Financial advisers hold a deeply personal window into their clients' lives. Income, debts, savings, pension pots, investment portfolios, family circumstances, insurance needs, inheritance plans — this is not generic marketing data. It is among the most sensitive information a person shares with any professional outside their doctor or solicitor.
That sensitivity creates real GDPR obligations. Independent financial advisers (IFAs), wealth managers, and restricted advisers operating in the UK are subject to both the UK GDPR (post-Brexit) and the FCA's conduct rules. Getting data protection right is not optional — and the consequences of getting it wrong can include both ICO enforcement and FCA disciplinary action.
This guide covers what financial advisers actually need to do.
Why Financial Advisers Face Strict GDPR Obligations
Financial data sits in an unusual position under GDPR. Unlike health data, political opinions, or religious beliefs — which are classified as "special category" data under Article 9 and attract the highest level of protection — financial information is not explicitly listed as special category.
But do not be misled by that. The ICO and courts have consistently recognised that financial data is highly sensitive in practice. A person's income, assets, and debts can reveal vulnerabilities, expose power imbalances, and cause significant harm if disclosed inappropriately. The data minimisation, purpose limitation, and security requirements of UK GDPR apply with full force.
There is also a practical point: financial advisers are often dealing with clients who are elderly, recently bereaved, divorcing, or otherwise in vulnerable circumstances. The duty of care embedded in FCA conduct rules reinforces — rather than conflicts with — GDPR's data protection principles.
Types of Data Financial Advisers Process
A typical client file for an IFA or wealth manager will contain:
- Personal identifiers: name, address, date of birth, national insurance number, passport or driving licence copy (for KYC purposes)
- Financial data: income (employment, self-employment, rental, investment), assets (property, savings, investments, pension), liabilities (mortgages, loans, credit cards)
- Tax information: tax codes, self-assessment details, capital gains positions, ISA allowances used
- Pension details: defined benefit entitlements, defined contribution values, pension transfer values
- Investment portfolio data: holdings, valuations, platform accounts, past transactions, risk attitude scores
- Family circumstances: marital status, dependants, anticipated inheritance, power of attorney arrangements
KYC/AML Requirements vs. GDPR Data Minimisation
One of the most common tensions for financial advisers is between Know Your Customer (KYC) and Anti-Money Laundering (AML) obligations on one side, and GDPR's data minimisation principle on the other.
The Money Laundering Regulations 2017 (as amended) require advisers to verify client identity, understand the nature of the business relationship, and conduct ongoing monitoring.
How to navigate this:
- Legal obligation as lawful basis: For KYC/AML data, your lawful basis under Article 6(1)(c) is legal obligation. You do not need client consent.
- Minimum necessary: AML obligations require you to collect what is necessary to satisfy the regulations — not everything available.
- Retention: AML regulations require retention of client due diligence records for five years after the end of the business relationship.
FCA Conduct Rules and GDPR
The FCA's conduct rules sit alongside GDPR — they do not replace it. Key interactions:
Suitability assessments: FCA rules (COBS 9) require advisers to gather sufficient information to assess suitability. The lawful basis is typically contract plus legal obligation.
Consumer Duty: The FCA's Consumer Duty (effective July 2023) requires firms to understand clients' needs, characteristics, and objectives — creating expectations of richer data collection.
Data Retention — FCA Periods vs. GDPR Storage Limitation
FCA minimum retention periods (approximate):
- Investment advice records: five years
- Pension transfer advice: six years minimum (many firms retain permanently)
- Insurance mediation: three years
- KYC/AML records: five years after end of business relationship
Handling Data Breaches — The FCA Dual-Reporting Requirement
Financial advisers face a dual notification obligation:
- ICO notification: Breaches must be reported within 72 hours
- FCA notification: Material operational incidents must also be reported under Principle 11
Getting Started
Run a free privacy scan at app.custodia-privacy.com/scan to see what trackers and data processors are active on your website. Custodia's AI generates a tailored privacy policy, cookie banner, and compliance recommendations. No signup required.
This post provides general information and does not constitute legal advice.