Financial Conduct Authority (FCA) and Information Security

What does it mean if you are regulated and fail to follow the guidelines?

Getting formal guidance from the FCA is sometimes a bit tricky; however, IP Sentinel have had experience of dealing with the Financial Regulator over several years. As information security is becoming ever more important as part of corporate responsibility, this post aims to bring together all the relevant guidance in one place.

In April 2008 the FSA released “Data Security in Financial Services”.

This document is still the in-force set of recommendations from the regulator, so it bears a little analysis.

It made it clear that the FSA considers that ‘[t]he safekeeping of customer data is a crucial responsibility for firms’. This falls under Principle 2 (‘a firm must conduct its business with due skill, care and diligence’) and Principle 3 (‘a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems’).

It also falls under the SYSC handbook: SYSC 3.2.6R (‘a firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime’) and SYSC 3.2.6A (firms’ relevant systems and controls must be ‘comprehensive and proportionate to the nature, scale and complexity of their operations’).

Finally, ‘[t]he secure handling of customer data is also part of the ‘Treating Customers Fairly’ standard that all firms must adhere to’, directly summarised as ‘Consumers are entitled to rely on firms to ensure their personal information is secure.’

The report does not constitute formal guidance; however, there are three clear instructions to firms:

  1. ‘firms should take a proportionate, risk-based approach to data security, taking into account their customer base, business and risk profile. Failure to do so may result in us taking enforcement action.’
  2. ‘We may take enforcement action against firms that fail to encrypt customer data offsite’
  3. ‘we will be issuing guidance to supervisors to ensure data security is reviewed as part of normal supervision. If firms fail to take account of this report and continue to demonstrate poor data security practice, we may refer them to Enforcement.’

In March 2013 the FCA published the “FCA Risk Outlook 2013”.

This document set out the FCA’s stall on market risk and how it planned to approach the identified themes.

In the Environmental conditions section they said the following:

  • “we will seek to ensure that firms consider the risks associated with technological advances and do all they can to ensure business continuity and consumer protection.”
  • “…can be subject to cyber-attacks through network intrusions, which could lead to systems failures … or breach or theft of personal information. Reliance on technology-based infrastructures can also leave firms exposed to risk management weaknesses from systems used outside financial markets…”

The FCA followed this up in April 2013 with “Financial Crime: a guide for firms”.

As with all non-core publications, the FCA include the following disclaimer: ‘The Guide contains ‘general guidance’ as defined in section 158 of the Financial Services and Markets Act 2000 (FSMA). The guidance is not binding and we will not presume that a firm’s departure from our guidance indicates that it has breached our rules.’ This is slightly misleading, as any compliance consultant will tell you. If the FCA have suggested good and bad practice and you have not taken heed of it, then you will be on the wrong side of any investigation.

It is in two parts:

Part 1: A firm’s guide to preventing financial crime

Provides guidance on financial crime systems and controls, both generally and in relation to specific risks such as money laundering, bribery and corruption and fraud.  Section 5 covers Data Security and applies to all regulated firms.

Part 2: Financial crime thematic reviews

Provides summaries of, and links to, FSA thematic reviews of various financial crime risks and sets out the full examples of good and poor practice that were included with the reviews’ findings. Chapter 6 summarises the findings of the FSA’s thematic review “Data Security in Financial Services”.


If you would like to discuss this in more depth and work out whether your firm is compliant with the Regulator’s guidelines, please give James Hogbin a call on 01825 701870.
