Financial services firms, privacy and third parties—issues to consider
Produced in partnership with Stephen Bonner of KPMG

The following Financial Services guidance note, produced in partnership with Stephen Bonner of KPMG, provides comprehensive and up-to-date legal information covering:

  • Financial services firms, privacy and third parties—issues to consider
  • Why is data protection of relevance?
  • Process development
  • Conduct reviews
  • Reporting and remediation
  • Most common risks found
  • A final thought

Why is data protection of relevance?

Appropriate use and handling of personal data is very much at the heart of the objectives of the Financial Conduct Authority (FCA)—to ensure that financial markets function well and that consumers are protected. This theme was reinforced in the October 2012 paper Journey to the FCA. Page 27 outlines the FCA's Firm Systematic Framework (FSF). The FCA assesses a firm's conduct risk by looking at various areas of a firm, such as its business model and strategy (eg use of outsourcing and offshoring for cost savings, centralisation of administration etc) and how the firm embeds fair treatment of customers (eg through transaction processes, product design and after-sales service). This involves consideration of the firm's approach to systems and controls in general, thereby bringing the firm's approach to information security within the FCA's remit. Much of the guidance provided by the Financial Services Authority (FSA) remains of value.

From a prudential point of view, the Prudential Regulation Authority (PRA) will need to know financial institutions are on top of risks arising from information security requirements, and that their safety and soundness is not at risk (eg where this links into a systemic financial crime risk). The Memorandum of Understanding between the FCA and the PRA sets out how the PRA and FCA should coordinate. For example, the PRA is