Banks to face fines totalling €4.7bn in first three years under GDPR

Report warns that banks are not prepared for the 72-hour breach notification requirement

European financial institutions could face fines totalling €4.7bn in the first three years under the incoming General Data Protection Regulation (GDPR).

That's according to a new report from Consult Hyperion, commissioned by AllClearID and titled Banks, Breaches and Billion Euro Fines.

The new EU legislation applies from May 2018, and the financial penalties for a data breach are substantial. Depending on the category of infringement, organisations can be fined up to €10m or two per cent of their worldwide annual turnover for the previous financial year, whichever is higher, or up to €20m or four per cent for the more serious category.

The report forecasts how different types of banks, from Tier 1 to Tier 3, would fare once GDPR is enforced. The figures were compiled from an analysis of historic data breach numbers, adjusted for the size of the financial institution, with GDPR sanction levels then applied to the resulting breach rates.

It forecasts that Tier 1 banks would be fined an average of €260m per breach, with two to three breaches expected in the first year under the new regulation, and that Tier 2 banks would be fined €48m on average per breach, with six breaches forecast in the first year. Tier 3 banks, which make up the biggest proportion of institutions, face an average forecast fine of €5m per breach, with 120 breaches forecast in the first year, giving an estimated total of €600m in first-year fines for that tier alone.

The total fines in the first year for all banks would be €1,554m, and over three years would be €4,662m.

Consult Hyperion said it used only the lower tier of the GDPR fine scale (€10m or two per cent of global turnover) in its calculations. It described its forecast as 'conservative', since it excludes compensation claims, the cost of lost customers, reputational damage and senior executive resignations.

So the real cost could be considerably higher, and the report's other finding is that financial institutions are not yet prepared for the incoming legislation.

According to Tim Richards, principal consultant at Consult Hyperion, the highest-risk item in GDPR is the requirement to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, because banks are not yet doing anything to mitigate that risk.

"Data breaches are an unfortunate fact of life for financial institutions, and our analysis suggests that there have been no fewer than 27 data breach incidents among European Tier 1 banks in the last decade, with some banks as multiple offenders, potentially liable for fines at the four per cent level," he said.

"This indicates an eight per cent chance that any Tier 1 bank will suffer a data breach in any given year. These figures, we believe, are conservative, and banks are not prepared for the consequences under GDPR," he added.