Firms that are falsely using GDPR as a “scapegoat” for non-compliance with Consumer Duty are risking severe action from the Financial Conduct Authority (FCA), MorganAsh has warned.
The support services provider has reported that some firms are using the data protection laws as a reason not to comply with the regulator’s Consumer Duty rules.
Consumer Duty requires firms to monitor consumer vulnerability over the lifetime of the product, to compare this data with outcome data, and to mitigate any potential harms. GDPR requires firms to keep the data accurate and secure, and to be able to produce it and delete it if the consumer requests this.
Anecdotal evidence gathered by MorganAsh indicated that some firms are avoiding collecting and storing customer vulnerability data to avoid a perceived conflict with GDPR. These firms have argued that the fines and sanctions from the FCA would be far less than those from the ICO.
MorganAsh managing director, Andrew Gething, suggested that this approach puts firms at risk of serious penalties and sanctions – particularly with the FCA’s focus on improving outcomes for vulnerable customers.
“We are seeing a worrying trend where some firms use GDPR as a scapegoat for not complying with Consumer Duty,” Gething said.
“While firms are right to consider data protection laws, the response should not be to forgo such an important requirement of Consumer Duty. This is especially true as the regulator continues to prioritise customer vulnerability and take significant action where it finds serious failings.”
He added: “Rather than burying their heads in the sand or choosing one regulation over the other to follow, firms of all sizes absolutely need to act and ensure their customer vulnerability implementation is compliant.”