detailed contract with a third party.
Mackaness adds: "And I like the fact that if our building burned down, we could still access the data. So it spreads the risk a bit more."
Bradford agrees that for many companies storing customer data offsite could streamline their processes. "Choosing the right partner can have significant advantages by enabling the business to concentrate on its core activities by using an external expert for IT or other support services."
With regards to Oyster Bay Systems, Mackaness notes the two companies are able to move data between them with "amazing" speed.
Regardless of size, all motor finance companies deal with third parties, both in terms of introducers (dealers and brokers) and third-party IT firms.
The fact that motor finance is mostly introducer-based presents an obvious weak point in any data protection system – as the data is generally entered from an external site, and then has to be transmitted to the lender.
Bradford is clear that businesses have both a legal and a business requirement to check these third parties thoroughly via due diligence, and that robust contracts must be put in place, including appropriate warranties and indemnities.
He adds: "The outsourced partner has no direct DPA obligations as ‘data processor’ and all risks lie with the motor finance company or ‘data controller’. This will change in 2018 and both parties will have data protection liabilities – so get these contracts in place now before the negotiation position of your third-party suppliers changes and they will look for reciprocal indemnities."
At Paragon, Rance notes that customer data is at its most vulnerable when it’s in transit between the customer and the bank. He adds: "That’s why customer data gets encrypted, so if it does go awry, at least it can’t be read. So the most vulnerable point is when it comes from an introducer – be it dealer or broker."
When it comes to third-party IT systems, the general impression given is that most companies use a blend of third-party and in-house developed security systems.
At Black Horse, for example, Motor Finance is told: "We use both internal and external security protocols and technologies to protect customer data. We use specialist security providers where required, and these suppliers meet our standards in relation to security protection and defence strategies."
Meanwhile Rance says: "In common with many companies, we use a mixture of technologies, some of which are in-house, some of which are third-party. It’s about getting that blend right.
"With third-party, you can fill gaps where your knowledge isn’t as strong. I don’t think any company knows it all, so you can use third-party to support you there."
With data protection set to change in the next two years, now is a good time to ensure your data protection principles are all in order. As Bradford says: "Sort out your compliance position now to make the transition to the new data protection regime in two years’ time as seamless and ‘business as usual’ as you can."