In this increasingly data-driven world, the protection of personal information and the maintenance of robust financial regulation are paramount. In the United Kingdom, the collaboration between the FCA and the Information Commissioner’s Office (ICO) plays a pivotal role in safeguarding both consumer data privacy and financial market integrity. Through their joint efforts, these regulatory bodies are working together to address the evolving challenges posed by the digital age and respond appropriately to their regulated organisation who get it wrong.
The FCA is the UK’s key regulator in the financial services sector, regulating the conduct of over 50,000 financial services firms in the UK to ensure that our financial markets are honest, competitive and fair. The FCA regulates a wide range of financial institutions, including banks, insurers, investment firms, asset managers and people.
The ICO is the UK’s independent regulator for information rights, responsible for the monitoring and enforcement of UK data protection laws, including UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR, and together, UK DP Law). The ICO’s enforcement powers include issuing fines, enforcing audits, prosecuting criminal offences, and perhaps most critical of all for many businesses: issuing stop orders where data processing must cease.
Collaboration so far
On 19 February 2019, the FCA and ICO entered into a Memorandum of Understanding; their framework for cooperation and coordination that identifies the complementary functions and powers of the two regulatory bodies, calls for greater cooperation in reviews and provides a legal base for greater information sharing. What’s more, the two bodies have also agreed to joint innovation initiatives, a protocol for major incidents and to coordinate enforcement announcements by providing one another with notice.
In April 2021, the FCA joined the Digital Regulation Cooperation Forum (DRCF), where it previously participated as an observing member. The DRCF was formed in July 2020 and now consists of the ICO, FCA, the Competition and Markets Authority, and the Office of Communications. This forum was set up in response to the challenge of regulating online platforms and represents further cooperation between central UK regulators. By way of example, John Edwards, Information Commissioner and chair of the DRFC, has recently announced plans for closer work between the ICO and FCA on digital assets, in understanding the consumer experience involved and the distributed ledger technology that underpins them.
Greater cooperation
The financial services market relies heavily on the use and exchange of personal data, with personal data underpinning the day-to-day activity of firms (eg where ID is required for the purposes of ID verification in the context of payments or, for instance, anti-money-laundering compliance).
The volume and risk profile of data held in the financial services sector often poses higher risk to the public in the event of breach of UK DP Law, such as from security and cyber incidents. This risk coexists with the opportunity presented by novel technologies and the deployment of AI in the sector, where regulatory collaboration can ensure a complementary framework that facilitates the needs of innovators whilst driving better outcomes for individuals.
Regulatory cooperation is also one of the ICO’s ICO25 objectives, recognising that working collaboratively and cooperatively will maximise its own effectiveness. Additionally, financial firms have to navigate an increasingly complex legislative landscape, where data related laws often overlap with financial regulation.
For example, in his speech at the Data and the Future of Financial Services Summit, Edwards noted the clear parallels between the (relatively) new FCA Consumer Duty, aimed at securing better outcomes for consumers, and UK DP Laws – particularly under PECR and the ICO’s guidance on this topic. Greater cooperation provides the opportunity for more transparency and clarity for firms as to their compliance responsibilities within the financial services sector.
In practice
Instances where financial misconduct intersects with UK DP Law breaches require close collaboration between the FCA and ICO. These include fraud prevention, where exploitation of individuals’ digital identity often breaches data protection law, and at the same time poses significant risk to financial services activities; and secure, verified, and authentic payments.
In cases where there is a potential violation of both financial regulations and data protection laws, the FCA and ICO coordinate their investigations to ensure a comprehensive examination of the issues at hand. This joint approach helps ensure consistent enforcement and appropriate penalties for organizations that breach both financial and UK DP Laws.
In practice, where an FCA-regulated entity experiences a breach of UK DP Law requiring ICO notification, or its conduct is otherwise brought to the ICO’s attention (eg through consumer complaint), the regulators will work together to information share and align their enforcement action. While the organization will find itself liaising with both regulators separately in practice, the two collaborate closely behind the scenes. This means that any internal response to regulatory investigation must be considered through the dual lens of the ICO and FCA, and organizations should be mindful that what is presented to one may be shared with the other, which could trigger different regulatory consequences.
Therefore, if the ICO and FCA are coordinating regulation and enforcement, it seems to follow that firms should be mirroring this collaborative approach within their own internal compliance teams. The Memorandum of Understanding provides a clear framework for coordination for the FCA and ICO, which could be used by firms as a basis on which they can organise their own internal cooperation. Financial firms need to ensure that they are aligning their internal day-to-day compliance, but also their communications with the ICO and FCA as reporting requirements become more aligned.
Philip James, partner, Global Cybersecurity and Data Privacy; Rebecca Sherry, principal associate, Global Cybersecurity and Data Privacy; and Sophie Lewis, trainee solicitor, Eversheds Sutherland.