In July 2019, the UK’s Financial Conduct Authority (FCA) held a week-long Global Anti-Money Laundering and Financial Crime TechSprint (FCA TechSprint). The FCA TechSprint explored ways to combat financial crime and money laundering within the financial services industry more effectively. On 16 October 2019, the Information Commissioner’s Office (ICO) published a blog post on the lessons learnt from the FCA TechSprint.

Background

The FCA TechSprint brought together teams from all over the world to explore how encryption techniques known as privacy enhancing technologies (PETs) can facilitate data and knowledge sharing among financial institutions, regulators and law enforcement agencies to detect and prevent money laundering and financial crime, while remaining compliant with data protection and privacy laws.

The teams worked towards developing solutions to the following use cases:

  • how can a network of market participants use PETs and data analytics to interrogate financial transactions stored in databases within institutions to identify credible suspicions without compromising data privacy legislation?
  • how can market participants efficiently and effectively codify typologies of crime which can be shared and readily implemented by others in their crime controls?
  • how can a market participant check that the company or individual they are performing due diligence on has not raised flags or concerns within another market participant, and/or verify that the data elements they have for the company or individual match those held by another market participant?
  • how can technology be used to assist in identifying an ultimate beneficiary owner across a network of market participants and a national register?

ICO’s Regulators’ Business Innovation Privacy Hub was present at the FCA TechSprint to offer guidance on the data protection implications of implementing PETs.

Continue Reading At odds no more: can regulatory collaboration bring innovation and data privacy closer together?

R. Raphael & Sons plc (Raphaels) has received fines totalling £1,887,252 from the FCA and PRA for repeated failings in relation to inadequate systems and controls supporting the oversight and governance of its outsourcing arrangements.

Raphaels outsourced certain functions that supported payment services for its prepaid and charge card programmes in the UK

On 18 February 2019, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) updated their Memorandum of Understanding (MoU) with an aim to reinforce and develop their cooperation, collaboration, and information and intelligence sharing.

Cooperation and information sharing

The ICO and FCA have set out what matters they will communicate with each other and the exchange of information between them. Subject to legal restrictions on the disclosure of information, the ICO and FCA have agreed to:
Continue Reading FCA and ICO strengthen cooperation in renewed memorandum of understanding

The UK Financial Conduct Authority (FCA) announced at the start of last month that it had fined Tesco Bank £16.4 million for the failings that allowed a cyber-attack on the bank two years ago.

In November 2016, 8,261 personal current accounts at Tesco Bank were compromised. Attackers obtained customers’ debit card details and entered into thousands of unauthorised transactions.

This is the first cyber-attack-related fine to be imposed on a UK bank by the FCA. The fine was reduced from the initial draft penalty of £23.5 million because Tesco Bank settled at an early stage, cooperated with the FCA, and compensated affected customers.

FCA’s Final Notice

The FCA set out its findings and enforcement action in its Final Notice dated 1 October 2018.

The fine was issued on the basis that Tesco Bank breached the FCA’s second Business Principle, which provides that a firm must conduct its business with due skill, care and diligence.

FCA Enforcement Director Mark Steward commented that the FCA has “no tolerance for banks that fail to protect customers from foreseeable risks”.

The FCA criticised Tesco Bank, saying that the cyber-attack was “largely avoidable”. The failings of Tesco Bank to conduct its business with due skill, care and diligence included:

  • issuing debit cards with sequential card numbers, so that an attacker who knew one valid card number could enumerate neighbouring numbers and find other live cards;
  • configuring its authorisation system to check only that the expiry date submitted with a transaction was in the future, rather than that it matched the expiry date on record for that card, so a guessed card number could be used with almost any plausible expiry date;
  • taking action to block the specific type of fraudulent transaction for its credit cards, but failing to do the same for its debit cards; and
  • not responding to the attack with sufficient “rigour, skill and urgency”: contrary to its procedures, Tesco Bank did not properly engage its fraud strategy team; it used an incorrect code in the rule intended to block the unauthorised transactions; and it did not monitor the rule’s operation, so it did not notice that the block was not working.

The Final Notice concludes by acknowledging that Tesco Bank’s cyber-crime framework was appropriate but that it was, in fact, individuals within the bank who had failed to exercise the required due skill, care and diligence.

Tesco Bank has since changed its issuing practice and no longer issues cards with sequential card numbers. It has also changed its authorisation system, which now checks that the expiry date submitted matches the one on record for the card.

Continue Reading Tesco Bank fined £16.4 million for cyber-security failings
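The two authorisation weaknesses in the list above, sequential card numbers and an expiry check that only tested for a date in the future, can be modelled in a few dozen lines. The following is an example added here for illustration; it is not Tesco Bank’s or the FCA’s code, and the issuer prefix 634000, the account numbers, the expiry dates and the “today” date of 5 November 2016 are all constructed. It simulates an attacker who knows one valid card number, enumerates the next 50 numbers the issuer would have handed out, and submits one plausible future expiry date with each guess, against both the weak and the corrected expiry check.

```python
"""Model of two authorisation weaknesses from the FCA Final Notice: sequential
card numbers, and an expiry check that only tested for a date in the future.
Editor's illustration, not Tesco Bank's or the FCA's code; the BIN, account
numbers, expiry dates and TODAY are all constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import random

BIN = "634000"             # constructed issuer prefix, not a real BIN
TODAY = date(2016, 11, 5)  # constructed; the attack took place in November 2016


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a PAN that is missing its final digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_pan(account: int) -> str:
    """16-digit PAN = 6-digit BIN + 9-digit account identifier + check digit."""
    partial = BIN + f"{account:09d}"
    return partial + luhn_check_digit(partial)


def issue_sequential(start: int, n: int) -> list[str]:
    """Weak practice the notice criticises: consecutive account identifiers."""
    return [make_pan(a) for a in range(start, start + n)]


def issue_random(n: int, rng: random.Random) -> list[str]:
    """Hardened practice: unpredictable, de-duplicated account identifiers."""
    accounts: set[int] = set()
    while len(accounts) < n:
        accounts.add(rng.randrange(10**9))
    return [make_pan(a) for a in sorted(accounts)]


@dataclass
class Card:
    pan: str
    expiry: tuple[int, int]  # (year, month) printed on the card


class Authoriser:
    """strict_expiry=False reproduces the weak 'expiry is in the future' test;
    strict_expiry=True is the corrected 'expiry matches our record' test."""

    def __init__(self, cards: list[Card], strict_expiry: bool):
        self.cards = {c.pan: c for c in cards}
        self.strict_expiry = strict_expiry

    def authorise(self, pan: str, expiry: tuple[int, int]) -> bool:
        card = self.cards.get(pan)
        if card is None:
            return False
        if self.strict_expiry:
            return expiry == card.expiry
        return expiry >= (TODAY.year, TODAY.month)


def neighbours(known_pan: str, width: int) -> list[str]:
    """Attacker's step: from one valid PAN, derive the next `width` PANs a
    sequential issuer would have handed out."""
    account = int(known_pan[len(BIN):15])
    return [make_pan(a) for a in range(account + 1, account + 1 + width)]


def build_cards(pans: list[str]) -> list[Card]:
    """Constructed expiry dates spread over 2017-2019 so that cards differ."""
    return [Card(pan, (2017 + i % 3, 1 + i % 12)) for i, pan in enumerate(pans)]


def count_hits(cards: list[Card], strict_expiry: bool,
               guess: tuple[int, int], width: int = 50) -> int:
    """Guessed cards the authoriser accepts when the attacker starts from the
    first card and submits one plausible future expiry with every guess."""
    auth = Authoriser(cards, strict_expiry)
    return sum(auth.authorise(p, guess) for p in neighbours(cards[0].pan, width))


def demo() -> dict[str, int]:
    seq = build_cards(issue_sequential(100_000_000, 100))
    rnd = build_cards(issue_random(100, random.Random(1)))
    guess = (2018, 5)      # any month after TODAY the attacker cares to try
    return {
        "sequential PANs, future-only expiry check": count_hits(seq, False, guess),
        "sequential PANs, exact expiry check": count_hits(seq, True, guess),
        "random PANs, future-only expiry check": count_hits(rnd, False, guess),
    }


if __name__ == "__main__":
    for scenario, hits in demo().items():
        print(f"{scenario}: {hits}/50 guessed cards authorised")
```

With sequential numbering and the future-only expiry check every one of the 50 guessed cards is authorised, because each number is a live card and any future date passes. Switching to an exact expiry match leaves only the handful of cards whose recorded expiry happens to equal the guess, and random numbering removes the attack entirely because none of the guessed numbers exist. The two fixes are independent, which is why the Final Notice records both: unpredictable numbering stops enumeration, and exact expiry matching stops a leaked or guessed number from being used without the rest of the card data.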

Last month (September 2018), the House of Commons Treasury Committee issued a report on its inquiry into the regulation of crypto-assets. The inquiry examined, amongst other subjects, the role of digital currencies in the UK; the impact of distributed ledger (blockchain) technology; and how these should be regulated. The report recommends improved consumer and anti-money laundering (AML) protections for those dealing in crypto-assets, to be achieved in part by bringing crypto-assets and associated activities within the scope of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO).

‘Crypto-assets’, not ‘cryptocurrencies’

As a matter of terminology, the report uses ‘crypto-assets’ rather than the more common ‘cryptocurrencies’, on the basis that these assets do not perform the functions of a conventional currency, such as acting as a medium of exchange or a store of value.

Crypto-asset concerns

The report also identifies a number of inherent problems with crypto-assets. It points to the risk to investments posed by crypto-asset markets, which are far more volatile than conventional fiat currencies. Related to this is the vulnerability of crypto-assets to market manipulation, given that the exchanges currently sit outside market abuse regulation.

Exchanges and wallets are also exposed to hacking, and a successful attack can mean outright theft of the crypto-assets held. The Committee notes that this risk is exacerbated by the absence of any deposit insurance scheme (such as the UK Financial Services Compensation Scheme) to compensate investors after a hack. Investors have also caused their own losses, particularly where they have lost their passwords or credentials and have therefore been locked out of their exchange accounts.

The Committee believes that investors and consumers are further let down by irresponsible promoters, whose advertisements are often misleading (in some cases initial coin offerings have used celebrities to advertise the offering). The Financial Conduct Authority (FCA) is powerless to mitigate this, as crypto-assets conveniently (!) fall outside its remit.

Crypto-asset platforms are widely considered to provide opportunities for money laundering and other criminal enterprises, because exchanges allow anonymous access and are not within the scope of the UK’s AML regulations.

Each of the above concerns is underpinned by the absence of a secure regulatory environment that affords investors and consumers sufficient safeguards.

Continue Reading The dawn of crypto-asset regulation

The initial coin offerings (ICOs) regulatory map has begun to take shape with the U.S. Securities and Exchange Commission (SEC), the Canadian Securities Administrators (CSA), the UK’s Financial Conduct Authority (FCA), Singapore, Hong Kong, China and Australia offering their opinions on ICOs. The FCA recently stated that ICOs are “very high-risk, speculative investments.” The Dubai

The Financial Conduct Authority recently released guidance regarding cyber resilience (in the form of new webpages) which FCA regulated firms should take account of. While many larger regulated firms have substantial cyber resilience systems in place, the FCA is well aware that all firms are still vulnerable to attack, and that cyber attacks can

In a speech at the FT Cyber Security Summit, the FCA outlined its approach to cybersecurity in financial services firms. Separately, the Group of 7 (“G7”) has issued an eight-point framework for the financial sector, intended to push financial firms to design a cybersecurity strategy.

We explore each piece of guidance below.
Continue Reading FCA and G7 issue cybersecurity guidelines for the financial sector