HTL's recommended solution was backed by their reliable IT support team throughout the entire migration process, which made us feel in control of the situation at all times

Paul Bonter, Company Secretary, Nafas

7 Ways to Better Meet FCA and ICO/DPA Technology Guidelines

Technology Compliance for Alternative Investment Companies and Other Organisations in Scope of FCA and ICO/DPA Regulation

Perhaps one of the most important things the 2007 credit crunch and the ensuing global economic recession demonstrates is the degree to which the world depends on the financial industry. Consequently, the rationale for robust regulatory oversight of the financial industry is compelling.

Technology is a fundamental enabler of the finance industry. The financial system is interwoven with and highly reliant on technology. Technology changes quickly and the threat environment may be characterised as agile and blended, with a need for constant vigilance.

Today the Alternative Investment Fund Managers Directive (AIFMD) and the Capital Requirements Directive IV (CRD IV) are primary tools governing the core business of UK domiciled alternative investment firms. Technology is governed by Financial Conduct Authority (FCA) guidelines in conjunction with the Information Commissioner’s Office (ICO) which carries out enforcement action for breaches of the Data Protection Act (DPA).

As a result there is a mix of recommendations and mandatory compliance points. This means some areas are open to interpretation and there is a need to understand where any distinctions exist, and act appropriately.

The objective of this regulatory approach appears to be to create a culture where financial services businesses demonstrate a responsible approach and a willingness to consider their use of systems and any risks that need to be mitigated.

In this guide we discuss 7 ways alternative investment businesses, and professional services companies supplying services to regulated firms, are able to improve the ability to meet FCA or ICO/DPA regulatory guidelines for using technology within their businesses.

7 ways to better meet FCA and ICO/DPA technology guidelines

  1. Drive it from the top down

    Wherever there is a failure of leadership to assert control and set high standards for a business and its employees, there is often the potential for significant problems.

    Take responsibility at board level

    Ultimately, FCA/ICO compliance is a governance matter and it needs to be owned by the board and driven from the top down. Leave no doubt about standards by promoting a culture of resilience and security. There should never be complacency around the value of information and cyber security.

    The board should set up a process to ensure it is satisfied about policies and procedures for protecting information, especially where dependencies lie with third parties or with a parent group. Cyber security should be under the control of a CIO (Chief Information Officer) or someone with the equivalent accountability at board level.

    It is important that procedures are in place to deal with cyber-attacks, to prevent fraudulent communications by both voice and email, and to safeguard against money laundering activities.

    Enforcement action

    The Money Shop

    Date: 06 August 2015
    Type: Monetary penalties
    Sector: Finance insurance and credit

    The ICO has issued a £180,000 civil monetary penalty to The Money Shop in response to the loss of computer equipment containing a significant amount of customer details.

  2. Keep your systems up-to-date

    Many fines are issued by the ICO for failing to take reasonable steps to prevent hacking. Hackers often exploit ‘vulnerabilities’ (that’s IT code for holes in security) to gain unauthorised access to networks, systems and data.

    Simple to plug security gaps

    One of the most fundamental principles of IT security is to plug gaps by maintaining up-to-date software versions. This is done by regular updating or ‘patching’ with updaters downloaded or automatically pushed out by software vendors. Many of the firms that have been fined could have escaped financial penalty by simply taking the reasonable step of ensuring systems were kept up-to-date.

  3. Tighten up staff security

    Employees are only human, and even in the most secure environments, people are often responsible for breaches, either through deliberate action or failing to observe security policies and procedures.

    Passwords

    One key aspect is password access and control. Companies should have strict password control policies. Users should not use the same username and password combinations for company and personal accounts, as this would allow hackers to gain access to company data and systems by stealing account data from personal or consumer accounts. Forcing regular password changes is one option, or consider Dual Factor Authentication. This means a unique, One Time Key is required at every login, so just knowing a username/password combination is not enough to permit access.
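    The per-login one-time key described above is most often implemented as a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app. The following is an added example, not code from HTL or from the original guide, showing a login check that requires both the password and the current one-time code, refuses to accept the same code twice, and tolerates one 30-second step of clock drift between the user's device and the server. The user record, salt and shared secret are constructed for illustration; the secret is the RFC 6238 test secret so the codes can be checked against the published vectors.

```python
"""Two-factor login check: password plus time-based one-time code (RFC 6238 TOTP).
Added example; constructed user data, not from the original guide."""
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per TOTP counter step, as used by common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash; only the hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class User:
    """Minimal user record: password hash, TOTP secret and the last accepted time step."""

    def __init__(self, password: str, totp_secret: bytes, salt: bytes):
        self.salt = salt  # constructed here; a real system would use os.urandom(16)
        self.password_hash = hash_password(password, salt)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time step already used, to block code replay


def login(user: User, password: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Both factors must pass. A code is valid for the current step and +/- `window`
    steps, but only if its step is newer than the last one accepted for this user."""
    # Always evaluate both factors so a wrong password does not short-circuit the OTP check.
    password_ok = hmac.compare_digest(hash_password(password, user.salt), user.password_hash)

    counter = unix_time // TIME_STEP
    accepted_counter = None
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= user.last_counter:
            continue  # this step was already consumed: reject reuse of the same code
        if hmac.compare_digest(hotp(user.totp_secret, candidate), code):
            accepted_counter = candidate
            break

    if password_ok and accepted_counter is not None:
        user.last_counter = accepted_counter  # consume the step only on a full success
        return True
    return False


if __name__ == "__main__":
    # Constructed demo values; the secret is the RFC 6238 SHA-1 test secret.
    demo_secret = b"12345678901234567890"
    demo_user = User("correct horse battery", demo_secret, b"constructed-salt")
    now = 1234567890
    print("code for this step:", totp(demo_secret, now))
    print("first login:", login(demo_user, "correct horse battery", totp(demo_secret, now), now))
    print("replayed code:", login(demo_user, "correct horse battery", totp(demo_secret, now), now))
```

    The replay check matters because a code that is shoulder-surfed or phished is otherwise usable for the whole 30-second step plus the drift window; storing the last accepted step per user turns the code into the "one time" key the guide describes. Secrets must be generated with a cryptographic random source and stored with the same care as password hashes, since anyone holding the secret can compute every future code.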

    Data loss

    Incidences of employees taking data offline (e.g. on a USB stick or a laptop) and then losing it are frequent. Consider prohibiting the practice or only allowing download to secure devices - those managed by the business and with encrypted storage - that are only accessible using a username/password combination.

    Activity monitoring

    Consider monitoring communications activity. Record all telephone calls and archive all email. Some companies record all network activity, although this is more for internal security rather than for FCA compliance.

    HR Policies

    Consider consulting with HR to review any points where security has touch points with HR policies. Some examples where issues may arise include:

    • Hiring
    • New hire induction
    • Ongoing training
    • Disciplinary procedures
    • Termination of employment
    • Dual Factor Authentication
    • Offline working with company data
    • Online working with data encryption
    • Activity Monitoring

    Enforcement action

    Jala Transport Limited

    Date: 26 September 2013
    Type: Monetary penalties
    Sector: Finance insurance and credit

    A monetary penalty notice has been served on Jala Transport, a small money-lending business, after the theft of an unencrypted portable hard drive containing its customer database.

  4. Keep on top of documentation

    Always ensure up-to-date network documentation is available. Similarly, request documentation from your partners and any other 3rd parties.

    Typically, documentation should include information on:

    • Who has access to what?
    • What is the update procedure?
    • How is data secured?
    • What is the backup procedure?
    • What is the disaster recovery plan?

    Enforcement action

    Think W3 Limited (Thomas Cook subsidiary)

    Date: 23 July 2014
    Type: Monetary penalties
    Sector: Online technology and telecoms

    Think W3 Limited, an online travel services company, has been served a £150,000 monetary penalty after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.

    RFI

    External firms may submit a Request for Information (RFI) before commencing trading with your company. This will almost certainly include questions on software, versioning and IT security. Likewise, your business should consider issuing an RFI to any new partner before doing business. Also consider formalising documentation for existing partners if an RFI has not previously been part of the partner engagement process.

    Demonstrating a responsible approach

    Maintaining up-to-date documentation means you have the right information to hand whenever it is requested from your business. It reassures senior management everything has been given reasonable thought and appropriate systems are in place. Documentation can easily be passed to the FCA if required, to demonstrate a responsible approach.

  5. Plan for disaster

    Data backup, disaster recovery (DR) and business continuity (BC) planning are closely inter-related. Like many areas of IT there is no absolutely right or wrong way. There is a ‘menu’ of different elements that may be mixed and matched together to form the right solution to meet the specific needs of a business.

    The core question is: How long can you afford the business to be offline? Once you establish this maximum tolerance to a loss of IT services, you work backwards from there. Some points to consider are:

    Avoid backup tapes

    A credible backup tape regime requires tapes to be physically taken offsite, inviting the potential for loss. There are a number of examples of companies losing them and getting fined. Tapes and autoloaders are also expensive and prone to failure because they are mechanical. Online backup is more reliable and secure.

    Data retention

    Backup is central to the data retention strategy. Creating a reliable archive of legacy data is essential for compliance with FCA data retention rules. Ideally, legacy data needs to be kept accessible but out of the way, and this could guide the design of any hierarchical storage system for filing and retrieval.

    FCA Retention Periods for Data

    Record type                              Retention period
    Emails                                   6 years
    Record of election to comply             Indefinite
    All other financial records              3 – 6 years
    MiFID                                    1 – 5 years
    Basel II risk legacy data                2 – 5 years
    Telephone & electronic communications    6 months

    Identify single points of failure

    Typical single points of failure include power, network and servers. Look for anything of which there is only one. At the top level, the whole of an office or site is a single point of failure. To mitigate the loss of an entire site, it’s often easier to replicate all of your data to another site. Then comes the question – How far away is far enough?

    Data replication

    The potential for disasters – both natural and man-made - is a key consideration when determining the distance to the replication site. Many businesses in the UK conclude that a distance of 50 miles is appropriate. For even better risk reduction consider replicating in more than one place. Remember to include telephone systems.

    Document disaster recovery plans

    Whatever the specific process for disaster recovery it’s vital to document the disaster plan.

    Key DR plan information includes:

    • Who instigates the plan?
    • Where is the recovery site?
    • How are employees notified?
    • How long before the business returns to operational status? (Sometimes referred to as the Recovery Time Objective, RTO)

  6. Commission an external audit

    Consider assessing your systems against ISO 27001, the management system standard for information security, by checking credentials, commissioning an external audit or penetration testing.

    External IT partner

    If you have an external IT partner ensure you check its credentials. It should be appropriately accredited and should adhere closely to industry best practice for information security.

    Internal IT team

    If you have an internal IT team, consider getting a second opinion by engaging an appropriately accredited company to audit your network. An internal IT team may only have in-depth experience of your own environment. Employing an external team to check the systems often gives an insight into your own network that you may otherwise not be able to obtain.

    Penetration testing

    Consider penetration testing or pen testing. This is the process of ‘stress’ testing your systems to see if a ‘tiger team’ of computer security professionals acting as hackers is able to break through to gain access to your network, servers and data.

  7. Review physical security

    Companies that keep all their data in the office should review physical security with an audit. Some typical questions that might be used to audit physical security include:

    • Who has access to the office? (Don’t forget cleaners, caterers & security guards)
    • Are all computer workstations including laptops and tablets locked when not in use?
    • Who has access to the server cupboard, comms room or data centre?
    • Are there access control records documenting entry and exit of the premises?

    Offsite datacentre

    To mitigate physical security risks, consider the benefits of locating data in an offsite data centre. Any choice of data centre should be governed by accreditation to ISO 27001, which means the facility is audited for physical security in line with the management system standard.

    Data sovereignty

    It is vitally important to consider the issue of data sovereignty, the geographic locations where data is stored. When evaluating offsite data storage it is essential to understand where data may be stored by service providers. Changing legislation and challenges to agreements such as Safe Harbour mean the landscape may shift suddenly.

    Enforcement action

    Staysure.co.uk Limited

    Date: 24 February 2015
    Type: Monetary penalties
    Sector: Finance insurance and credit

    An online holiday insurance company has been fined £175,000 by the ICO after IT security failings let hackers access customer records. More than 5,000 customers had their credit cards used by fraudsters after the attack on Staysure.co.uk.
