The Financial Conduct Authority (FCA) and the Information Commissioner (the ICO) have signed a Memorandum of Understanding (MoU) on 19 February 2019 that establishes a framework for co-operation, coordination and information sharing between them.
- The MoU serves as a reminder that there is regulatory overlap between the FCA and the ICO. This is most obvious in the area of information security. The FCA has noted a recent increase in cyberattacks against regulated firms and regards this as a risk to individual customers' money and data. Firms should therefore ensure that their processes and systems are robust enough to keep customers' data secure in the event of a cyberattack. Co-regulated entities need to bear in mind that they are subject to two regulatory regimes and could face enforcement action from both the FCA and the ICO in respect of the same incident.
- More specifically, when reporting a data security breach, the account given to each regulator must be consistent, and the notifications should be made at or about the same time. Any divergence between the two reports should be expected to come to light through the information sharing envisaged in the MoU. Note also that the GDPR requires notification to the ICO without undue delay and, where feasible, within 72 hours of the firm becoming aware of the breach, while the FCA expects prompt notification of significant incidents under its own rules. Remember as well that, in GDPR terms, a personal data breach is construed by regulators to include a significant service outage (an "availability breach") in which individuals cannot access their data, not just a cyberattack or loss of confidentiality.
Below, we set out a summary of the key points from the MoU.
Respective Functions of the ICO and the FCA
First a reminder of the relevant functions of each regulator:
- The ICO is empowered to take a range of regulatory action for breaches of legislation such as the Data Protection Act 2018 (DPA), the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NISD), as implemented in the UK. The GDPR and the DPA in particular impose a broad range of statutory duties on the ICO, including monitoring and enforcing the GDPR, promoting good practice, and overseeing adherence to data protection obligations by those who process personal data. The ICO's powers extend to organisations in the financial services sector along with a wide range of other sectors.
- The FCA is responsible under the Financial Services and Markets Act 2000 for making and enforcing rules governing the conduct of firms it authorises and regulates, for regulating standards of conduct in retail and wholesale markets, and for supervising the trading infrastructures that support those markets. The FCA's single strategic objective is to ensure that the relevant markets function well, supported by its operational objectives of protecting consumers, protecting the integrity of the UK financial system and promoting competition. The FCA has the power to investigate and take enforcement action against firms and individuals who are carrying out, or purporting to carry out, regulated activities and financial services, and to bring criminal prosecutions against those firms and individuals.
Information Sharing between the ICO and the FCA
Under the MoU:
- Both the FCA and the ICO will alert each other to any potential breaches of the legislation regulated by the other that they encounter while undertaking their own regulatory duties, and will provide relevant and necessary supporting information to one another.
- The information that may be exchanged is wide-ranging and includes, but is not limited to:
- information about investigations, and notification by one regulator of any action taken against a person or firm that may be relevant to the functions of the other;
- information held by either regulator regarding fraud, criminal activity or any other activity that might cast doubt on the fitness and propriety of an FCA-authorised firm, a certified individual or an approved person; or
- information or intelligence held by the ICO which indicates that there may be a failure in an FCA-authorised firm's regulated activities (including in the implementation or effectiveness of its systems and controls).
- The MoU recognises that information sharing may be restricted by statutory confidentiality obligations, but sets out the lawful bases (gateways) under which disclosure between the two regulators may take place.
Investigation and enforcement
- The MoU recognises that, because of the regulatory overlap, both the FCA and the ICO might be involved in simultaneous investigations into the same matter. The MoU provides that, in such situations, the FCA and the ICO will try to ensure that whichever of them is the more appropriate regulator will commence and lead the investigation.
- However, the MoU also recognises that investigations could be conducted in parallel or in sequence. In such cases, the FCA and ICO will work closely together, sharing resources where that is appropriate and keeping one another informed.
- In our view, it should no longer be assumed that the FCA will take the lead where a matter is co-regulated. The ICO now has significant powers following the implementation of the GDPR (for example, the power to impose financial penalties of up to €20 million or 4% of an organisation's worldwide annual turnover, whichever is higher) and has taken on additional resources to deal with investigations and enforcement.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, April 2019