On 18 February 2019, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) updated their Memorandum of Understanding (MoU) with an aim to reinforce and develop their cooperation, collaboration, and information and intelligence sharing.
Cooperation and information sharing
The ICO and FCA have set out what matters they will communicate with each other and the exchange of information between them. Subject to legal restrictions on the disclosure of information, the ICO and FCA have agreed to:
Alert each other of any potential breaches of the legislation regulated by the other party;
Communicate regularly to discuss matters of mutual interest and consult the other on any issues that are significant for the other organisation;
Exchange information on “relevant issues of interest…and as appropriate and relevant to their respective objectives” – for example:
(i) investigations and actions taken against persons or firms that may be relevant to the functions of the other;
(ii) information held by either regulator in connection with the fraud/criminal activity that might cast doubt on the fitness and proprietary of an FCA-authorised firm;
(iii) intelligence held by the ICO that suggests a failure of an FCA-authorised firm’s regulated activities.
4. Request any information from the other that may assist the requesting regulator to carry out its functions;
5. Consult and coordinate on their work in respect of reviews, calls for evidence and recommendations made toward each of the parties, which may prompt further requests for disclosure by each of the parties.
The purpose of this two-way information sharing arrangement between the regulators is to “enhance their ability to exercise their respective functions”. It is made explicit, however, that the purpose behind the information sharing is not to be interpreted as imposing a binding obligation.
Investigations and enforcement
ICO and FCA have recognised that there are areas in which they have complementary functions and powers and therefore will ensure the most appropriate body will lead the investigations. The parties will, however, ensure that in cases of investigations, each will notify the other of significant developments where the other party is likely to have an interest.
Where investigations need to be carried out by both parties, they can also decide whether to proceed with these in parallel or in sequence. To that extent, the parties intend to share expertise and resources, to keep each other updated regarding progress, and to coordinate simultaneous publications of investigation outcomes and press releases.
This increased cooperation between the FCA and ICO means financial firms will likely need to answer to two regulators in event of a data breach.
Taking cybercrime as an example, over the past year the FCA has seen a dramatic increase in data breaches reported by UK financial services firms. Tesco Bank is one such firm that was fined by the FCA at the end of 2018 (£16.4 million) following a cyberattack.
Given the sensitivity of the personal data involved, cyber criminals are targeting bank accounts. If firms are unable to demonstrate they have the technical and organisational measures or even appropriate systems and controls in place to combat cyberattacks, they will likely be exposed to enforcement from both the ICO and the FCA. In the event of a cyberattack that involves personal data, the findings of any investigations carried out by one of the bodies will likely be shared with the other.
Essentially, the relationship and intelligence sharing between ICO and FCA become key – not only in combatting cybercrime but also in steering financial services firms toward strengthening the systems to safeguard their data and avoid falling foul of their compliance requirements.