by Alun Milford
It is just over a year since the European Union’s General Data Protection Regulation came into force. It strengthened Europe’s already highly evolved legal framework for the protection of personal data and provided for much heavier penalties for breaches of those protections than had hitherto been available. For example, under the old law the maximum penalty the United Kingdom’s regulator could impose for a data protection breach was £500,000 whereas under the new law the maximum penalty throughout Europe is the higher of 20,000,000 euros or 4% of the firm’s annual worldwide turnover in the preceding financial year. The prospect of penalties on this scale has concentrated the minds of businesses with European operations, whether headquartered there or not.
For firms in the United Kingdom’s regulated financial sector a particular concern was the prospect of having to comply with two distinct regulatory frameworks – one for the conduct of business and the other for the protection of personal data – policed by two distinct regulators – the Financial Conduct Authority and the Information Commissioner’s Office – where both regulators now had the power to impose very significant sanctions for the same conduct. In this blog I consider the functions of the respective regulators, the areas of overlap or common interest in their work and the way in which the regulators have indicated they will approach those areas of common interest.
The Regulators
The Information Commissioner’s Office, headed by the Information Commissioner, was established to uphold information rights by promoting openness on the part of public bodies and data privacy for individuals. The primary legislative vehicle for defining standards for individuals’ data privacy is currently the European Union’s General Data Protection Regulation, which has direct effect throughout the European Union and is supplemented in the United Kingdom by the Data Protection Act 2018. Indeed, the protection of individuals’ data privacy has been driven in large part by developments in European law, including not least the Charter of Fundamental Rights of the European Union, which became part of European law when the Treaty of Lisbon took effect in December 2009. Article 8 of that Charter provides that everyone has the right to the protection of personal data concerning him or her. The Information Commissioner may be regarded as a human rights regulator, therefore. Her powers include conducting compliance assessments, requiring the production of information, issuing enforcement notices, imposing penalties and prosecuting a small number of offences touching on her areas of responsibility.
The Financial Conduct Authority is the UK’s financial regulator and derives its functions from the Financial Services and Markets Act 2000 as amended. These are made up of an overarching strategic objective to ensure that relevant markets function well and three operational objectives, namely securing an appropriate degree of protection for consumers, protecting and enhancing the integrity of the UK financial system and promoting effective competition in the interests of consumers in the markets. Its business plan, which describes how it intends to achieve these statutory objectives, contains four cross-cutting priorities, one of which includes combating financial crime and improving anti-money laundering practices by enhancing the use of technology and data. This is an economic regulator, therefore. The Financial Conduct Authority is empowered to make rules for the market. Its extensive enforcement powers include withdrawing a firm’s authorisation, prohibiting individuals from carrying on regulated activities, imposing penalties on regulated firms or individuals and prosecuting for certain financial offences.
Areas of Common Interest
In February last year the two regulators published a joint update on the General Data Protection Regulation in which they acknowledged that it would be regulated and enforced by the Information Commissioner’s Office. This did not, however, render the Financial Conduct Authority irrelevant. First, some of the Financial Conduct Authority’s rules require firms to process personal data. The regulators stated their shared belief that there was nothing in the General Data Protection Regulation which ran contrary to the Financial Conduct Authority’s rules, and indeed pointed to many similarities in approach: board level responsibility, evidencing compliance and the requirement to treat customers fairly. The Financial Conduct Authority undertook that, when making rules, it would take into account how its requirements would affect the privacy interests of individuals such as firms’ customers and employees. Second, having made its rules, the Financial Conduct Authority has to ensure compliance. It indicated that, in doing so, it will consider compliance with General Data Protection Regulation requirements and pointed specifically to the requirements it has made in the Senior Management Arrangements, Systems and Controls (SYSC) module for firms to establish, maintain and improve appropriate technology and cyber resilience systems and controls.
Indeed data security is the obvious area of operational overlap between the two regulators, and we see this illustrated in two relatively recent enforcement decisions. On 19 September 2018, the Information Commissioner’s Office imposed a £500,000 penalty on Equifax Limited, a regulated firm, for its cumulative and manifest failures as data controller for the personal data of 15 million UK data subjects processed in the United States by Equifax Inc., acting as Equifax Limited’s data processor. That data was compromised in a massive cyber attack which took place from 13 May 2017 to 30 July 2017, before GDPR came into force and maximum penalties were increased. The Financial Conduct Authority also opened an investigation into the circumstances surrounding this cyber attack. That investigation remains open.
On 1 October 2018, the Financial Conduct Authority imposed a £16,400,000 penalty on Tesco Bank for its failure to protect data from a cyber attack that took place in November 2016 and for its failures properly to respond to the attack. In imposing its penalty the Financial Conduct Authority identified four separate breaches of its rule (contained in Principle 2 of its High Level Principles for Business) that a firm must conduct its business with due care, skill and diligence on the basis that Tesco Bank was in the business of banking, and fundamental to that business is protecting its customers from financial crime. On the facts, no personal data was lost and the Information Commissioner appears not to have opened an investigation.
With both regulators claiming jurisdiction over conduct of a similar kind, a co-ordination mechanism is required. The regulators acknowledged as much in their joint statement of February 2018, when they indicated they were reviewing the memorandum of understanding that they had put in place four years previously in order to ensure it was fit to address future collaboration. It seems that it was not, because on 18 February this year they entered into a new memorandum of understanding.
Approach to Areas of Common Interest
The memorandum of understanding describes itself as establishing a framework for co-operation, co-ordination and information sharing between the Information Commissioner and the Financial Conduct Authority. Some of that framework consists of recording the legal basis for the regulators to share information with each other. That point having been covered, the memorandum of understanding goes on to make provision for the co-ordination of policy work where the parties’ policies may have a material effect on each other’s objectives. The parties also commit to ensuring that their separate awareness activities are complementary.
So far as investigations are concerned, the parties start by recording their recognition that they have areas of complementary functions and powers, and provide that they will endeavour to ensure that the most appropriate body or bodies will commence and lead investigations. They go on to provide for liaison mechanisms, to the extent permitted by law and where appropriate. They then make provision for referrals between the two on the basis that the referring body tells the other body the action sought and the legal powers it considers are available to it. The parties go on to agree that where both parties investigate, the investigations will usually be conducted in parallel whilst also providing that sequential investigations are possible in appropriate circumstances.
Where investigations turn to action, the parties are similarly Delphic. It is a matter for either party whether to take action. The extent of their commitment to each other is only to consider whether it is possible and appropriate to publish the outcome of investigations simultaneously and, in any event, to endeavour to give each other no less than 24 hours prior notice of a press release or other public statement.
Where does this leave us?
The Financial Conduct Authority has made clear that its remit extends to the way businesses in the financial sector use and protect data. It considers that businesses should be free to hold and use big data to develop what they can offer the market on condition that customers do not suffer harm from that use, and it has developed, and will continue to develop, rules aimed at achieving that balance. In particular, businesses are required to hold data securely. Not to do so is to fail to conduct business with due skill, care and diligence.
The Financial Conduct Authority does not see the development of data protection rights and the consequent expanding role of the Information Commissioner as in any way absolving it of its responsibilities. It is correct to do so: its functions are defined by statute and nothing in the data protection statutes impacts on, or detracts from, those functions. Similarly, the Information Commissioner has her own source of authority quite unaffected by the framework of financial service regulation.
It follows that the two regulators have no option but to co-ordinate activity with each other as much as possible where each other’s interests are engaged. The memorandum of understanding is a manifestation of that reality and has plainly been drafted to give each of the regulators as much freedom of manoeuvre as possible. The only clue to how they might approach matters is the reference to making referrals to each other by reference to the statutory powers each has, which suggests that in discussions they will consider not just whose powers are best suited to any investigation but also the sort of outcomes they might achieve. So, in the case of a cyber attack exploiting lax data protection systems the regulators might agree that the company should have a penalty imposed by the Information Commissioner whilst the Financial Conduct Authority considers whether the people who were responsible for the systems should be permitted to continue to work in the regulated sector. We will learn more when we see how they co-operate in practice, including learning what action, if any, the Financial Conduct Authority takes in the Equifax case. In the meantime, the only certainty is that a business operating in the regulated sector which suffers a data loss will have to report to, and be ready to co-operate with, both regulators.
Alun Milford is a partner at Kingsley Napley LLP.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.