GDPR compliance to cost FTSE100 firms £15 million, banks face largest bill

21 December 2017

As the May 2018 application date for the General Data Protection Regulation (GDPR) looms, many firms are still scrambling to prepare for the landmark legislation. Compliance will come at a price: new research puts the average bill for a FTSE100 firm at £15 million, and suggests companies should expect to spend around £300-450 per employee on their compliance programmes.

According to new analysis from Sia Partners, two major observations can be gleaned from examining the way the UK’s top businesses are planning to cope with the GDPR. Each firm within the FTSE100 index will face a different level of investment, since size, IT system complexity, number of products and service lines, and a host of other determinants vary from one firm to another, but some themes remain constant across the board.

First, and most obviously, implementation costs grow with a firm’s size, as the larger volumes of data held by bigger operations raise the complexity of compliance. The spread of potential budgets also widens markedly with firm size.

GDPR implementation cost by company size

The second point which the authors, David Coolegem, a Senior Manager, and Adrien Dauchot, a Senior Consultant at Sia, make about their data is that this spend tends to level out when measured per employee. The minimum and average implementation cost per employee are consistent across firm sizes, with implementation costing £300-£450 per employee on average across all sectors. The maximum seen for an individual firm, however, drops markedly once firm size exceeds 10,000 employees.

The authors explain that the maximum figures are outliers within an otherwise tightly clustered group, and name the biggest outliers as large insurance groups and oil & gas firms. This reinforces the £300-£450 implementation cost per employee as a sound first-pass gauge for firms evaluating how much to budget for GDPR compliance.

GDPR implementation cost by company size per employee

Within the FTSE100, banks are the group with the highest expected GDPR spend. Banks serve a wide range of customers (from retail to supranational), offer a very broad range of products and services, and tend to run complex webs of legacy IT systems. They also operate in an increasingly competitive market in which customers can switch providers relatively easily: according to recent research by Baringa Partners, almost a third of people (29%) say they would immediately switch to another bank if their provider suffered a major breach in which their personally identifiable data was leaked. As a result, the average implementation cost per employee is consistently higher across the banking industry.

Major spending

Excluding banks, the average spend per sector clusters around two distinct levels. Energy, commodities & utilities, retail goods and technology & telecommunications firms will see approximate spends of £15-19 million, while the remaining camp, consisting of all other market sectors, will most likely settle at around £5-11 million, according to Sia Partners’ estimates.

GDPR implementation cost per sector

One major outlying group is large insurance companies, which face a disproportionately high average implementation cost per employee. This, coupled with the plentiful and sensitive information at the heart of the insurance industry’s work, means they also have the highest maximum spend within the second camp. Based on these factors, Sia concludes that there will be three key outliers from the general GDPR spend of £300-450 per head: banks; energy, commodities & utilities firms, driven by the big oil companies; and non-banking financial services firms.

Irrespective of industry, Sia Partners’ analysis shows that firms will need significant budgets to bring themselves in line with the GDPR’s requirements. On average, the sum adds up to a weighty £15 million investment. These programmes could nonetheless pay for themselves many times over if they help companies avoid the severe penalties attached to the new data protection regime. The maximum fine for breaching the GDPR is 4% of annual global turnover (or €20 million, whichever is greater), and Oliver Wyman suggests that fines at that level could cost the FTSE100 a collective £5 billion each year.

GDPR implementation cost per employee by sector

For the FTSE100, a fine of 4% of annual turnover would range from £800,000 for the smallest member to £7.1 billion for the largest. Generalising these numbers, a fine of 4% of revenues represents on average 30-80 times the cost of implementing the GDPR adequately in the first place. Within this range, energy, commodities & utilities and industrial goods & services stand out with very high multiples of approximately 80. This reflects the comparatively low cost of GDPR implementation for these sectors, and highlights that such programmes would offer them a particularly strong return on investment.


The business and operating models of digital-only banks

04 April 2019

In recent years, several digital-only banks have successfully established themselves in the banking landscape, and their popularity continues to grow. From the customer’s point of view there is little to separate these FinTech unicorns; looking at the bigger picture, however, reveals significant variation in their business models. Matyas Fekete, a consultant at KAE, explores some of the main similarities and differences in digital banks’ business and operating models.

What about the profit?

Unlike in the UK, bank accounts and the corresponding banking services have historically been paid-for services in most of continental Europe. The fact that digital banks offer most of their services free of charge has undoubtedly helped them build a large customer base. On the other hand, even with set-up and operational costs far below those of traditional banks, the lack of revenue inherent in a no-fee model has made profitability difficult to achieve. Monzo, for instance, recorded a net loss of more than £30 per customer in its most recent financial year.

In the start-up world, it is customary to focus on expansion rather than profit – see the case of Uber, for instance. Still, while profitability might not be their number one priority in their early stages of development, it must be a long-term goal of any business. With their ever-growing customer base, digital banks are increasingly under pressure to turn their business from loss- to profit-making. 

Credit where credit is due

Digital banks pride themselves on their fair (often meaning “free”) proposition and have so far steered clear of offering loans (including credit cards and overdrafts), traditionally among the most lucrative products for incumbent providers. Somewhat reluctantly, the newcomers are realising that lending products are one of the most straightforward ways to offset the losses made on their free but costly services (e.g. overseas ATM withdrawals). Monzo, N26 and Starling have recently started offering credit products to their customers, and their loan offerings are expected to extend to a wide range of products, from mortgages to overdrafts. Building a lending portfolio can also pave the way for an interest-paying savings offering, a basic banking product that has yet to feature in most digital banks’ portfolios.


The premium customer

While most digital banks offer the bulk of their products for free, some have extended their offering with paid-for premium services in order to create a revenue stream. Because these premium features, including various types of insurance, unlimited free transfers and withdrawals, faster payment settlement and concierge services, are usually sold as a subscription, customers are prompted to pay for the full package rather than just the service(s) they want, providing a significant revenue stream for the bank. Revolut, for instance, was among the first digital banks in Europe to break even earlier this year, a feat largely attributable to revenue from its premium subscription.

SMEs like digital too

Traditional banks typically serve small and medium-sized businesses through their retail rather than corporate banking arm. Having tested their product offering with consumers and built a reasonable customer base, digital banks have identified SMEs as an ideal segment to extend their target audience to. The five FinTechs profiled have already gone, or plan to go, down this path by following their consumer solution with a business account. While both propositions are typically built on similar features, some providers charge businesses a monthly subscription (e.g. Revolut), while others apply additional fees to specific services (e.g. TransferWise), banking on the expectation that businesses, already used to paying for banking, are more willing to do so.

The marketplace model

While most digital banks offer a wide range of banking services, some of these come from partnerships with third-party providers. For instance, Starling Bank’s only proprietary product is its current account, which serves as the basis for ancillary services ranging from loans to insurance and investment products. Instead of developing these services in-house, Starling gives a select group of partnering financial service providers access to its platform in exchange for a fee. In effect, Starling is using its customer base to create a market for its partners, charging a commission for each customer acquired through it.

For digital banks applying this marketplace model, the majority of income often comes from partners rather than customers. Naturally, only banks with a large enough customer base can succeed in this set-up, which underlines the current intensity of competition among digital banks.

Banking as a Service

While customer-centricity is heralded as one of the main USPs of digital banks, some are looking beyond consumer-facing services to diversify their revenue streams. Starling, one of the few digital banks built on its own proprietary platform, has recently moved into the Banking as a Service (BaaS) market, making its technology available to other start-ups looking to launch a digital bank. This naturally raises the question of whether the two offerings could threaten each other’s success. As long as such partners operate in different markets, the two business lines should be able to thrive alongside each other. Further down the line, however, partners pursuing global success could easily expand their banking solution into the same market(s) as Starling, and in doing so become direct competitors.

Different approach, same result?

It is fair to say that consumers in Europe looking to bank with a digital-only provider would struggle to find relative advantages or disadvantages among the leading players. Still, despite the limited surface-level variety, exploring the business models of the leading digital banks reveals different approaches to the challenge of making money. Alongside the more straightforward method of offering paid-for premium features and subscriptions, some are banking on the value that access to their customer base holds for third parties, while others license their technology to neobanks that want to focus on the Fin rather than the Tech. With competition among digital banks heating up, it will be interesting to see which business model(s) prove to be the winning formula in the long term.