GDPR ‘could cost banks €4.7bn in first 3 years’

European banks could face fines totalling €4.7 billion in the first three years under the new General Data Protection Regulation (GDPR), a new report from Consult Hyperion has forecast.

The report has been described as ‘conservative’, as it excludes compensation claims, costs associated with lost customers, damaged reputations and senior executive resignations.

Financial institutions may experience 384 data breaches with fines as high as €260 million per breach, according to predictions.

Under GDPR, financial penalties for a data breach are substantial. Institutions can receive fines of up to two per cent of the previous year’s global annual revenues for a first offence and four per cent for repeat offences where the regulator has previously ordered remedial action. There are also possible criminal penalties for executives deemed responsible.

GDPR’s 72-hour breach notification requirement means managing and responding to a data breach in an open and effective manner is critical. Regulators have significant discretion in the level of penalties they can levy, and are required to take planning, customer notification and mitigation into account in the decision.

Tim Richards, principal consultant at Consult Hyperion, said: “The highest risk item in the GDPR is the 72-hour breach notification requirement, and banks are not mitigating this. Data breaches are an unfortunate fact of life for financial institutions, and our analysis suggests that there have been no fewer than 27 data breach incidents among European Tier 1 banks in the last decade, with some banks as multiple offenders, potentially liable for fines at the four per cent level.

“This indicates an eight per cent chance that any Tier 1 bank will suffer a data breach in any given year. These figures, we believe, are conservative, and banks are not prepared for the consequences under GDPR.”

    Share Story:

Recent Stories


Data trust in the AI era: Building customer confidence through responsible banking
In the second episode of FStech’s three-part video podcast series sponsored by HCLTech, Sudip Lahiri, Executive Vice President & Head of Financial Services for Europe & UKI at HCLTech examines the critical relationship between data trust, transparency, and responsible AI implementation in financial services.

Banking's GenAI evolution: Beyond the hype, building the future
In the first episode of a three-part video podcast series sponsored by HCLTech, Sudip Lahiri, Executive Vice President & Head of Financial Services for Europe & UKI at HCLTech explores how financial institutions can navigate the transformative potential of Generative AI while building lasting foundations for innovation.

Beyond compliance: Transforming document management into a strategic advantage for financial institutions
In this exclusive fireside chat, John Rockliffe, Pre-Sales Manager at d.velop, discusses the findings of Adapting to a Digital-Native World: Financial Services Document Management Beyond 2025 and explores how FSIs can turn document workflows into a competitive advantage.

Sanctions evasion in an era of conflict: Optimising KYC and monitoring to tackle crime
The ongoing war in Ukraine and resulting sanctions on Russia, and the continuing geopolitical tensions have resulted in an unprecedented increase in parties added to sanctions lists.