Regulatory Considerations Relating to Personal Data

Are the FCA and the PRA data regulators?

The FCA and the PRA are not data protection regulators in the same way as the UK Information Commissioner, whose remit is the protection of personal data. The FCA and PRA have a much broader remit. The FCA focuses on particular issues in relation to data.

Does the FCA keep information shared with it confidential?

Under section 348 of the Financial Services and Markets Act 2000, the FCA is under a duty, subject to certain exceptions, not to disclose confidential information shared with it.

What is the relevance of the FCA principles in relation to data?

• Principle 2 - Requires firms to conduct their business with due skill, care and diligence. As regards data, this requires firms, for example, to deal with data in a way that keeps it secure
• Principle 3 - Requires firms to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems. This ensures firms have systems and controls in place to minimise the loss of data
• Principle 11 - The FCA has reminded firms of the need to make a notification under Principle 11 of its principles for business, which covers the duty to be open and cooperative with the regulators where firms have been subject to a material cyber incident

Why should firms be concerned about the FCA principles?

The FCA’s principles, although high-level in nature, are in fact rules. This means that where the FCA finds a firm to have breached its principles, it can bring disciplinary action.

What are the key record-keeping and other practical requirements in relation to data?

• Requirements include making and retaining adequate records of all services and transactions and keeping them in an orderly way to enable effective monitoring of compliance by the FCA
• SYSC 4.1.1R requires firms to have robust governance arrangements, including effective systems and controls and safeguarding arrangements for information processing systems.

What specific safeguards must firms have in place?

• Sound security mechanisms
• Maintain confidentiality of data at all times
• Guarantee the security and authentication of the means of transfer of information
• Minimise the risk of data corruption and unauthorised access
• Prevent information leaking

What are the relevant EBA guidelines that specifically address data?

1. Firms should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis
2. Firms should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the firm

What is the significance of data in relation to Open Banking and PSRs?

1. Open Banking
   • A quasi-regulatory or competition law initiative that essentially requires major banks to allow third party processors (TTPs) to access customer bank transaction data to provide innovative types of payment service. TTPs, with the customer’s consent, can pull data from their payment accounts and present that information to the customer or to another person in accordance with the customers instructions.
2. PSRs
   • An example of how PSRs govern use of data is contained in regulation 97. A payment service provider must not access, process or retain any personal data for the provision of payment services by it, unless it has explicit consistent of the payment service user to do so.

What is an example of a breach in regulation resulting in FCA involvement?

There have been a number of high profile regulatory decisions. For example:

• Cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations team to carry out an attack. This netted the cyber attackers £2.26 million.
• The FCA found that Tesco Bank had breached Principle 2 as it failed to exercise due skill, care and diligence to the design and distribution of its debit card, configure specific authentication and fraud detection rules, or to take appropriate action to prevent the risk of fraud.
• The Nationwide Building Society case related to the theft of an employee’s laptop containing customer information.