Regulatory Considerations relating to Personal Data

Regulatory Considerations relating to Personal Data

Jake Ghanty

20 years: Financial technology law

In this video of the series, Jake covers the role of regulators in relation to data. He explains the responsibilities of the Financial Conduct Authority (FCA), the relevant EBA Guidelines and the significance of data in relation to Open Banking and Payment Services Regulations (PSRs).

In this video of the series, Jake covers the role of regulators in relation to data. He explains the responsibilities of the Financial Conduct Authority (FCA), the relevant EBA Guidelines and the significance of data in relation to Open Banking and Payment Services Regulations (PSRs).

Speak to an expert

Speak to an expert today to access this and all of the content on our platform.

Regulatory Considerations relating to Personal Data

9 mins 23 secs

Overview

This essentially covers the role of financial regulators in relation to data. In the FCA handbook and under the EBA guidelines, there are a wide range of principles and requirements that ensure firms effectively manage, use and secure the use of customer data.

Key learning objectives:

  • Understand the relevance of the FCA principles in relation to data

  • Understand the key record-keeping and other practical requirements in relation to data

  • Outline the significance of data in relation to Open Banking and PSRs

Speak to an expert

Speak to an expert today to access this and all of the content on our platform.

Summary

Are the FCA and the PRA data regulators?

The FCA and the PRA are not data protection regulators in the same way as the UK Information Commissioner, whose remit is the protection of personal data. The FCA and PRA have a much broader remit. The FCA focuses on particular issues in relation to data.

Does the FCA keep information shared with it confidential?

Under section 348 of the Financial Services and Markets Act 2000, the FCA is under a duty, subject to certain exceptions, not to disclose confidential information shared with it.

What is the relevance of the FCA principles in relation to data?

  • Principle 2 - Requires firms to conduct their business with due skill, care and diligence. As regards data, this requires firms, for example, to deal with data in a way that keeps it secure
  • Principle 3 - Requires firms to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems. This ensures firms have systems and controls in place to minimise the loss of data
  • Principle 11 - The FCA has reminded firms of the need to make a notification under Principle 11 of its principles for business, which covers the duty to be open and cooperative with the regulators where firms have been subject to a material cyber incident

Why should firms be concerned about the FCA principles?

The FCA’s principles, although high-level in nature, are in fact rules. This means that where the FCA finds a firm to have breached its principles, it can bring disciplinary action.

What are the key record-keeping and other practical requirements in relation to data?

  • Requirements include making and retaining adequate records of all services and transactions and keeping them in an orderly way to enable effective monitoring of compliance by the FCA
  • SYSC 4.1.1R requires firms to have robust governance arrangements, including effective systems and controls and safeguarding arrangements for information processing systems.

What specific safeguards must firms have in place?

  • Sound security mechanisms
  • Maintain confidentiality of data at all times
  • Guarantee the security and authentication of the means of transfer of information
  • Minimise the risk of data corruption and unauthorised access
  • Prevent information leaking

What are the relevant EBA guidelines that specifically address data?

  1. Firms should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis
  2. Firms should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the firm

What is the significance of data in relation to Open Banking and PSRs?

  1. Open Banking
    • A quasi-regulatory or competition law initiative that essentially requires major banks to allow third party processors (TTPs) to access customer bank transaction data to provide innovative types of payment service. TTPs, with the customer’s consent, can pull data from their payment accounts and present that information to the customer or to another person in accordance with the customers instructions.
  2. PSRs
    • An example of how PSRs govern use of data is contained in regulation 97. A payment service provider must not access, process or retain any personal data for the provision of payment services by it, unless it has explicit consistent of the payment service user to do so.

What is an example of a breach in regulation resulting in FCA involvement?

There have been a number of high profile regulatory decisions. For example:

  • Cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations team to carry out an attack. This netted the cyber attackers £2.26 million.
  • The FCA found that Tesco Bank had breached Principle 2 as it failed to exercise due skill, care and diligence to the design and distribution of its debit card, configure specific authentication and fraud detection rules, or to take appropriate action to prevent the risk of fraud.
  • The Nationwide Building Society case related to the theft of an employee’s laptop containing customer information.

Speak to an expert

Speak to an expert today to access this and all of the content on our platform.

Jake Ghanty

Jake Ghanty

Jake is a partner at Kemp Little where he heads the Financial Regulation practice, which is part of the Commercial Technology department. Jake's focus is on helping clients navigate the requirements of UK and European regulators.

There are no available videos from "Jake Ghanty"