The Information Commissioner’s Office (ICO) has announced that it has signed an updated Memorandum of Understanding (MoU) with the Financial Conduct Authority (FCA). This MoU establishes a framework for cooperation, coordination and information sharing between the two parties. The MoU sets out the principles of collaboration and the legal framework governing the sharing of relevant information and intelligence.
The MoU is aimed at enabling a closer relationship between the parties so as to assist them in carrying out their regulatory functions. It is important to bear in mind that the MoU is simply a statement of intent, and does not give rise to any legally binding obligations.
The ICO acts as the UK’s independent regulator for information rights (primarily data protection and freedom of information). The ICO has a broad range of responsibilities, these include monitoring and enforcing GDPR, as well as the promotion of good practice and adherence to data protection obligations. Additionally, the ICO has a number of enforcement powers, these include issuing enforcement notices, administering fines and prosecuting criminal offences before the courts.
The FCA is the conduct regulator for 58,000 financial services firms and financial markets in the UK and the prudential regulator for over 18,000 of those firms. The FCA has three strategic objectives to ensure that the relevant markets function well, these are to:
- protect consumers;
- protect financial markets; and
- promote competition.
Co-operation between the parties
Both parties agree that they will alert each other to any potential breaches of the legislation regulated by either party. They will communicate regularly to discuss matters of mutual interest and will consult one another on any issues which might have significant implications for the other organisation.
In addition to this, the FCA and ICO may request information from each other. A reasonable deadline may be set for a response, including an explanation of any urgency.
Legal basis for sharing information
Information shared by the FCA with the ICO
The FCA may disclose confidential information to the ICOto facilitate the carrying out of a statutory function of the FCA or the ICO. This is subject to any disclosure restrictions.
Information shared by the ICO with the FCA
The ICO may share information with the FCA in a more limited set of circumstances. Whilst carrying out the duties of ICO, information may be identified which ought to be shared with the FCA as it would assist them performing their responsibilities. Section 132 of the Data Protection Act 2018 (DPA) states that such information may only be shared with others if there is lawful authority to do so. Sharing information will be lawful in situations where:
- the sharing was necessary for the purpose of the ICO discharging its functions;
- the sharing was made for the purposes of criminal or civil proceedings; and
- the sharing was necessary in the public interest, taking into account the rights, freedoms and legitimate interests of any person.
Investigation and Enforcement
The two regulators recognise that there are areas in which they have complementary functions and powers. In these cases, the parties will ensure that the most appropriate body will commence and lead investigations. The parties will also seek to notify each other of significant developments where the other is likely to have an interest.
The parties may agree that an investigation should be carried out by both regulators. In this instance it will usually be appropriate that both investigations proceed in parallel. However, in the appropriate circumstances, they will consider whether the facts suggest that one party’s investigation should progress before the other’s.
In relation to enforcement, if a decision is made by either party to take action against a subject, the parties should consider whether it is possible and would be appropriate to coordinate publication of applicable enforcement announcements so that both parties publish the outcome of their investigations simultaneously. In any case, the parties will endeavour to give each other appropriate notice before any relevant notable press releases or public statements.
Confidentiality and data breach reporting
The parties, under the MoU, agree to take appropriate security measures in order to protect information transfers in accordance with the sensitivity of the information. Additionally, before either party passes on any information it has received from the other, it will consult the other party to ensure it is appropriate.
The MoU demonstrates a clear intention for stronger collaboration between the FCA and the ICO moving forwards. The MoU also sets out a clear framework for this collaboration to take place.
Financial services firms are typically heavy users of personal information, and the consequences of a breach of data laws in the sector can be severe for consumers and for financial markets. In recent years, we have seen the ICO step up the seriousness of its enforcement activity, commensurate with the newly strengthened powers it has under the GDPR.
Firms regulated by the FCA need now, more than ever, to have a joined-up approach to FCA and ICO regulation – both in terms of day-to-day compliance with data protection laws and FCA requirements, and also in terms of engaging with the regulators when breaches and other incidents occur.