Mutual Matters – Summer 2016
New general data protection regime: Mutuals, R (E)U ready?
The new EU General Data Protection Regulation (GDPR) will take effect on 25 May 2018. Walker Morris’ Louise Power, a specialist in retail financial services litigation and non-executive director of a local building society, Jeanette Burgess and Andrew Northage, specialists in data protection regulation and compliance, explain why mutuals need to get to grips with the new regime and the practical steps they should be taking now.
A new regime for all
The existing data protection regime is now some 20 years old and technology has advanced significantly since it came into force in the late 1990s. The GDPR therefore aims to harmonise data protection legislation by the creation of an EU-wide single legal framework; to recognise and embrace technological advances for businesses (in accordance with the EU’s Digital Single Market Strategy); and to strengthen citizens’ fundamental data protection rights.
The GDPR will have direct effect in all EU Member States (i.e. it will apply directly in all Member States without the need for any implementation legislation at national level) from 25 May 2018.
Whilst the UK voted to leave the EU on 23 June 2016, the UK will continue to be a Member State, bound by applicable EU laws, for two years from the date a trigger notice is served by the UK Government pursuant to Article 50 of the Treaty on the European Union.
As an Article 50 notice has not yet been served, the GDPR will almost certainly come into force before the UK leaves the EU, which means that UK businesses will be subject to the GDPR for several months before “Brexit”.
Even following a Brexit, due to the expanded territorial scope of the GDPR, UK businesses which offer goods or services to EU data subjects or which monitor EU data subjects’ behaviour will be subject to the GDPR.
It is also likely that post-Brexit, the UK will adopt legislation that closely mirrors the GDPR in order to ensure that it is a safe third country, so that EU organisations can continue to transfer EU personal data to the UK.
Being responsible data controllers, building societies and other businesses operating in the retail financial services industry should start getting to grips with the new data protection regime now.
Key messages for mutuals
This article provides a brief overview of the key changes introduced by the GDPR, including those that will be of particular relevance to building societies and other retail lenders, brokers and financial advisors.
- Increased enforcement powers. The maximum fine for a data protection breach in the UK is currently £500,000. Under the GDPR, however, there will be a two-tier system:
  - fines of up to 2% of annual global turnover or €10 million, whichever is the greater, for violations relating to certain administrative data protection failings; and
  - fines of up to 4% of annual global turnover or €20 million, whichever is the greater, for violations relating to certain more fundamental failings, such as breaches of data protection principles, breaches of data subject rights, and so on.
- Record keeping. Instead of registering with the Information Commissioner’s Office (ICO) on an annual basis, the GDPR will require businesses to maintain detailed records regarding their data processing activities.
- Data protection officers (DPOs). The GDPR will require businesses whose core activities involve either the monitoring of data subjects on a large scale or the processing of special categories of data (i.e. sensitive personal data) on a large scale to appoint a DPO, who must be an expert in data protection law.
- Privacy by design and by default. The GDPR contains new rules which require businesses to implement data protection both by design (for example, building-in data protection safeguards when creating new products, services or other data processing activities); and by default (for example, by minimising the amount of data held/processed). There is also a new requirement for businesses to carry out data protection impact assessments to identify privacy risks in new products.
- Data breaches. There will also be a new obligation on organisations to notify data breaches to the ICO without undue delay and where feasible within 72 hours of becoming aware of the breach.
- Security and pseudonymisation. Building societies will already implement certain data security measures. The GDPR builds upon this and requires both controllers and processors to implement appropriate technical and organisational measures to ensure a level of security that is appropriate to the risks involved in the processing of personal data. The measures required of financial services firms are likely to be significant, based on their handling and storage of customers’ sensitive financial data.
- Encryption technology is already a fairly commonplace tool for addressing data security, but the GDPR also introduces the concept of ‘pseudonymisation’, also known as ‘keycoded data’. This is where, although data has been anonymised, individuals can still be identified through the use of a ‘key’. For example, an anonymised list of employees which includes national insurance numbers – knowing which national insurance number belongs to which employee will enable the individuals to be identified.
- Enhanced data protection rights for individuals. Building societies and others operating within the retail financial services sector also need to be aware of, and to comply with, the enhanced rights afforded to individual customers under the GDPR. These include:
  - Right to be forgotten. Individuals are entitled to have their personal data erased in certain circumstances (for example where the data is no longer necessary in relation to the purpose for which it was collected; where the individual withdraws consent; where the data has been unlawfully processed etc). Where a business removes data pursuant to this right ‘to be forgotten’, the business also has a duty to inform others to whom they have passed the data of the erasure request.
  - Right to object to profiling. This is the right for individuals not to be subjected to wholly automated processing for the purposes of evaluating personal aspects such as health, personal preferences, behaviour and movements. Individuals are also able to object to decisions made based solely on automated profiling. This could have implications for some credit check and underwriting procedures.
  - Right to data portability. Individuals have the right, in certain circumstances, to receive their data in a structured, commonly used and machine-readable format in order to transfer that data to another controller without hindrance. This is likely to be relevant for account-switching, re-mortgaging and the like. Building societies should consider collaborating with other data controllers to develop smooth and efficient procedures for dealing with data transfer requests.
- Changes to Subject Access Requests (SARs). The information that individuals can request pursuant to a SAR has been expanded to include the purposes of the processing; the categories of data held; the envisaged period for which data will be stored; the recipients or categories of recipient to whom the data has been or will be disclosed; the sources from which the data originates; the existence of automated decision-making/profiling and the logic involved; and the safeguards in place relating to any transfer of data to a third country or international organisation.
- The time frame for complying with a SAR will also reduce from 40 days to one month and in most cases it will no longer be possible to charge a fee for providing the requested information.
- Responses to SARs should be concise, transparent and in easily accessible form in clear and plain language.
- The ICO has suggested that for organisations which receive large volumes of SARs, they should consider carrying out a cost/benefit analysis of providing customers with access to their personal data online.
- Consent for data processing. Under the GDPR it will be more difficult to obtain consent for data processing. The GDPR requires that consent must be freely given, specific, informed, unambiguous and demonstrated either by a statement or a clear affirmative action. The GDPR also requires that it must be as easy for a data subject to withdraw consent as to give it.
- New obligations for data processors. For the first time, the GDPR introduces direct obligations for data processors, which will be enforced by the levying of fines and other penalties. Data processors will also be liable to compensate individuals whose rights have been infringed.
Next steps
Whilst the GDPR means greater consistency across the EU in data protection rules and regulation, which should be a good thing for both businesses and individuals, it is also likely to mean greater scrutiny, by customers and by regulators, and greater administrative pressures on building societies and others within the retail financial services sector.
As the Information Commissioner himself has said, in light of the new increased fines, there are now 20 million reasons for organisations to get compliance with the GDPR right. The key to this is ensuring that organisations understand in detail how they currently deal with personal data. The best way to do this is to carry out a full information audit which should include a review of:
- what personal data is collected;
- where it is collected from, how and why;
- where the data is stored;
- what security measures are in place to protect the data;
- how it is processed and for what purposes;
- whether the data is transferred to third parties, if so where are they located and what are they doing with the data;
- how long is data kept for;
- what consents are obtained for processing;
- what procedures are currently in place for dealing with SARs;
- any existing privacy notices; and
- existing contractual arrangements in light of the new data processor obligations.
The results of the information audit should be documented and a gap analysis performed to identify where action needs to be taken to bring processes into line with the GDPR’s requirements. An information audit is a worthwhile investment as it will form the basis of the documentation that organisations will need to keep in respect of their data processing activities.
Although the GDPR will not come into force for nearly two years, there is a lot for organisations to do in order to ensure that they are compliant with the new regime on 25 May 2018. In the words of the Information Commissioner, “Don’t panic, be prepared”, and the ICO has already published its 12 step guidance to help organisations begin the process. The ICO is also due to publish further guidance in a number of areas by the end of the year, so it is important for organisations to keep up to date with developments. Walker Morris will be monitoring and publishing updates as and when more information becomes available.
If you have any queries or concerns relating to the GDPR, or if you would like advice and assistance with undertaking an information audit, please do not hesitate to contact Louise Power, Jeanette Burgess or Andrew Northage, who will be very happy to help.

Lack of advisory duty for lenders
Walker Morris has reported previously [1] on the growing body of lender-friendly case law which has arisen out of interest rate swap agreements entered into in the run-up to the 2008 financial crisis. Many of those cases have centered on the lack of any duty on the part of the lender to advise customers in relation to financial products being sold. In Finch v Lloyds [2], the High Court has emphasised that lack of duty.
Background and facts
The borrowers in this case entered into an interest-rate swap agreement when taking out a loan in early 2008, but then discovered an onerous term relating to break costs when they sought to terminate the agreement early. While other swap mis-selling claims have focused (unsuccessfully) on allegations of negligent advice, the claimant borrowers in Finch v Lloyds alleged that the lender had contractual and tortious duties to provide advice as to the existence and effect of onerous terms within the products sold, but had failed to do so.
The borrowers claimed that duties on the lender to advise arose out of the close working relationship between the parties, or were implied by section 13 of the Supply of Goods and Services Act 1982 or by necessity. The borrowers also relied upon the fact that the lender had described itself in its marketing materials as a “trusted advisor” and as providing a loan that was “tailored” to the borrower’s needs.
Decision and law
The High Court dismissed the borrowers’ claim in its entirety:
- The court held that, regardless of the relationship and interactions between the parties, there was no express contract to advise and no contract to provide a service into which the duty to advise could be implied.
- The court found that use of the phrase “trusted advisor” was merely a marketing tactic to try to make the lender appear different from its competitors, but that it had no other significance.
- In relation to the claim that the lender had negligently misrepresented that the loan agreement would be “tailored” to the borrower’s needs, the court held that the loan was tailored to the extent that it met the borrower’s requirements as to amount, term and inclusion of a payment holiday and that the borrowers had not informed the lender of any plan to exit early.
- The court also noted that the term “tailored” in this context could not possibly be construed as requiring the lender to offer facilities on terms that subordinated its commercial interest to those of the borrowers.
- Crucially, the court reiterated that there is no general duty on a lender to provide their customers with advice where they have not specifically agreed to do so. A tortious duty arises only when a lender does provide advice, and is then a duty to do so with reasonable care and skill.
- The court went even further, stating that “the circumstances would have to be exceptional before it could safely be concluded that a bank that is pitching for the business of a potential customer came under a duty to give advice in relation to the product that it was offering” [3]. That is likely to be all the more the case where, as here, to the knowledge of the lender, the borrowers were represented in the transaction by brokers and solicitors.
WM Comment
This case will be welcomed by lenders for the emphasis it gives to the principle that there is no general duty on them to provide advice and for the additional hurdle that it represents to claimants, citing, as it does, that exceptional circumstances will be required before a court will find otherwise.
Mutuals should note from a practical point of view, however, that whilst the case does indicate that a lender will not be held to marketing statements that amount to mere advertising puff [4] there is nevertheless the possibility that some statements that are made by lenders in their marketing material could, in some circumstances, amount to contractual promises. Even where that is not ultimately the case, it may be better in terms of customer relations, TCF and for the avoidance of future disputes, for mutuals’ marketing materials to be reviewed to ensure that they do not set up unrealistic customer expectations or misrepresentations which could come back to bite.
_______________________
[1] See our previous briefing.
[2] Finch & Anor v Lloyds TSB Bank Plc & Ors [2016] EWHC 1236 (QB)
[3] Ibid. para 54
[4] Carlill v Carbolic Smoke Ball Co [1892] EWCA Civ 1

CMA’s reform of retail banking
The Competition & Markets Authority (CMA)’s final report following its investigation into the retail banking market was published on 9 August 2016 and can be accessed here. The report concludes that the larger and more established banks do not have to compete hard enough for customers’ business. As a result, smaller and newer banks and other financial services providers find it difficult to grow and customers do not benefit as they should in a more competitive market.
The CMA is therefore implementing a wide package of reforms, which building societies and other retail financial services providers will have to implement, which aims to ensure that customers benefit from technological advances and increased competition. Key measures, which should benefit personal and small business customers, include:
- The requirement for building societies and other retail banking services providers (referred to, for the sake of brevity, as ‘banks’) to operate Open Banking by 2018. Open Banking requires the implementation of technological change to enable customers to share their data securely with other banks and third parties, to take control of their funds and to compare financial services products more effectively.
- The requirement for banks to publish trustworthy and objective information on the quality of their services to encourage customers’ easy and effective comparison with competitors.
- The requirement for banks to issue periodic and event-based [1] prompts reminding customers to review the service they are getting and to consider switching banks.
- Measures to make it easier for customers to search and switch bank accounts and other financial services products.
- Measures to benefit unarranged overdraft users, including increased notification requirements to give customers the increased opportunity to avoid overdraft charges and monthly caps on such charges.
WM Comment
The remedies proposed by the CMA are influenced by insights from behavioural economics, which are essentially aimed at equipping the consumer with the tools to take action. This approach reflects the recent trend for economic regulators to put a stronger focus on behavioural economics and move away from structural remedies.
Whilst there seems little doubt that the CMA’s retail banking reforms will place an additional administrative burden on all retail banking providers in the short term, many building societies’ policies and practices already go a long way towards promoting transparency and treating customers fairly. Harnessing technological advances to improve the customer experience and to encourage competition is perhaps a natural extension of this. Some of the more established mutuals will already be well equipped to respond positively to the new measures (as, no doubt, will their customer base) and some of the smaller firms and more recent entrants to the market will welcome the opportunities that the reforms may represent.
If you would like any further advice in connection with the CMA’s final report and what it might mean for your business – in particular, if you would like any help with reviewing your existing policies and procedures to ensure compliance or if you currently face any customer complaints with which we might assist – please do not hesitate to contact Louise Power or any member of the Banking Litigation team.
_____________________________
[1] Relevant events will include branch closures, fee/charge increases and the like.

Overreaching and overriding interests
Like so many cases in recent years, the background to Mortgage Express v Lambert [1] involves fraud. When the owner of a leasehold flat, Ms Lambert, got into financial difficulties, she fell prey to a sale and leaseback scam whereby she sold her property, at a significant undervalue, to two fraudsters. While Ms Lambert continued to occupy, the fraudsters obtained a mortgage loan secured against the property at its true value and then made off with the proceeds. When the lender sought possession, Ms Lambert claimed she was entitled to unravel her sale to the fraudsters on the basis that it was an unconscionable bargain. She also claimed that she was entitled to receive her flat back free from the mortgage.
The Court of Appeal had to consider the legal nature of Ms Lambert’s right to set aside her sale of the flat on the basis that it was an unconscionable bargain; how such a right fitted into the system of land registration; and whether Ms Lambert’s right could be overreached in any event.
Law for lenders
The Court of Appeal undertook some academic analysis which will be of interest to building societies and other lenders, which can be summarised as follows:
- The law is clear that a right to set aside a transaction on the grounds of misrepresentation or undue influence is classified as an ‘equity’ [2]. There is no reason to suppose that a right to set aside an unconscionable bargain is any different, and so Ms Lambert had an equitable right that was recognised at law.
- Section 116 of the Land Registration Act 2002 (LRA) provides that an equity is an interest that is capable of binding successors in title.
- The general rule in registered conveyancing is that all interests and rights over a piece of land must appear on the register. Overriding interests are the exception to that rule, however, and may bind a successor in title despite not being registered.
- Occupiers’ interests may be capable of overriding registered dispositions (such as mortgage charges) if the occupation is obvious on a reasonably careful inspection of the land or the buyer/mortgagee knows about the interest.
- Overreaching is a process by which equitable rights in land which might otherwise have enjoyed protection on the occasion of a disposition are detached from the land and are transferred instead to monies paid in exchange for the sale/mortgage.
Court of Appeal decision
The Court of Appeal concluded:
- Although Ms Lambert’s right was legally capable of binding successors in title, it did not amount to an overriding interest because when inquiry was made of Ms Lambert prior to completion of the mortgage, she did not disclose the fact that she was continuing in occupation. If an occupier does not reveal its rights when inquiries are made as part of a reasonable inspection, he or she cannot thereafter assert them.
- In any event, the fraudsters in this case had been registered proprietors of the land and a valid mortgage transaction was completed [3], such that the requirements for overreaching were met.
- Ms Lambert’s right was therefore not binding on the lender. Her interest had been overreached and had, thereby, become an interest in the loan proceeds (rather than an interest in the land itself).
WM Comment
This case clarifies, for the first time, that the right to set aside an unconscionable bargain is an equity that is, at least in principle, capable of being an overriding interest and of binding successors in title. As the Court of Appeal’s conclusion demonstrates, however, much will depend on the facts of the case, and an occupier’s rights will not override those of a subsequent registered chargeholder if those rights were not obvious or asserted upon a reasonable inspection. Lenders will also be pleased with the confirmation provided in this case that overreaching of an equity can nevertheless occur if other necessary legal requirements are met.

Tiuta v De Villiers Surveyors restores law in lenders’ favour
Walker Morris has reported previously on the earlier High Court decision in the Tiuta v De Villiers Surveyors litigation. Professional Negligence specialist Sandip Singh now explains the outcome of an appeal to the Court of Appeal [1], which will no doubt be of welcome interest to building societies and other lenders.
Background law and facts
In order to succeed in a negligence claim against a surveyor, a claimant must establish causation. It must prove, on the balance of probabilities, that but for the surveyor’s negligence, the claimant would not have suffered any loss. Applying the well-established ‘but for’ test involves comparing the claimant’s actual position with the no negligence position (i.e. the position it would have been in if the surveyor had valued correctly) [2]. Where a subsequent loan fully redeems an earlier loan, no loss is suffered and so no cause of action subsists in relation to the earlier loan. In these circumstances, a claimant would only be able to pursue a claim if it had suffered loss and if that loss was caused by negligence, if any, in the valuation upon which the subsequent loan was founded [3].
The High Court’s decision in Tiuta v De Villiers Surveyors [4], however, effectively enabled the surveyor to escape the consequences of his negligence when providing an over-valuation in support of a second/re-financing loan, on the basis that loss had already been suffered in any event, arising out of the original debt. The High Court’s decision seemed to significantly limit the losses that a lender could recover in surveyor’s negligence cases involving second/re-financing loans.
Court of Appeal clarity
The lender in this case, Tiuta, argued on appeal that the second transaction had discharged the original loan in full and had created a fresh loan, with fresh security, rendering the surveyor liable for all losses flowing from the negligent valuation which had been provided in support of the second loan. The surveyor, on the other hand, argued that the second loan was, in substance, merely an increase in the amount of the original loan and, as such, its liability should be restricted accordingly. It also argued that if the subsequent loan had not been made, the lender would still have suffered loss as a result of the (over-valued) original loan.
Siding with the lender, and effectively restoring the law as stated in Nykredit and Preferred Mortgages, the Court of Appeal decided that when a lender considered making a fresh loan, part of which was to be used to repay an existing debt, the purpose to which the new loan would be put was irrelevant to the valuer. The valuer was instructed to provide a valuation upon which the lender would rely when considering whether to enter the transaction, regardless of the purpose to which the loan monies would be put. If the surveyor negligently overvalued the security, he would be liable for the losses flowing from that valuation which, crucially, will not be limited to the amount by which the re-finance exceeds the original loan.
WM Comment
Lenders and their legal advisors will be pleased both with the clarity provided by the Court of Appeal in this decision and with the fact that it means that, in relation to surveyors’ negligence claims, second loan, re-financing or remortgage transactions will be treated as fresh loans in their own right, such that lenders’ losses will potentially be recoverable in full and will not be restricted to the amount by which the second loan exceeds the first.
Valuers may wish to review the standard terms and conditions upon which they provide second mortgage valuations and to take advice as to whether they may be able to limit or exclude liability. In any event, this decision will impact upon the exposure of valuers and their insurers in second loan, re-financing or remortgage valuation cases and the industry may see an increase in professional indemnity premiums as a result.
If you would like any further advice or assistance in relation to this important decision, please contact Sandip Singh or any member of Walker Morris’ Banking Litigation team.
___________________________________
[1] Tiuta International Limited (In Liquidation) v De Villiers Chartered Surveyors Limited [2016] EWCA Civ 661
[2] Nykredit Mortgage Bank plc v Edward Erdman Group Ltd [1997] UKHL 53
[3] Preferred Mortgages Ltd v Bradford & Bingley Estate Agencies Ltd [2002] EWCA Civ 336
[4] [2015] EWHC 773 (Ch)