Ali Abbas
FCA admits data breach: how can firms ensure they don’t make the same ‘mistake’?
In late February this year, the UK’s Financial Conduct Authority (FCA) issued a statement announcing that it had suffered a data breach.
In late February this year, the UK’s Financial Conduct Authority (FCA) issued a statement announcing that it had suffered a data breach. As the result of a Freedom of Information Act request, published in November 2019, the FCA had allowed the confidential information of 1,600 individual to be exposed and accessible to the general public. The publication of this information, it admitted, was a mistake*. Accordingly, it referred itself to the Information Commissioner’s Office (ICO).
The FCA’s breach was, no doubt, an embarrassing occurrence for a regulator that is responsible for ensuring that financial institutions handle their data in a safe and secure way. In fact, in 2016 the FCA issued Tesco Bank with a £16.4 million fine for failing to store its data securely**.
In the age of GDPR, EU Data Protection Authorities and regulations such as the California Consumer Privacy Act (CCPA), data security is key. In the last year alone, multi-national companies such as Capital One and British Airways have faced record fines from the ICO for data-related failings. British Airways was ordered to pay £183 million to the ICO after the data of 500,000 customers was compromised***. This amounted to almost 1.5% of its global turnover under the new penalty rules introduced by GDPR.
This isn’t just a concern for EU-based firms, GDPR transcends borders and, in some instances, can stretch to protecting EU citizens wherever they may be. Data protection is a global issue.
Regulators are tightening their powers and scrutinising firms’ data management like never before (even if they fail to adhere to their own rules). The FCA certainly isn’t the first organisation to have left data exposed, and undoubtedly it won’t be the last. Financial institutions must be alert to their obligations and implement systems that ensure their data management is watertight.
Firms must automate their compliance systems in order to understand requirements, be alert to when those requirements change, and implement new regulations at pace to avoid falling foul of the regulators. Implementing RegTech will be essential to avoiding crippling fines and the loss of customer trust.
*Statement on FCA data breach, Financial Conduct Authority, 26 February 2020.
***Intention to fine British Airways £183.39m under GDPR for data breach, ICO, 8 July 2019.
