On 18 February 2019, the Information Commissioner’s Office (the “ICO”) and the Financial Conduct Authority (the “FCA”) published a new Memorandum of Understanding (“MoU”) between them. This will no doubt be of interest to any business regulated by the FCA, and while it is good news that the regulators will be co-operating in the exercise of their functions, the MoU does not remove the risk that such businesses could, in the event of a data protection breach, face parallel investigation and enforcement action from more than one regulator, each with very significant sanctioning powers.
We have set out below a high-level overview of the MoU, the conduct of investigation and enforcement and the legal basis on which information can flow between the two regulators – paving the way for further joined-up regulatory thinking in the wake of the GDPR.
The MoU sets out the broad principles of collaboration and the legal framework governing the sharing of information and intelligence between the ICO and the FCA. The shared aims of the MoU are to enable closer working relations, including the exchange of appropriate information, to assist in and enhance the discharge of each of the regulators’ enforcement and regulatory functions.
Under the MoU the ICO and FCA agree, at their discretion, to:
- alert each other to potential breaches of the legislation regulated by either the ICO or the FCA, discovered whilst undertaking regulatory duties, and to provide relevant and necessary supporting information (subject to any legal or procedural restriction on the disclosure of information);
- communicate and consult on a regular basis to discuss matters of mutual interest and to address common issues and threats;
- share information on issues of interest including, but not limited to:
  - investigations and notification of action taken against a person or entity by one regulator which may be relevant to the functions of the other;
  - information held by either regulator in respect of fraud or criminal activity which may call into question the fitness or propriety of an FCA-authorised firm, certified individual or approved person; or
  - information or intelligence held by the ICO indicating there may be a failure in an FCA-authorised firm’s regulated activities;
- co-ordinate in respect of reviews, calls for evidence and recommendations directed at either regulator and, if information gathered by one regulator is deemed to be materially relevant to the other, notify that regulator so that it may request disclosure of such information;
- in the case of a major incident of mutual interest at an FCA-regulated firm, work together in line with agreed incident protocols to secure optimum outcomes for consumers and ensure incidents are handled expeditiously;
- collaborate and harmonise in rule and policy making, as well as ensuring their respective awareness activities are complementary;
- where appropriate, share communication and publication plans to facilitate consistent messaging and effective resource planning;
- ensure that:
  - appropriate security measures are agreed to protect information transfers in accordance with the sensitivity of the information and to mitigate the risk of inappropriate disclosures;
  - appropriate consultation is held prior to any onward transmission of information to a third party, or prior to its use in an enforcement proceeding or court case; and
  - in addition to the reporting obligations conferred by the GDPR and/or the Data Protection Act 2018 (“DPA”), the regulators notify the originating party of any wrongful disclosure of information without delay;
- monitor the operation of the MoU and perform biennial reviews.
Investigation and enforcement
The ICO and FCA have overlapping functions and powers, and in cases of mutual interest they will agree which body is the most appropriate to commence and lead an investigation. Where the regulators agree that both bodies should investigate, the investigations will run in parallel unless the facts suggest that one should take precedence. Further, each regulator may refer an action to the other where the other is better placed to deal with it. The MoU therefore does not rule out the possibility that a business could face investigation and enforcement action from both the ICO and the FCA for the same data breach.
To the extent permissible by law, and having regard to their respective powers, expertise and resources, the regulators will keep each other abreast of significant developments in which the other is likely to have an interest and will allow for the proper exchange of views. If an enforcement decision is taken against a subject, the regulators should consider whether co-ordinated publication of enforcement announcements is possible and, in any event, will notify each other at least 24 hours in advance of any public statement or press release in which the other regulator may have an interest.
Information sharing between regulators
The FCA may share confidential information with the ICO in order to carry out its own statutory functions under the Financial Services and Markets Act 2000 (Confidential Information) Regulations 2001, or to facilitate the carrying out of a statutory function of the ICO. In respect of the disclosure of personal data, the FCA may disclose such information under the GDPR and the DPA as a controller to the extent that there is a legal basis to share it and that doing so would otherwise comply with the data protection principles. Pursuant to Section 131 of the DPA, the FCA is not prohibited or restricted from disclosing information to the ICO provided the information is necessary for the discharge of the ICO’s functions. Section 131 may therefore provide a legal basis on which the FCA can disclose personal data to the ICO.
The ICO will receive information from a range of sources, including personal data. The ICO may process personal data in accordance with the principles of the GDPR, the DPA and all other applicable legislation. Section 132 of the DPA provides that the ICO may share information obtained in the course of discharging its functions where there is lawful authority to do so. Disclosure will be lawful in circumstances where the sharing is:
- necessary for the purposes of the ICO discharging its functions;
- made for the purposes of criminal or civil proceedings; or
- necessary in the public interest, taking into account the rights, freedoms and legitimate interests of any person.
In the pre-GDPR era, businesses in the financial services sector had more reason to fear the long arm of the FCA for data protection infringements. Since May 2018 and the new sanctioning powers conferred by the GDPR (fines of up to 4% of total global annual turnover or €20 million, whichever is the higher), boards across the UK are rightfully concerned by the risk of potentially significant penalties being issued by the ICO. As the MoU shows, however, both regulators have the ability to investigate and take enforcement action against businesses, in parallel or consecutively. How regularly dual investigations and enforcement actions will be undertaken remains to be seen, but the prospect will continue to cause consternation among businesses regulated by both the FCA and the ICO.