Regulator – Financial Conduct Authority

Data protection and cyber security have been a regulatory theme since 2003.

What it means to you – Enforcement Action

In April 2008 the FSA (the FCA’s predecessor) published ‘Data Security in Financial Services’.

This document is still the regulator’s in-force set of recommendations, so it bears a little analysis.

It made clear that the FSA considers that ‘[t]he safekeeping of customer data is a crucial responsibility for firms’, and it anchored that responsibility in Principle 2 (‘a firm must conduct its business with due skill, care and diligence’) and Principle 3 (‘a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems’).

It also relied on the SYSC sourcebook: SYSC 3.2.6R (‘a firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime’) and SYSC 3.2.6A (firms’ relevant systems and controls must be ‘comprehensive and proportionate to the nature, scale and complexity of their operations’).

Finally, ‘[t]he secure handling of customer data is also part of the ‘Treating Customers Fairly’ standard that all firms must adhere to.’

The report summarises this directly: ‘Consumers are entitled to rely on firms to ensure their personal information is secure.’

The report does not constitute formal guidance; however, it contains three clear instructions to firms.

‘firms should take a proportionate, risk-based approach to data security, taking into account their customer base, business and risk profile. Failure to do so may result in us taking enforcement action.’

‘We may take enforcement action against firms that fail to encrypt customer data offsite’

‘we will be issuing guidance to supervisors to ensure data security is reviewed as part of normal supervision. If firms fail to take account of this report and continue to demonstrate poor data security practice, we may refer them to Enforcement.’

In March 2013 the FCA published the “FCA Risk Outlook 2013”.

This document set out the FCA’s stall on the risks it saw in the market and how it planned to approach the identified themes.

In the ‘Environmental conditions’ section it said the following:

“we will seek to ensure that firms consider the risks associated with technological advances and do all they can to ensure business continuity and consumer protection.”

“…can be subject to cyber-attacks through network intrusions, which could lead to systems failures … or breach or theft of personal information. Reliance on technology-based infrastructures can also leave firms exposed to risk management weaknesses from systems used outside financial markets…”

It followed this up in April 2013 with ‘Financial Crime: a guide for firms’.

As with all non-core publications, the FCA includes the following disclaimer: ‘The Guide contains ‘general guidance’ as defined in section 158 of the Financial Services and Markets Act 2000 (FSMA). The guidance is not binding and we will not presume that a firm’s departure from our guidance indicates that it has breached our rules.’  This is slightly misleading, as any compliance consultant will tell you: if the FCA has set out good and poor practice and you have not taken heed of it, you will be on the wrong side of any investigation.

It is in two parts:

Part 1: A firm’s guide to preventing financial crime

Provides guidance on financial crime systems and controls, both generally and in relation to specific risks such as money laundering, bribery and corruption and fraud.  Section 5 covers Data Security and applies to all regulated firms.

Part 2: Financial crime thematic reviews

Provides summaries of, and links to, FSA thematic reviews of various financial crime risks and sets out the full examples of good and poor practice that were included with the reviews’ findings.  Chapter 6 summarises the findings of the FSA’s thematic review ‘Data Security in Financial Services’.

From all of this we know the questions the FCA will ask as part of an assessment:

Governance

Firms should be alert to the financial crime risks associated with holding customer data and have written data security policies and procedures which are proportionate, accurate, up to date and relevant to the day-to-day work of staff.

Self-assessment questions:

  • How is responsibility for data security apportioned?
  • Has the firm ever lost customer data? If so,
    • what remedial actions did it take?
    • did it contact customers?
    • did it review its systems?
  • How does the firm monitor that suppliers of outsourced services treat customer data appropriately?
  • Are data security standards set in outsourcing agreements, with suppliers’ performance subject to monitoring?

Controls

Firms should put in place systems and controls to minimise the risk that their operation and information assets might be exploited by thieves and fraudsters. Internal procedures such as IT controls and physical security measures should be designed to protect against unauthorised access to customer data.

The FCA supports the Information Commissioner’s position that it is not appropriate for customer data to be taken off-site on laptops or other portable devices which are not encrypted.

Self-assessment questions:

  • Is your firm’s customer data taken off-site
    • by staff (sales people, those working from home)
    • or third parties (suppliers, consultants, IT contractors etc)?
  • If so, what levels of security exist? For example:
    • Does the firm require automatic encryption of laptops that leave the premises
    • or measures to ensure no sensitive data is taken off-site?
  • If customer data is transferred electronically, does the firm use secure internet links?
  • How does the firm keep track of its digital assets?
  • How does it dispose of documents, computers, and imaging equipment such as photocopiers that retain records of copies?
    • Are accredited suppliers used to, for example, destroy documents and hard disks?
    • How does the firm satisfy itself that data is disposed of competently?
  • How are access to the premises and sensitive areas of the business controlled?
  • When are staff access rights reviewed? (It is good practice to review them at least on recruitment, when staff change roles, and when they leave the firm.)
  • Is there enhanced vetting of staff with access to lots of data?
  • How are staff made aware of data security risks?
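The access-rights questions above (review at recruitment, on role change and on leaving, plus the expectation that no one holds data they no longer need) are the kind of thing a firm can check mechanically rather than by interview. The following is an added example, not code from the FCA guide or the thematic review: it reconciles a constructed HR roster against a constructed list of accounts and reports leavers whose accounts are still enabled, users holding entitlements beyond an assumed role baseline (the mover case), and enabled accounts with no HR owner. The role-to-entitlement table, the user names and the dates are all invented for illustration.

```python
"""Joiner / mover / leaver reconciliation of account entitlements.

Added illustration, not from the FCA guide. Compares an HR roster with the
accounts that actually exist and reports the three review points the guide
names: leavers (account still enabled after the leave date), movers (rights
left over from a previous role) and orphans (accounts with no HR owner).
All data and the role baseline below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical role-to-entitlement baseline (assumed, not from the guide).
ROLE_ENTITLEMENTS = {
    "adviser": {"crm_read", "crm_write"},
    "ops": {"crm_read", "payments"},
    "it": {"crm_read", "admin"},
}


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    start: date
    leave: Optional[date] = None  # None means still employed


@dataclass(frozen=True)
class Account:
    user: str
    entitlements: frozenset
    enabled: bool = True


def review_access(hr: List[HrRecord], accounts: List[Account],
                  today: date) -> Dict[str, List[str]]:
    """Return findings keyed by review type; an empty list means clean."""
    findings: Dict[str, List[str]] = {"leaver": [], "excess_rights": [], "orphan": []}
    hr_by_user = {r.user: r for r in hr}
    acct_by_user = {a.user: a for a in accounts}

    for user, rec in hr_by_user.items():
        acct = acct_by_user.get(user)
        # Leaver: leave date has passed but the account is still usable.
        if rec.leave is not None and rec.leave <= today:
            if acct is not None and acct.enabled:
                findings["leaver"].append(
                    f"{user}: left {rec.leave}, account still enabled")
            continue
        if acct is None:
            continue  # no account to review for this person
        # Joiner/mover: anything beyond the baseline for the current role.
        excess = set(acct.entitlements) - ROLE_ENTITLEMENTS.get(rec.role, set())
        if excess:
            findings["excess_rights"].append(
                f"{user}: role {rec.role} but holds {sorted(excess)}")

    # Orphan: an enabled account nobody in HR is accountable for.
    for user, acct in acct_by_user.items():
        if user not in hr_by_user and acct.enabled:
            findings["orphan"].append(f"{user}: enabled account with no HR record")
    return findings


def sample_review() -> Dict[str, List[str]]:
    """Run the reconciliation over constructed sample data."""
    hr = [
        HrRecord("alice", "adviser", date(2012, 1, 9)),
        # bob moved from IT to adviser but kept his admin entitlement
        HrRecord("bob", "adviser", date(2011, 3, 1)),
        # carol left two weeks before the review date
        HrRecord("carol", "ops", date(2010, 6, 14), leave=date(2013, 3, 29)),
    ]
    accounts = [
        Account("alice", frozenset({"crm_read", "crm_write"})),
        Account("bob", frozenset({"crm_read", "crm_write", "admin"})),
        Account("carol", frozenset({"crm_read", "payments"})),
        Account("svc_backup", frozenset({"admin"})),  # no HR owner
    ]
    return review_access(hr, accounts, today=date(2013, 4, 15))


if __name__ == "__main__":
    for kind, items in sample_review().items():
        for item in items:
            print(f"[{kind}] {item}")
```

Running it lists carol as a leaver, bob as holding ‘admin’ beyond the adviser baseline, and svc_backup as an orphan; alice produces no finding. In practice the HR roster and the account list would be exported from the HR system and the directory, and the output would be what is presented to whoever is accountable for data security at the firm.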

We also know what they consider to be good and poor (read: unacceptable) practice in a wide range of areas:

  • Governance
  • Training and awareness
  • Staff recruitment and vetting
  • Controls – access rights
  • Controls – passwords and user accounts
  • Controls – monitoring access to customer data
  • Controls – data back-up
  • Controls – access to the internet and email
  • Controls – key-logging devices
  • Controls – laptops
  • Controls – portable media including USB devices and CDs
  • Physical security
  • Disposal of customer data
  • Managing third party suppliers
  • Internal audit and compliance monitoring

As well as:

  • Records
  • Responsibilities and risk assessments
  • Access to systems
  • Outsourcing
  • Physical controls
  • Data disposal
  • Data compromise incidents

Which is pretty comprehensive.