According to the 2025 Thales Digital Trust Index, trust in digital services has dropped across nearly every sector over the past year, with not a single industry reaching 50% trust among consumers. Financial services leads the pack at 44%, which is still a poor showing in terms of consumer trust.
Banking and financial services are often perceived as upholding regulatory oversight and accountability rules and safeguarding consumers’ most private data, yet the sector is not even doing as well as that perception suggests. At a meager 44%, it is not a figure that inspires confidence. If fewer than half of consumers trust even the most trusted digital sector, financial services firms and the consumers and businesses who use them face a serious problem.
And that problem may be worse than it looks. Despite the onerous regulation across multiple aspects of financial operations, data privacy and protection remain blind spots for many financial services firms. In fact, recent research shows that nearly half of finance brands are failing to comply with basic data protection laws—a critical gap that exposes these organizations to significant business and reputational risks.
Regulatory compliance ≠ Data safety and privacy protection
Consumers might assume that their financial data is safe simply because financial institutions are subject to unusually high levels of regulatory scrutiny. But compliance with financial regulation is not the same thing as compliance with data protection laws like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). While financial regulations focus on areas such as anti-money laundering, know-your-customer (KYC) requirements, and transactional integrity, GDPR specifically governs how consumer data is collected, stored, and processed.
This distinction is a source of genuine risk. As consumer trust erodes, any perceived breach or misuse of personal data can result in not only regulatory fines, but also irreparable brand damage.
Non-compliance: Widespread but often unintentional
A comprehensive study by digital innovation agency 7DOTS uncovered alarming evidence: of the nearly 25,000 UK financial services websites analyzed, 43% were found to be non-compliant with GDPR and related data protection rules. At the heart of the problem: these companies accessed browser storage (such as cookies) for analytics or advertising purposes without first obtaining explicit user consent.
In addition, 72% of these non-compliant firms passed data to Google without appropriate permissions, often unwittingly. In most cases, this data exchange was done to power analytics dashboards or target consumers with personalized advertising—activities that are illegal under GDPR unless consent is clearly and freely given.
The study, which focused on Financial Conduct Authority (FCA)-regulated firms with operational websites and regulatory mandates broader than consumer credit alone, used a custom-built cookie compliance testing tool to conduct its investigation and reach these conclusions.
The findings suggest a systemic issue across the financial services industry—not isolated technical oversights, but widespread procedural failings and a fundamental misunderstanding of or indifference toward data privacy and protection laws and consumer consent.
Reputational risk: On the brink of a crisis of trust
Financial brands already face challenges in retaining consumer trust. According to the Thales report, even in the relatively “trusted” banking sector, less than half of consumers feel secure using digital services. Add to this the revelation that many institutions are unlawfully harvesting or sharing data, and loss of consumer trust becomes imminent.
The reputational fallout of non-compliance can be swift and brutal. Consumers today are savvier about their digital rights and quicker to act when those rights are violated. Negative media coverage, public shaming on social media, and regulatory investigations can combine to create a narrative of incompetence or indifference, which can lead to tangible losses in brand value.
In industries like finance, where relationships are built on credibility and trust, even a single compliance failure can prompt customers to close accounts, move to competitors, or file complaints with regulators.
Financial risk: Fines and legal exposure
Non-compliance with data protection regulations can also come with real financial penalties. Under GDPR, regulators can fine organizations up to 20 million EUR or 4% of their annual global turnover, whichever is greater. For large financial institutions, this could translate into tens or even hundreds of millions of euros in liability.
Fines are not the only possible penalty. Legal costs, compensation claims, and mandatory audits add to the possible financial and operational costs. In worst-case scenarios, repeat offenses or blatant negligence could result in criminal proceedings or long-term operational restrictions.
Moreover, regulators are becoming increasingly proactive. In the UK and across the EU, data protection watchdogs are ramping up their surveillance of the financial services sector.
Why compliance is often overlooked
Many financial services brands find themselves in violation of privacy laws not because they intentionally engage in wrongdoing, but because the data privacy landscape is complex and frequently changing. Slow-moving and heavily regulated industries can have greater difficulty adapting to rapid technological and legal changes, especially when those changes fall outside the scope of their day-to-day business. Outdated digital practices, legacy technology systems, and even a lack of awareness or of clearly delegated responsibility within the organization all contribute. For example, wildly outdated, GDPR-violating practices such as plugins or analytics tools that set cookies or access local storage by default might still be in use. Unless the organization regularly audits its website infrastructure and data flows, such infractions can go unnoticed for years. While most financial institutions’ practices are unlikely to be that outdated, compliance is nuanced and multifaceted, requiring a level of vigilance that most companies across industries struggle to implement.
Another key challenge is the implementation of consent management platforms (CMPs). These tools allow users to accept or reject cookies and other forms of data collection, ensuring compliance with GDPR and similar regulatory frameworks in other jurisdictions. However, integrating CMPs across complex digital ecosystems—especially in firms with legacy systems—is no small feat. It requires coordinated efforts from legal, compliance, IT, and marketing teams, as well as ongoing monitoring and updates.
Digital transformation must include data ethics
The push for digital transformation in financial services has moved front and center and accelerated in recent years. The innovations financial firms are attempting to introduce, such as AI, omnichannel service delivery and advanced analytics, rely heavily on access to customer data. Balancing that demand for data with the regulations governing its collection and processing requires that the foundations for digital transformation be solid. Ignoring user consent and blindly collecting and using personal data will end up creating a faulty foundation to build on.
Digital trust starts with transparency, accountability, and consent
Financial brands must adopt a proactive, transparent, consent-forward approach to data privacy in order to build digital trust. This involves:
- Conducting full compliance audits of websites, apps, and data handling practices.
- Implementing robust consent management platforms and ensuring they are configured correctly and collecting consent preferences.
- Reviewing third-party integrations (such as Google Analytics and advertising plugins) to ensure they don’t bypass consent protocols.
- Educating internal teams about GDPR requirements and individual responsibility.
- Embedding privacy-by-design principles into every new digital product or service.
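The consent-gating and audit steps above, as an added example that is not part of the original post, CookieHub's product, or the 7DOTS testing tool: a default-deny gate that keeps analytics and advertising tags from loading until the user opts in, plus a helper that flags cookies present before any consent was given. The `ConsentGate` and `auditPreConsentCookies` names, the essential-cookie allowlist, the tag URLs and the sample cookie string are all constructed for this illustration.

```javascript
// Constructed allowlist: cookies strictly necessary to serve the site (no consent needed).
const ESSENTIAL = new Set(['__Host-session', 'csrf_token']);

class ConsentGate {
  constructor(loadScript) {
    this.loadScript = loadScript;   // injected so the gate can run outside a browser
    this.granted = new Set();       // default: nothing granted (GDPR requires opt-in)
    this.pending = [];              // third-party tags waiting for consent
  }
  // Register a tag under a purpose; it is NOT loaded until that purpose is granted.
  register(purpose, url) { this.pending.push({ purpose, url }); }
  // Called by the banner only after an explicit, freely given user choice.
  grant(purposes) {
    purposes.forEach(p => this.granted.add(p));
    const stillPending = [];
    for (const tag of this.pending) {
      if (this.granted.has(tag.purpose)) this.loadScript(tag.url);
      else stillPending.push(tag);    // e.g. advertising stays blocked
    }
    this.pending = stillPending;
  }
  isAllowed(purpose) { return this.granted.has(purpose); }
}

// Parse a document.cookie-style string and return every cookie name that is not on the
// essential allowlist. Run before the banner has recorded any choice, this list should be
// empty; anything in it was set without consent.
function auditPreConsentCookies(cookieString, essential = ESSENTIAL) {
  return cookieString.split(';')
    .map(s => s.trim()).filter(Boolean)
    .map(s => s.split('=')[0])
    .filter(name => !essential.has(name));
}

// Stand-alone demonstration with a fake script loader and constructed inputs.
function demo() {
  const loaded = [];
  const gate = new ConsentGate(url => loaded.push(url));
  gate.register('analytics', 'https://example.invalid/analytics.js');     // placeholder
  gate.register('advertising', 'https://example.invalid/ads.js');         // placeholder
  const loadedBeforeConsent = loaded.length;   // 0: nothing ran on page load
  gate.grant(['analytics']);                   // user opted in to analytics only
  // Constructed pre-consent cookie jar from a site that sets an analytics cookie by default.
  const offenders = auditPreConsentCookies('__Host-session=abc; _ga=GA1.2.1; csrf_token=x');
  return { loadedBeforeConsent, loaded: [...loaded], offenders };
}
```

Feeding the gate to the banner's accept/reject handlers and running the audit on a fresh session is the check that catches the "cookies set before consent" failure the 7DOTS study found.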
Ultimately, financial brands must recognize that regulatory compliance is not a box-ticking exercise—it’s a trust-building strategy. Consumers are watching. Regulators are watching. The media is watching.
Legal oversight – business risk
The financial services sector can no longer afford to conflate financial regulation with data protection. As trust continues to decline and regulatory scrutiny increases, non-compliance with data privacy laws is not just a legal oversight—it’s a potentially expensive and even business-ending risk.