Here's a prediction that will age well: within 18 months, the financial services firms that treated the death of third-party cookies as a box-ticking exercise will be scrambling to build the data foundations their competitors quietly assembled while everyone else was fussing over consent banners.
I know that sounds dramatic. But I've watched this exact pattern play out before - with mobile, with cloud, with GDPR itself. A regulatory or technology shift arrives. Most firms do the minimum to stay compliant. A handful see the structural opportunity underneath the disruption and invest accordingly. By the time everyone else catches up, the gap is meaningful and closing it is expensive.
The data tracking changes hitting financial services right now - cookie deprecation, cross-device tracking limitations, tightened consent requirements - feel like a compliance headache. For most firms, that's exactly how they're being managed. We've updated the cookie banner. Legal signed off. Can we move on?
You can. But you'd be missing something significant.
Let me be specific about what's actually changed, because the detail matters more than the headlines.
Google's Chrome browser - roughly 65% of web traffic - has been on a long, messy journey towards deprecating third-party cookies. Safari and Firefox already block them by default. The practical effect is that the infrastructure most financial services firms relied on for audience targeting, attribution, and behavioural tracking is either gone or going. Cross-device tracking - following a prospect from their phone research to their desktop enquiry - has become significantly harder without explicit consent. And the ICO in the UK, plus various state-level privacy frameworks in the US, have tightened enforcement around what constitutes meaningful consent.
For a wealth management firm or a mid-tier bank, this creates a few concrete problems. Your marketing team can no longer rely on third-party audience segments for programmatic advertising with any real precision. Your attribution models - the ones that tell you which channels are actually driving enquiries - are increasingly full of gaps. And the behavioural data you used to get essentially for free, from tracking scripts and third-party pixels, is drying up.
But here's the thing that doesn't get said enough: for regulated financial services, the old approach was always a bit dodgy anyway.
Earlier this year I was doing a martech audit for a mid-sized wealth management firm. Standard stuff - nothing dramatic. At some point I asked a pretty simple question: "Where does the data that feeds your audience targeting actually come from?"
There was a pause. Longer than I expected, honestly. Then a slightly uncomfortable admission that most of it came from third-party data brokers and platform-native audiences, and nobody had ever really interrogated the provenance of that data. I remember thinking: this is a firm regulated by the FCA. A firm whose compliance team would lose sleep over an improperly documented client communication. And yet the data underpinning their digital marketing was, essentially, a black box. Nobody knew exactly how those third-party audiences were constructed, what consent had been obtained, or whether any of it met the standards the firm applied to literally everything else it touched.
I'm not pointing fingers - this was the industry norm. Third-party data was cheap, convenient, and "everyone else was using it." But in a sector where data governance isn't optional, relying on data you can't audit was always a risk someone chose not to think about.
The tracking changes haven't created a new problem. They've exposed an existing one. And that reframing matters, because it shifts the conversation from "how do we replace what we've lost" to "how do we build something that actually works for a regulated business."
When people talk about the shift to first-party data, it often sounds like settling. Like you're giving up the precision of third-party tracking and making do with whatever scraps you can collect directly.
That framing is wrong.
First-party data - the information your clients and prospects give you directly, through interactions with your platforms, your content, your advisers, and your services - is categorically better than what you had before. More accurate. Auditable. Collected with clear consent. And in financial services specifically, it connects to something you already have that most industries would kill for: deep, long-duration client relationships.
Think about what a wealth management firm actually knows about its clients. Risk appetite. Life stage. Family circumstances. Investment history. Communication preferences. The duration and frequency of adviser interactions. This is extraordinarily rich data. The problem isn't that you don't have it - it's that it's scattered across a CRM that hasn't been properly maintained since it was implemented, a portfolio management system that doesn't talk to anything else, an email platform running on its own, and a website analytics setup that's tracking pageviews but not connecting them to actual client journeys.
The opportunity isn't to collect more data. It's to connect what you already have.
I want to be practical here, because "build a first-party data strategy" can sound like one of those consultant phrases that means everything and nothing simultaneously.
For a financial services firm - let's say a wealth management business with around 2,000 clients and a prospect pipeline they'd like to grow - there are four things that actually need to happen.
The first is consent architecture. Not just a cookie banner. A proper consent framework that captures, stores, and respects preferences across every touchpoint - website, email, client portal, events, adviser interactions. Granular enough that a client can say yes to portfolio insights but no to marketing emails, and that preference needs to follow them everywhere. If your client portal runs on one system and your marketing on another and they don't share consent records, you've got a compliance gap that's only going to get more expensive to fix.
The second is data unification - getting client and prospect data out of silos and into a single, reliable view. This doesn't necessarily mean a Customer Data Platform, though for larger firms that's worth evaluating. For most mid-market firms, it means properly integrating the CRM with the website analytics, the email platform, and the client portal. The goal is simple: when a prospect reads three articles on your site, downloads a guide, and then calls an adviser, everyone in that chain should know what happened before the call.
Third is progressive profiling. Instead of asking for everything upfront (the 14-field form that nobody completes), you build understanding over time. First visit: they read an article and you learn their interest area. Second visit: they download a guide and you learn their role and firm size. Third visit: they complete a short assessment and you learn their specific challenge. Each interaction adds to the picture, and each layer is collected with consent.
And the fourth - the one most firms get wrong - is value exchange. You can't just ask for data. You have to give something worth having in return. In financial services, you're sitting on expertise that prospects genuinely want: market insights, regulatory updates, planning tools, benchmarking assessments. The firms that create genuinely useful content and tools behind a light registration gate build their first-party data assets much faster than those relying on "sign up for our newsletter" as their primary collection mechanism.
We've built these architectures for several financial services clients now. The pattern is consistent: firms that invest in getting this right see a meaningful step-change in lead quality within six months. Not just more data, but more useful data - the kind that actually helps an adviser prepare for a first conversation rather than going in blind.
Everything I've described so far sounds like good data hygiene. Important, yes. But it's not exactly going to set pulses racing in a board meeting.
So let me connect the dots to something that will.
The data foundation you build in response to tracking changes is, almost exactly, the data foundation that AI requires to be operationally useful. This isn't a coincidence - it's the same underlying requirement. AI models, whether you're talking about personalisation engines, predictive analytics, intelligent document processing, or agentic workflows, need structured, consented, connected data to function. Feed them fragmented, poorly governed data from disconnected systems and you get garbage outputs with compliance risk attached.
I've written about AI readiness separately, but the short version is this: most financial services firms that think they're "not ready for AI" are actually saying they don't trust their data. And they're right not to trust it. Gartner puts poor data quality costs at around $15m annually for the average organisation - and for a regulated firm, the cost includes not just inefficiency but regulatory exposure.
The consent architecture you're building for tracking compliance? That's your AI governance foundation. The data unification work that connects your CRM to your website to your client portal? That's the integration layer your AI tools will need. The progressive profiling that builds richer prospect understanding over time? That's training data for personalisation and predictive models.
You're not doing two separate things. You're doing one thing that serves two purposes.
Say you're a mid-tier wealth management firm. You've done the work: consent is properly managed, your CRM and website are integrated, prospect behaviour is being tracked with consent and connected to known profiles.
Without AI, that data is already more useful than what you had before. Your advisers know which prospects are engaged and what they're interested in before they pick up the phone. Your marketing team can segment and target based on actual behaviour rather than purchased audience lists. Your compliance team can audit exactly what data you hold and how consent was obtained.
Now add AI to that foundation. A recommendation engine surfaces the right content to the right prospect at the right moment - not based on crude demographic segments, but on observed behaviour patterns across your own data. An intelligent triage system routes inbound enquiries to the right adviser based on the prospect's demonstrated interests and complexity level. A predictive model flags existing clients whose engagement patterns suggest they might be considering a move, giving you a three-month head start on retention.
None of that works without the data foundation. All of it becomes possible once you have it.
We worked with a financial services firm recently - can't name them, but the pattern is worth sharing - where what started as a compliance-driven data consolidation project ended up becoming the backbone of their AI strategy. The CTO told me afterwards: "We thought we were fixing a compliance problem. Turns out we were building the thing we'd been trying to justify budget for separately."
That quote has stuck with me. It captures exactly what most firms are walking past right now.
Right now, most financial services firms are treating data tracking changes as a compliance exercise. Updated the cookie banner, checked the box, moved on. A smaller number are building proper first-party data strategies. An even smaller number are connecting that work to their AI readiness.
That creates a window. If you're in the second or third group, you're building an advantage that compounds. First-party data gets richer with every interaction. AI models improve with more data. The firm that starts now will have 18 months of behavioural data and model training by the time the laggards kick off their "AI strategy" project.
And in regulated financial services specifically, the advantage is sticky. You can't shortcut data governance. You can't backfill consent. You can't retrospectively connect systems that should have been integrated from the start. The work has to be done properly, and doing it properly takes time. Early movers don't just get a head start - they get a head start that's genuinely hard to close.
We're handling cookie consent and that's enough. This is a compliance issue, not a strategic one.
I understand the impulse. There's always something more pressing - a regulatory deadline, a client issue, a board paper that needs writing. Data tracking changes don't feel urgent in the way that, say, a cybersecurity incident does. But the firms I work with that are furthest ahead on AI readiness didn't get there by running a separate AI initiative. They got there by making smart decisions about data infrastructure when a forcing function - like tracking changes - gave them the excuse to invest.
If you're a marketing or technology leader at a financial services firm, here's what I'd suggest.
First, audit what you're actually collecting and where it lives. Not what you think you're collecting - what's actually happening. Which systems hold client and prospect data? Are they connected? Is consent being captured and stored consistently? We've done these audits for firms that expected to find three or four data sources and actually uncovered eleven, several of which nobody in the current team had set up or fully understood. That's not unusual. It's just uncomfortable to discover.
Second, map the gaps between where you are and where you'd need to be for AI to work. This doesn't require an AI strategy - it requires an honest assessment of data quality, connectivity, and governance. Our AI Readiness scorecard is a good place to start if you want a structured way to benchmark yourself.
Third, stop treating compliance and AI as separate budget lines. The next time you're building the case for a consent management platform or a CRM integration project, frame it as infrastructure that serves both purposes. The ROI changes significantly when the same investment supports compliance requirements and future AI capability.
There's a companion piece in Section 4 of The Briefing Room that covers how to build the business case for this kind of investment and get it past a board that's sceptical about spending on "infrastructure." Worth reading if the challenge isn't knowing what to do but getting approval to do it.