Data security and outsourcing – the FSA turns up the heat
7 August 2008
In a report published in April by its Financial Crime and Intelligence Division (FCID), the FSA warns that many financial services organisations are still falling substantially short of what it expects of them in safeguarding the security of their customer data, and that this presents a “serious, widespread and high-impact risk” to the FSA’s objective of reducing financial crime.
The report is based on a review by the FCID of the approaches adopted by a range of FSA regulated organisations to protecting client information. Its key finding is that many of these organisations are failing to identify and understand the multi-dimensional nature of the data security risk which they face. One of its most significant subsidiary findings is that this failure is particularly marked in relation to access by third party suppliers to customer data, making the report essential reading for any financial services organisation engaged in IT or business process outsourcing.
Rather than simply an ‘IT’ or ‘compliance’ risk, the FSA emphasises that data security should be assessed and managed on a firm wide, joined up basis, with policies and procedures across all areas designed and implemented to provide a proportionate response. This approach requires ongoing cooperation between all relevant business areas, including IT, information security, HR, physical security and financial crime. A failure to take appropriate steps in any one or more of these parts of the business will create significant weaknesses in an organisation’s overall data security, no matter how extensive its efforts in any other area.
By way of example, the FSA found that regulated firms commonly concentrated their efforts on IT security, but failed to place sufficient emphasis on office procedures, monitoring and due diligence. This incomplete approach was exacerbated in many cases by the failure to appoint a data security officer or manager responsible for coordinating data security efforts on a firm wide basis.
Implications for outsourcing
The FSA presents many useful examples of good (and bad) practice in relation to data security across a number of key business functions, including governance, training and awareness, recruitment and vetting, controls (including in particular IT system access and monitoring), physical security, data disposal, third party supplier management and internal audit and compliance monitoring.
These examples include a number of important messages for anyone in the financial services sector involved in outsourcing:
• Where an external supplier will have access to customer data, the inclusion of suitable data processing obligations in a contract with the supplier is only part of the picture. It is equally as important to carry out suitable due diligence to determine any potential supplier’s data security arrangements and regularly to audit those arrangements in the course of any subsequent contract.
• The outsourcing services provider should be obliged to report any data security breach to its customer within an agreed timeframe. This greatly increases the effectiveness of any contractual data security obligations on the supplier’s part.
• Appropriate pre-recruitment vetting (and re-vetting as appropriate) play a crucial role in any organisation’s data security system. Where the personnel of an outsourcing services provider will have access to an organisation’s customer data, it should ensure that it understands and has approved the vetting procedures and criteria being applied by the supplier in respect of those individuals.
• Wherever possible, a secure internet connection should be used to transfer customer data to an outsourcing services provider and not, for example, physical media (such as CDs, USB devices, laptops or even paper) or less secure electronic means such as email.
These points are listed here by way of non-exhaustive examples only, but nevertheless clearly illustrate the FSA’s holistic approach in action. To comply with these recommendations a regulated organisation would need to employ a combination of technical and operational measures, suitable pre-contract due diligence (both practical and legal), appropriate provisions in the outsourcing contract and proactive contract monitoring and enforcement.
Status of report
While it does not amount to formal guidance from the FSA, financial services firms are nevertheless expected to use the report’s findings to more effectively assess and control data security risks across the full range of their operations. The FSA makes it clear in the report that failure to do so may result in its taking enforcement action.
The FSA has said that it is likely to repeat its recent review exercise to see if financial services organisations have taken on board its findings. Data security therefore looks set to remain high on the FSA’s list of priorities for the foreseeable future, with the related ‘sub’ issue of the effect on this of third party supplier arrangements an obvious candidate for further close scrutiny.
In this climate, failure to take data security seriously could prove extremely costly. More specifically failure by financial services organisations to factor data security into all relevant aspects of any outsourcing arrangement looks unlikely to go unnoticed (or unsanctioned) by the FSA.
Andrew Rigby is partner elect at Brodies.
To read another special report on data protection from Securecoms CEO and former Tarlo Lyons head David Ford, click here.