GDPR for Mortgage Brokers: How to Handle Sensitive Financial Data Compliantly
Mortgage brokers and independent financial advisers (IFAs) handle some of the most sensitive personal data in any regulated profession: income, employment history, credit records, debt obligations and, for protection products, health conditions. Financial data is not special category data in itself, but the health information gathered for protection products is, and it falls under GDPR Article 9 and the regulation's strictest conditions.
At the same time, brokers operate under dual regulatory oversight. The FCA sets conduct and data retention rules that sometimes pull in a different direction from GDPR's storage limitation principle. Getting this right means understanding how the two frameworks interact — not just following one and hoping the other takes care of itself.
This guide is for mortgage brokers, IFAs, and anyone working in residential or commercial lending who wants a practical, actionable understanding of GDPR compliance. Start by scanning your website at Custodia to see what data your digital presence is already collecting.
Why Mortgage Data Is Especially Sensitive
A standard mortgage application file contains more sensitive personal data than most other consumer financial products. Before you consider compliance, it helps to understand exactly what you're holding.
Standard personal and financial data
- Full name, date of birth, current and previous addresses
- Employment status, employer name, length of employment
- Income (salary, bonuses, rental income, self-employment earnings, benefits)
- Existing debts, credit card balances, personal loans, other mortgages
- Bank account details and statements
- Credit scores and credit history (including missed payments, defaults, CCJs)
- National Insurance number
- Passport or driving licence scans (for ID verification)
Special category data under Article 9
GDPR Article 9 defines special category data as information about health, genetic data, biometric data (where used to identify someone), racial or ethnic origin, religious or philosophical beliefs, political opinions, sex life or sexual orientation, and trade union membership. Criminal convictions and offences data is not in Article 9; it is covered separately by Article 10 and, in the UK, by the Data Protection Act 2018, with a comparable set of conditions.
For mortgage brokers, health data arises most frequently in two contexts:
Protection products: Life insurance, critical illness cover, and income protection all require health declarations. Pre-existing conditions, mental health history, and lifestyle factors (smoking, alcohol consumption, high-risk occupations) are routinely collected and passed to insurers.
Affordability assessments: Where a client's income is affected by a disability, chronic illness, or maternity/paternity leave, health information may inform affordability calculations.
Processing special category data requires not only a lawful basis under Article 6 but an additional condition under Article 9. For most brokers, this means explicit consent from the client, documented separately from general data processing consent.
Lawful Basis for Processing
Most mortgage data falls across three lawful bases depending on the category of data and purpose.
Contract performance — Article 6(1)(b)
The primary lawful basis for processing financial data is contract performance. A mortgage broker cannot source a mortgage, compare lenders, submit an application, or advise a client without processing their financial information. This is necessary to perform the service the client engaged you for.
This covers:
- Income and employment data used to assess affordability
- Debt and credit data used to identify suitable products
- Identity data needed to submit lender applications
- Bank statements used to verify income
You do not need consent for this data — asking for it would imply the client could refuse and still receive the service, which is not the case.
Legal obligation — Article 6(1)(c)
As FCA-regulated firms, mortgage brokers have statutory obligations that create independent lawful bases for certain processing. These include:
- Anti-Money Laundering (AML) obligations — verifying identity under the Money Laundering Regulations 2017
- FCA suitability and record-keeping rules — MCOB requires brokers to retain records of advice and recommendations
- Suspicious activity reporting — if you file a suspicious activity report (SAR, not to be confused with a subject access request) with the National Crime Agency, the processing involved is covered by legal obligation
Legal obligation is particularly important for data you're required to retain even after a client relationship ends. You cannot delete this data because a client requests it if you have a statutory obligation to keep it.
Explicit consent — Article 9(2)(a) for special category data
For health data collected in connection with protection products, explicit consent is the appropriate condition under Article 9. This must be:
- Freely given, specific, informed, and unambiguous, and, because this is explicit consent, expressed in a clear statement rather than inferred from conduct
- A clear affirmative act (not pre-ticked boxes)
- Granular enough that the client understands what health information is being collected and who it will be shared with
- Recorded and retained as evidence
Practical note: your fact-find or application form should include a separate, clearly labelled consent section for health data. General T&Cs consent is not sufficient.
CRM and Mortgage Sourcing Software as Data Processors
Most mortgage brokers use a combination of CRM systems and sourcing platforms. Each is a data processor under GDPR — they process personal data on your behalf, under your instructions, and you remain the data controller responsible for how that data is used.
Common platforms and processor obligations
Mortgage Brain and Twenty7Tec are widely used sourcing and application platforms. Both process client financial data to source products and submit DIPs (Decisions in Principle). You need a Data Processing Agreement (DPA) with each.
Iress (formerly Trigold) provides sourcing, client management, and compliance tools. A DPA is required. Check Iress's sub-processor list — data may flow to cloud infrastructure providers outside the UK.
Salesforce Financial Services Cloud is used by larger brokerages and networks. Salesforce provides a DPA under its standard terms, but you must ensure your Salesforce configuration only captures data you need (data minimisation) and that access is restricted to appropriate staff.
Other common processors:
- Smartr365, Acre, or similar broker CRMs
- DocuSign or Adobe Sign for e-signatures
- Credit reference agencies (Experian, Equifax, TransUnion) — note these are controllers in their own right for credit data, not your processors, so a DPA is not the right instrument for them
- Secure document portals (Moneyhub, Brokerage-specific portals)
What your DPAs must cover
Under Article 28 of GDPR, your DPA with each processor must specify:
- The subject matter and duration of processing
- The nature and purpose of processing
- The types of personal data and categories of data subjects
- Your obligations and rights as controller
- Restrictions on sub-processing without your consent
- Security measures (Article 32)
- Deletion or return of data on termination
Most enterprise software providers offer standard DPAs — but you must review and sign them, not just acknowledge their existence.
FCA Data Retention vs. GDPR Storage Limitation
This is where mortgage brokers face the most practical tension between regulatory frameworks.
FCA retention requirements
Under MCOB (Mortgage Conduct of Business sourcebook), FCA-regulated mortgage brokers must retain:
- Records of advice and suitability assessments — minimum 3 years from the date the advice was given
- Where an IFA also gives pension transfer advice, the COBS record-keeping rules apply instead and require some records to be kept indefinitely
- Mortgage documents and KFIs/ESISs — generally 3 years, but many firms retain longer
AML regulations under the Money Laundering Regulations 2017 require:
- Customer due diligence (CDD) records — 5 years from the end of the business relationship
- Transaction records — 5 years from the completion of the transaction
GDPR's storage limitation principle
GDPR Article 5(1)(e) requires that personal data is kept no longer than necessary for the purpose it was collected. But the purpose can itself be a legal obligation: Article 6(1)(c) provides the lawful basis for retention required by law, and Article 17(3)(b) removes the right to erasure for data you must keep to comply with that obligation.
In practice: FCA and AML retention periods take precedence over a client's erasure request for the data you are legally required to keep, and only for that data and only for that period. Document this in your Record of Processing Activities (ROPA):
- What data you hold
- Why you're holding it (purpose and lawful basis)
- How long you'll keep it (retention period and justification)
- When it will be deleted or anonymised
For data beyond your minimum legal obligations — early prospect data, marketing lists, lapsed leads who never became clients — GDPR's minimisation principle applies in full. Delete this data when it's no longer needed.
Sharing Data with Lenders and Insurers: Processor or Joint Controller?
When you submit a mortgage application to a lender, or pass client health data to an insurer, the question of whether that third party is a data processor or joint controller has significant compliance implications.
Lenders as controllers in their own right
When you submit a client's application to Halifax, Barclays, or any other lender, the lender becomes an independent data controller for that data. They make their own decisions about how to process it (credit assessment, fraud checking, AML), they have their own retention obligations, and they're subject to their own ICO registration.
This means you are not responsible for what the lender does with the data after submission — but you are responsible for:
- Informing clients in your privacy notice that data will be shared with lenders
- Only submitting to lenders you have a genuine reason to approach (data minimisation)
- Not submitting "fishing" applications to lenders unlikely to approve
Insurers and protection product providers
Similarly, when you pass health data to a life insurer or critical illness provider, the insurer becomes an independent controller for underwriting and policy administration purposes. However, because this involves special category health data, your privacy notice must explicitly state:
- That health information will be shared with specific types of provider
- For what purpose (underwriting)
- What the legal basis is (explicit consent under Article 9)
Credit Reference Agencies — independent controllers
The situation is different again with credit reference agencies (CRAs) like Experian, Equifax, and TransUnion. CRAs maintain and manage credit files independently of your instructions, deciding for themselves the purposes and means of processing credit data. They are therefore controllers in their own right, not your processors and not joint controllers with you, and they publish their own privacy information (the Credit Reference Agency Information Notice) that you should point clients to.
You should inform clients in your privacy notice that a credit search may be conducted via a CRA, and whether this is a soft or hard search (hard searches affect credit scores and should be disclosed).
Identity Verification and AML/KYC Obligations
Every FCA-regulated mortgage broker must comply with the Money Laundering Regulations 2017. This creates specific data processing obligations around identity verification and Know Your Customer (KYC) checks.
What AML data you collect
- Certified copies or digital scans of passports, driving licences, or other ID documents
- Proof of address documents (utility bills, bank statements)
- Source of deposit and source of funds evidence for large transactions
- Enhanced Due Diligence (EDD) documentation for higher-risk clients
- Politically Exposed Person (PEP) and sanctions screening results
GDPR implications
AML data is processed under legal obligation (Article 6(1)(c)). You are required by law to collect and retain it, regardless of whether the client consents. However:
- You must still be transparent — your privacy notice must explain that AML processing takes place and why
- Where you use electronic identity verification services (e.g., Experian Identity or Credas), these are data processors and require DPAs
- AML records must be retained for 5 years from the end of the business relationship
- If a client requests erasure, you cannot delete AML records during the statutory retention period
Marketing to Existing Clients vs. New Prospects
Marketing compliance for mortgage brokers sits at the intersection of GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR).
Existing clients — soft opt-in
Under PECR, the soft opt-in (sometimes called the existing customer exemption) allows you to market by email or text to existing clients provided:
- You obtained their contact details in the course of a sale, or negotiations for a sale, of a product or service (so a client who went through a fact-find with you can qualify even if the case did not complete)
- You're marketing your own similar products or services — a remortgage reminder is similar; a car insurance referral may not be
- You gave them the opportunity to opt out when you collected their data
- You give them a clear opportunity to opt out in every subsequent communication
The soft opt-in covers remortgage reminders, product transfer alerts, and rate expiry notifications — all highly relevant for the typical 2 or 5-year fixed mortgage cycle.
New prospects
For leads who have not yet become clients, you need prior consent under PECR before sending marketing emails or texts. This means:
- A clear opt-in at the point of data collection (enquiry form, comparison site lead)
- Specific enough to cover mortgage broker marketing (not just "financial services updates")
- Documented with a timestamp and the wording they agreed to
If you purchase leads from comparison sites or aggregators, ensure the lead's consent covers communication from your firm specifically, or obtain fresh consent before marketing.
Phone calls
Live marketing calls may only be made to numbers that are not registered on the TPS (individuals) or CTPS (businesses), and never to anyone who has told you they object. Under GDPR such calls normally rely on legitimate interests, so record a legitimate interests assessment before you start. Screen every list against TPS/CTPS before calling any number where you don't have a pre-existing relationship, and re-screen regularly, because registrations change.
Handling Declined Applicants' Data
One area many brokers overlook: what happens to a client's data when their application is declined?
During the active file period
While a declined applicant might want to reapply with a different lender or come back in a few months, you have a legitimate interest in retaining their data for a reasonable period — typically 12 months — to support a future application without making them repeat the entire fact-find.
After the retention period
Once the reason for retention expires, you must delete or anonymise the data. This means:
- Removing financial details, ID documents, and health information from your CRM
- Deleting or anonymising files in document portals
- Retaining only AML documentation for the statutory 5-year period where applicable
Documenting your approach
Your ROPA should include a separate entry for declined applicant data with its own retention period and deletion trigger. Your privacy notice should tell clients upfront how long you retain data if an application is unsuccessful.
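The retention rules in the FCA vs. GDPR section above and the declined applicant section are easiest to get wrong where they interact: an erasure request arrives mid-file, and some records must be kept while others must go. The following is an added Python example, not code from the original article or from any CRM vendor, showing how a retention schedule can be encoded so that both a scheduled deletion sweep and an erasure request are answered from the same table. The 3-year MCOB and 5-year MLR 2017 periods are the ones stated above; the category names, the 12-month declined-applicant period and the sample file are this example's own assumptions.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date

# Retention schedule: category -> (months, event the clock runs from,
# statutory?, basis). The 3-year MCOB and 5-year MLR 2017 periods are the
# ones the article states; the category names and the 12-month
# declined-applicant period are this example's own assumptions.
# A statutory hold is what Article 17(3)(b) lets you cite against an
# erasure request; a business hold is not.
SCHEDULE = {
    "advice_record": (36, "advice given",                 True,  "MCOB record of advice, Art 6(1)(c)"),
    "aml_cdd":       (60, "end of business relationship", True,  "MLR 2017 CDD record, Art 6(1)(c)"),
    "declined_app":  (12, "decision date",                False, "Art 6(1)(f) legitimate interests (assumed 12 months)"),
    "health_data":   (0,  "purpose ended",                False, "Art 9(2)(a) explicit consent"),
    "prospect_lead": (0,  "last contact",                 False, "PECR consent for marketing"),
}


@dataclass
class Record:
    record_id: str
    category: str
    anchor_date: date | None  # None: the clock-starting event has not happened yet


def _as_date(value) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_months(start: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to month end (31 Jan + 1 month = 28/29 Feb)."""
    years, m0 = divmod(start.month - 1 + months, 12)
    y, m = start.year + years, m0 + 1
    return date(y, m, min(start.day, calendar.monthrange(y, m)[1]))


def retention_end(rec: Record) -> date | None:
    """Earliest date the record may be deleted, or None while the anchor event is pending."""
    months = SCHEDULE[rec.category][0]
    return None if rec.anchor_date is None else add_months(rec.anchor_date, months)


def is_deletable(rec: Record, today) -> bool:
    end = retention_end(rec)
    return end is not None and _as_date(today) >= end


def handle_erasure_request(records, requested_on):
    """Split a client's file into what is erased now and what is retained
    under Art 17(3)(b), with the reason and the earliest deletion date."""
    erase, retain = [], []
    for rec in records:
        months, event, statutory, basis = SCHEDULE[rec.category]
        if statutory and not is_deletable(rec, requested_on):
            end = retention_end(rec)
            until = end.isoformat() if end else f"{months} months after {event}"
            retain.append((rec.record_id, f"{basis}; deletable from {until}"))
        else:
            # Consent- or legitimate-interest-based retention yields to the request.
            erase.append(rec.record_id)
    return erase, retain


def due_for_deletion(records, today):
    """Scheduled sweep: every record whose retention period has run out."""
    return [r.record_id for r in records if is_deletable(r, today)]


# Constructed sample file for one declined applicant (not real data).
SAMPLE_FILE = [
    Record("R1", "aml_cdd", date(2023, 3, 15)),       # CDD: deletable from 2028-03-15
    Record("R2", "advice_record", date(2023, 2, 1)),  # advice: deletable from 2026-02-01
    Record("R3", "declined_app", date(2023, 3, 15)),  # decline: deletable from 2024-03-15
    Record("R4", "health_data", None),                # protection fact-find still in use
    Record("R5", "prospect_lead", date(2022, 11, 30)),
]

if __name__ == "__main__":
    erase, retain = handle_erasure_request(SAMPLE_FILE, "2024-06-01")
    print("erase now:", erase)
    for rid, why in retain:
        print(f"retain {rid}: {why}")
    print("sweep 2026-02-01:", due_for_deletion(SAMPLE_FILE, "2026-02-01"))
```

Two design points matter here. First, the AML clock runs from the end of the business relationship, so an AML record whose anchor is still None is held indefinitely until that event is logged; a sweep that used the collection date instead would delete CDD evidence early. Second, the same `SCHEDULE` table is what you would transcribe into the ROPA entry for each category, so the retention period the privacy notice promises and the one the code enforces come from a single source.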
Compliance Checklist for Mortgage Brokers
Use this checklist to assess your current position:
Lawful basis and documentation
- [ ] Privacy notice updated to cover all categories of data collected (financial, identity, health)
- [ ] Separate explicit consent mechanism for health data (protection product fact-finds)
- [ ] Lawful basis documented for each processing activity in your ROPA
- [ ] AML processing disclosed in privacy notice with 5-year retention period
Data processors
- [ ] DPA signed with your CRM provider (Smartr365, Acre, etc.)
- [ ] DPA signed with sourcing platform (Mortgage Brain, Twenty7Tec, Iress)
- [ ] DPA signed with e-signature provider
- [ ] DPA signed with electronic ID verification provider
- [ ] Sub-processor lists reviewed for each provider
Data sharing and third parties
- [ ] Privacy notice explains data sharing with lenders, insurers, and CRAs
- [ ] Credit search disclosure (soft vs. hard) included in client-facing documents
- [ ] CRAs treated as independent controllers (no DPA; clients pointed to the CRAs' own privacy information)
Retention and deletion
- [ ] Retention schedule documented covering FCA (3 years), AML (5 years), and operational data
- [ ] Deletion process in place for declined applicants after defined period
- [ ] Marketing lists reviewed and outdated contacts removed
Marketing
- [ ] Soft opt-in documented for existing clients
- [ ] Consent mechanism in place for new prospect marketing
- [ ] TPS/CTPS screening in place for outbound calls
Rights and subject access
- [ ] Process in place to respond to Subject Access Requests within one calendar month (extendable by up to two further months only for complex or numerous requests, with the client told why)
- [ ] Erasure request process documented (including AML exemption)
- [ ] Privacy notice includes how to exercise data subject rights
Start with Your Website
Before tackling the back-office compliance picture, check what your website is already collecting. Cookie trackers, contact form data, and analytics tools can all create GDPR obligations you may not be aware of.
Scan your website free at Custodia — it takes 60 seconds and shows exactly what personal data your digital presence is collecting, what consents are missing, and where you're exposed.
This article is intended as general guidance for UK-regulated mortgage brokers and IFAs. It does not constitute legal advice. For advice tailored to your firm's specific circumstances, consult a qualified data protection adviser or your compliance function.