
At the end of 2019, the UK Prudential Regulation Authority (PRA) released its consultation paper (link here) setting out its proposals on a regulatory framework to modernise outsourcing and third-party risk management. The original deadline for responding to the proposals was 3 April 2020, but this has now been extended to 1 October 2020, which was announced as part of the Bank of England’s and the PRA’s measures to respond to the economic shock caused by COVID-19.

Background

In response to the growing dependency on third-party technology solutions (e.g. cloud outsourcing), the PRA wants to highlight the new risks associated with such an increasingly complex and constantly evolving area. As firms find themselves increasingly dependent on such services, any major disruption or outage could result in adverse consequences for financial stability. The consultation seeks to modernise the PRA’s expectations and sets out how firms should comply with existing requirements on such risks.

Continue Reading PRA extends deadline for responses to consultation on outsourcing and third-party risk management

All businesses are concerned with whether their revenue and custom will continue during a crisis.

When their services (more importantly those involving technology) depend on the use of third party suppliers, businesses should also think about their own ability to deliver.

Questions that business managers will be agonising over during a crisis include:

Will our

Since March 11, when the World Health Organization (WHO) officially categorised the coronavirus disease (COVID-19) as a pandemic, it has become clear that the world is struggling immensely with the outbreak. It has even led to a massive slowdown in economic activity, causing volatility and turbulence in the financial markets. Therefore, apart from being a

Last week (28 November 2019), the European Banking Authority (EBA) released the final version of its report entitled ‘EBA Guidelines on ICT and security risk management’ (the Guidelines) (link here) on the mitigation and management of financial institutions’ (FIs) information and communication technology (ICT) and security risks. We highlight below some of the key takeaways.

Background

The EBA released a previous version of the guidelines back in 2017. The Guidelines will incorporate and repeal the 2017 guidelines once the Guidelines come into force on 30 June 2020. The Guidelines are also intended to be read alongside the guidelines on outsourcing that came into force at the end of September 2019.

The Guidelines aim to harmonise requirements for ICT and security risk management.

Their scope will cover:

  • Credit institutions and investment firms (as defined in the EU Capital Requirements Directive) for all of their activities
  • Payment service providers (subject to the revised Payment Services Directive) for their payment services

Continue Reading The EBA releases its final ‘Guidelines on ICT and security risk management’ report

On 19 November 2019, the Basel Committee on Banking Supervision (BCBS) published its report on open banking and its implications for banks and banking supervision. The report builds on the BCBS’ previous findings on open banking and application programming interfaces (APIs) in its 2018 report (“Sound practices on the implications of FinTech developments for banks and bank supervisors”). We highlight findings from the report from a data protection perspective below.

Background

The report (including the 2018 report) recognises that technological advances and customers’ need for greater access to information and services have transformed traditional banking, and potentially opened a divide between incumbent banks, and specialised FinTech firms and new intermediaries.

Data sharing in third party arrangements has been increasingly prevalent due to the diversity of services that open banking brings: financial management tools, seamless payment transmissions between banks, vertically integrated financial services – the list goes on. The BCBS has focused on ‘customer-permissioned data sharing’, where customers grant permission to third party firms to access their data through the customers’ banks. These third party firms would collect such data through data aggregators – which may employ various techniques, such as screen scraping or reverse engineering, to access and store customer credentials.

Continue Reading Open banking: the Basel Committee on Banking Supervision has its say

In July 2019, the UK’s Financial Conduct Authority (FCA) held a week-long Global Anti-Money Laundering and Financial Crime TechSprint (FCA TechSprint) event. The FCA TechSprint looked at ways to effectively combat financial crime and money laundering within the financial services industry. On 16 October 2019, the Information Commissioner’s Office (ICO) released a blog (here) that focuses on the lessons learnt from the FCA TechSprint.

Background

The FCA TechSprint brought together teams from all over the world to explore how encryption techniques known as privacy enhancing technologies (PETs) can facilitate data and knowledge sharing among financial institutions, regulators and law enforcement agencies to detect and prevent money laundering and financial crime, while remaining compliant with data protection and privacy laws.

The teams worked towards developing solutions to the following use cases:

  • how can a network of market participants use PETs and data analytics to interrogate financial transactions stored in databases within institutions to identify credible suspicions without compromising data privacy legislation?
  • how can market participants efficiently and effectively codify topologies of crime which can be shared and readily implemented by others in their crime controls?
  • how can a market participant check that the company or individual they are performing due diligence on has not raised flags or concerns within another market participant, and/or verify that the data elements they have for the company or individual match those held by another market participant?
  • how can technology be used to assist in identifying an ultimate beneficiary owner across a network of market participants and a national register?

ICO’s Regulators’ Business Innovation Privacy Hub was present at the FCA TechSprint to offer guidance on the data protection implications of implementing PETs.

Continue Reading At odds no more: can regulatory collaboration bring innovation and data privacy closer together?

The UK’s new prime minister, Boris Johnson, has vowed that the UK will leave the EU on October 31, 2019. A unilateral (or “hard”) Brexit poses many privacy and data protection challenges for companies that operate in the UK. Post-Brexit privacy and data protection issues that you need to consider include:

  • how to maintain uninterrupted

On 7 June 2019, Regulation (EU) 2019/881 on ENISA (the European Union Agency for Network and Information Security) and on information and communications technology cybersecurity certification, also known as the Cybersecurity Act, was given the final go-ahead and published in the Official Journal of the European Union. The Cybersecurity Act will come into force

The UK Jurisdiction Taskforce (UKJT) recently published a consultation paper requesting submissions from stakeholders working with, or interested in, cryptoassets, distributed ledger technology (DLT) and smart contracts. Submissions will inform a legal statement by UKJT which will aim to settle questions on the legal status of cryptoassets and smart contracts. UKJT is drawn from industry,

R. Raphael & Sons plc (Raphaels) has received fines totalling £1,887,252 from the FCA and PRA for repeated failings in relation to inadequate systems and controls supporting the oversight and governance of its outsourcing arrangements.

Raphaels outsourced certain functions that supported payment services for its prepaid and charge card programmes in the UK