FCA/ICO: We’ve Got An Understanding

It’s official: the body responsible for regulating financial business, the Financial Conduct Authority (FCA), and the body responsible for regulating the use of personal data, the Information Commissioner’s Office (ICO), have announced a formal collaboration setting out how the two regulators will share information and work together.

The ICO already openly refers high-profile cases involving data security to the FCA for enforcement, because the FCA has more extensive enforcement powers when it comes to financial businesses. For example, as far back as 2010, a fine was issued to Zurich insurance for a data security breach as a result of the ICO and the FSA (the FCA’s predecessor) working together.

To formalise this approach, in January 2015 the FCA published a memorandum of understanding (MoU) setting out the working arrangements between the FCA and the ICO where they have a common interest.  The key areas covered by the MoU are set out below.

Information sharing

The FCA and ICO will exchange information to aid their respective functions.  They may request information from each other and suggest deadlines.  They may also consult and co-ordinate in reviews, calls for evidence and recommendations.  The ICO frequently responds to consultations by the FCA to influence the direction of policy in a number of different areas, such as its response to payday lending.

Policy and rulemaking

The two bodies will seek to coordinate their rules in areas that have a material effect on each other’s objectives. They aim to work closely to ensure their awareness activities are complementary. They’ll also share communication and publication plans. This coordination was seen when the two worked together in creating a policy on credit agencies and their treatment of vulnerable people. Data held by credit reference agencies is governed by policies written in conjunction with the ICO, but the agencies themselves are regulated by the FCA.

Investigation and enforcement

The two regulators will ensure that, where they have overlapping functions, the most appropriate body will commence and lead investigations.  They will notify each other of significant developments, discuss appropriate steps and ensure an appropriate exchange of views.  They may refer matters to each other and their staff will seek to coordinate as far as possible.  As noted above, this formalises the existing practice – where the better-placed regulator naturally takes the lead in cases of overlapping competency.

However, it’s not all plain sailing.  The ICO also has jurisdiction to hear complaints about how the FCA handles requests for information.  In the past year there have been a number of occasions where the ICO ruled that the FCA breached freedom of information requirements and ordered it to make disclosures.

In practice, the MoU means that there is now an established process for the ICO to share information about any data breaches with the FCA, with the aim of making regulatory action for such breaches easier and more streamlined.  In the financial services sector, it is now more important than ever to make sure your house is in order when it comes to protecting personal data.

If you have any queries about the roles and responsibilities of the FCA and ICO, or how they affect your business, please get in touch with our financial services and data protection experts.

Lorna Finlayson
Partner, Financial Services Regulatory

Charles Rogers
Solicitor, Financial Services Regulatory

Helena Brown
Director, Data Protection

Ross McKenzie
Associate, Data Protection