27 Apr

FCA technology head warns adviser trade body members of the scale of the cyber threat 

The delegates at a recent Financial Crime Conference received some stark warnings from the head of technology at the Financial Conduct Authority (FCA) regarding just how severe the threat of a cyberattack could be.

Addressing the Personal Investment Management and Financial Advice Association (PIMFA), Robin Jones, Head of Technology – Resilience and Cyber Specialist Supervision – at the FCA, cited the following statistics:

  • There have been more than 600 ‘significant’ cyberattacks in the UK in the last three years
  • Over the last three months, cyberattacks have been occurring at a rate of 10 per week
  • The NotPetya attack of June 2017 took just 19 minutes to infect 10,000 systems across the world
  • A major global corporation, FedEx, said it incurred a $300 million loss simply due to the effects of NotPetya, with one of its major subsidiaries, TNT Express, having to cease doing business for a period of time

Mr Jones then called on authorised firms to take the following steps:

  • To understand what their critical assets are, and what back-up arrangements are in place for these
  • To ensure staff are trained as to their cybersecurity responsibilities
  • To understand which third parties have access to the firm’s systems
  • To put in place comprehensive plans for how the firm might deal with a cyberattack were one to occur, so that the plan can be activated should the worst happen

The PIMFA conference also heard from Paul Hoare, Senior Manager, Protect and Prevent at National Crime Agency, who revealed that:

  • One-eighth of the UK’s GDP comes from internet-based activity
  • 47% of reported crime now has some form of cyber element
  • 68% of large firms (across all business sectors) had reported some form of cyberattack or attempted cyberattack
  • 92% of cybercrimes involve an element of phishing

Mr Hoare concluded by saying that, in a worst-case scenario, firms could be forced out of business if they fell victim to a severe cyberattack.

Terry Wilson, from the Global Cyber Alliance, told delegates that it was merely a matter of time before the UK was hit by a major cyberattack, and made reference to firms in all business sectors being “woefully unprepared”.

Even the smallest financial services firms must take the subject of cybersecurity seriously. Any firm unsure as to what they need to do regarding cybersecurity is advised to seek professional advice.

However, Mr Hoare’s comments indicate that a good starting point for authorised firms is to train their staff on what the main cyber threats are, and how suspicious activity might be identified at an early stage. Given that he revealed 92% of cybercrimes are facilitated via phishing, staff need to know that they should never disclose personal details or passwords to anyone. Phishing is a type of fraud where the criminal tries to get the other party to disclose information such as: login details (usernames and passwords), account numbers and credit card numbers. An honest third party will never phone or email to ask for information of this kind. Any email attachment that looks in any way suspicious should not be opened without the approval of the firm’s IT department or external IT consultant.

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.

26 Apr

Arnie returns in PPI ad campaign, as FCA announces 40% complaints increase

The Financial Conduct Authority (FCA) has launched a new television advertisement to promote the payment protection insurance (PPI) claims deadline, and once again it features actor Arnold Schwarzenegger and his animatronic head.

Like the previous TV adverts, Arnie urges people to “make a decision” as to whether they want to claim, and to “do it now”, before highlighting that the complaints deadline is August 29 2019.

The regulator has also launched two new radio advertisements, which highlight that consumers do not need to remember whether they had PPI, as providers have the facilities to check this.

Andrew Bailey, Chief Executive of the FCA, said of the advertising campaign:

“We know that PPI was sold on a huge variety of credit products throughout the 1990s and 2000s, but many people just don’t realise they had it.

“Since we launched our campaign the largest firms have told us that the proportion of people complaining to them directly has increased. This may in part be due to the improvements we asked firms to make to their complaint handling processes, including the introduction of online checking and complaining tools. This means that more customers get to keep more of the redress that they are due.

“We want people to act before the deadline. Dig out that old paperwork, visit our website or call our helpline to find out how to check if you had PPI and how to decide whether to complain.”

Shortly after the new TV adverts were first screened, the FCA announced that the total number of PPI complaints made during the second half of 2017 was 40% higher than in the first six months of the year. The number of complaints made to authorised firms about this form of insurance rose from 1,112,043 to 1,551,897. However, given the publicity about the deadline, and the fact that the second half of the year was the first six-month period in which Plevin-related PPI complaints could be considered, the increase perhaps comes as no surprise.

The FCA reported a 13% increase in the number of complaints made about all financial products, with some 3.76 million complaints being received by firms, but when PPI is excluded, total complaints were actually down by 1%.

£2.05 billion in redress was paid for PPI complaints in the second half of 2017, compared to £1.99 billion in the first half of the year. A further £415.8 million was paid in PPI compensation in January 2018, taking the total amount of compensation paid to consumers since the start of the scandal above £30 billion.

Christopher Woolard, Executive Director of Strategy and Competition at the FCA, said of the complaints figures:

“Having set a deadline for PPI complaints, we are encouraging consumers to decide whether they want to claim, and if they do, to make their complaint as soon as possible, as many already have.

“We are continuing to monitor and challenge all firms to ensure they maintain the expected standards and are delivering on their commitments to make it easy for people to complain about PPI.

“When PPI is taken out of the mix, the numbers of complaints firms are receiving has remained stable. Firms should be doing all they can to reduce complaints and ensure they are treating customers fairly.”

25 Apr

Consultation launched regarding the FCA claims management regulation regime

The legislation that will see the Financial Conduct Authority (FCA) become the new claims management regulator is still to complete its passage through Parliament, and the change of regulator is not expected to occur for another 12 months, in spring 2019.

However, the Government has nonetheless published a consultation paper. At present, the consultation concerns only proposals for secondary legislation, and new conduct rules for claims management companies (CMCs) are not being proposed at this stage.

As well as transferring regulation of CMCs in England and Wales to the FCA, the Financial Guidance and Claims Bill will also provide for the FCA to regulate claims management activity in Scotland. CMCs in Scotland are at present not subject to any form of regulation.

Under the new proposals, there will be seven separate ‘permissions’ that CMCs may need to apply for. Depending on the activities they undertake, a CMC may need to apply for just one, or more than one, or all of these permissions:

  • Seeking out, referring and identifying claims in relation to any type of claim
  • Advising, investigating and representing in relation to personal injury
  • Advising, investigating and representing in relation to financial services and products
  • Advising, investigating and representing in relation to employment
  • Advising, investigating and representing in relation to criminal injuries
  • Advising, investigating and representing in relation to industrial injuries disablement benefit
  • Advising, investigating and representing in relation to housing disrepair

Applicant firms will need to demonstrate that they have the necessary competence to operate in their chosen business sector but will not need to satisfy FCA competency requirements for the other sectors. For example, a CMC that handles only personal injury claims may require the first two permissions in the above list, but not the others.

The FCA proposes that from the date of the handover of regulation, a temporary permissions regime will apply for a period of 15 months. All CMCs currently regulated by the Ministry of Justice (MoJ) will be eligible to register for temporary permissions, as will any CMC who will become regulated for the first time on the handover date, such as those operating in Scotland.

Any CMC that does not register for temporary permissions will have to cease trading prior to the handover date.

During their temporary permission period, each CMC will need to comply with the FCA’s rules and pay the necessary authorisation fees. Companies must then submit an application to the FCA for ‘full authorisation’. Each CMC will be given an application window during which this application must be submitted. If an application is not submitted by the appropriate deadline, then the company must cease trading.

Other proposals include retaining the existing exemption whereby trade unions do not require regulatory authorisation to carry out claims activity, provided that they comply with a Code of Practice published by the Government.

The Treasury invites responses to this consultation, which closes on June 1 2018.

The FCA’s Business Plan, published in April 2018, says that a consultation on its proposed conduct rules for CMCs will be issued later in the year. The financial watchdog also promises to open communication with claims companies.

Over the coming months, CMCs should keep a close eye on communications from the FCA and the MoJ, as the handover date approaches.

24 Apr

FCA issues Business Plan

The Financial Conduct Authority (FCA) has published its Business Plan for the 2018/19 financial year. Unsurprisingly, the regulator says it will need to devote a significant amount of resource to preparing for the UK’s impending exit from the European Union, referring to “its impact both on our regulation and the firms we regulate.”

Aside from Brexit though, the FCA has identified seven priority areas for the year ahead:

  • Firms’ culture and governance, and whether these are likely to produce outcomes that will benefit consumers and markets
  • Continued supervision of the high-cost credit sector
  • Continuing the fight against financial crime, including fraud, scams and money laundering, with the central aim of protecting consumers
  • Data security and related issues
  • Innovation and competition, and how these are delivering change in the financial sector
  • Whether firms are treating existing customers fairly, ensuring they don’t end up worse off than new customers
  • Inter-generational issues, such as those concerning long-term savings and pensions, noting that the demographics of the UK population are changing, and that different generations have differing financial needs

Andrew Bailey, FCA Chief Executive said:

“The Business Plan is an important way in which we are transparent about our priorities for the year. We recognise that this year we need to dedicate a significant amount of resource to withdrawal from the EU. As a result, setting our priorities this year has involved a particularly rigorous level of scrutiny and challenge to focus on areas where we see the greatest potential for harm.”

On inter-generational issues specifically, Mr Bailey said this was “a significant public challenge, both in terms of the need for new and affordable savings products and in the information firms give consumers to help them take decisions.”

All firms should note the emphasis on culture and governance, and here the FCA confirms that it will be publishing final rules in summer 2018 on the extension of the Senior Managers and Certification Regime to all authorised firms, and that it will also be examining firms’ remuneration arrangements. The report says that culture and governance “should be a collaborative effort driven forward by staff at all levels”, and adds:

“We expect firms to be able to demonstrate that their purpose, leadership, governance arrangements and approach to rewarding and managing staff do not lead to avoidable or unnecessary harm to their customers.”

Regarding data security, the regulator says it will be carrying out assessments of firms’ ‘operational resilience’, i.e. how prepared they are for a cyberattack, IT systems failure etc. As the FCA will be covering this issue in its focused thematic work, some smaller and lower risk firms will still have their security arrangements scrutinised.

Firms in the high-cost credit sector should again note that they have been singled out in the FCA’s list of seven priority areas as being worthy of special attention. The Business Plan says that firms active in the rent-to-own, home-collected credit, catalogue credit and overdrafts markets can expect particularly close scrutiny.

Specifically, some of the regulator’s main concerns in this area include:

  • Rent-to-own – charges for add-ons like insurance and warranties, which can be significant
  • Home-collected credit – some consumers paying significantly more interest on the amounts originally borrowed as a result of a re-financing
  • Catalogue credit – the high level of arrears among catalogue credit customers and the associated fees and charges; the complexity of these products; and the quality of the information firms provide to customers
  • Overdrafts – the long-term use of arranged overdrafts at levels which can be persistent and unsustainable; and the high charges associated with unarranged overdrafts

23 Apr

ICO chief says data protection ‘essential for democracy’

The Information Commissioner has described an effective data protection regime as being “essential for our democracy.” Giving the keynote speech at the IAPP Europe Data Protection Intensive 2018, Elizabeth Denham began by saying that “there has never been a better time to be in data protection.” To support this, she went on to mention the fact that data protection is now being discussed at the highest levels of government in both the UK and the US, in light of the Facebook/Cambridge Analytica scandal.

Ms Denham went on to speak of the increased powers her organisation will enjoy under the General Data Protection Regulation (GDPR), which now comes into force in less than one month, by commenting:

“Under the GDPR I will have the power to audit all those who hold, use and share personal data. In other words, soon I will be able to look behind the curtain and see what those who hold our data and personal information are doing with it.”

She next warned firms that the heightened publicity surrounding data protection is likely to make consumers ever more willing to complain should they disapprove of the way their personal data has been handled.

The Commissioner commented:

“We’re expecting more of everything. More breach reports because the law requires it in high-risk cases. More complaints, because people will be better informed of their rights. Greater engagement as you turn to us for advice at the outset of projects and submit your [Data Protection Impact Assessments] to us.”

However, for any firms feeling daunted by all the talk of how the data protection regime is about to get tougher, Ms Denham also made mention of the extensive guidance on GDPR that is available via the Information Commissioner’s Office (ICO) website.

Ms Denham also highlighted that it will certainly not be the case under GDPR that firms will need to report every single data breach to the ICO, and that the largest fines will only be imposed for serious breaches of the law. She said:

“I have no intention of changing our proportionate and pragmatic approach after 25 May. My aim is to prevent harm, and to place support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route.

“But we will back this up by tough action where necessary; hefty fines can and will be levied on those organisations that persistently, deliberately or negligently flout the law.

“Report to us, engage with us. Show us effective accountability measures. Doing so will be a factor when we consider any regulatory action.”

Ms Denham also gave a speech to the National Cyber Security Centre’s CYBERUK 2018 event. Whilst most of this speech concentrated on cybersecurity issues, she also took the opportunity to summarise firms’ obligations under GDPR as:

“The law requires you to be transparent and tell people what you will do with their data. You then have to stick to what you said.”

This speech also allowed her to highlight that data breaches will need to be reported to the ICO within 72 hours if the incident is “likely to result in a risk to people’s rights and freedoms.”

Specifically regarding cybersecurity, she called on firms’ boards of directors to address the issue personally, and not just leave it to their IT departments and/or external IT consultants.

19 Apr

MoJ highlights data issues and other matters in latest claims compliance bulletin

The new April 2018 compliance bulletin for claims management companies (CMCs) contains a lot of important information, and companies authorised by the Ministry of Justice (MoJ) would do well to read this document closely.

Unsurprisingly, the first issue covered in the bulletin is data protection. The introduction of the General Data Protection Regulation (GDPR) is now little more than one month away, and CMCs should ideally have already made preparations for its introduction. However, it is never too late to address the issue of improving data security within companies, and CMCs are again urged to read the ‘12 steps to take now’ document, the ‘GDPR checklist’ and the other information on the Regulation that has been published by the Information Commissioner’s Office.

The next issue is possibly being highlighted in an MoJ bulletin for the first time, and it concerns outstanding funds in client accounts where the company is unable to trace the client. The regulator says that CMCs should make all reasonable efforts to trace the individual via: email; post; telephone calls; texts; information held by third parties, such as the firm who are the subject of the complaint; telephone directories; the electoral roll; and internet and social media searches. If these efforts fail, the bulletin highlights the availability of other tracing and forwarding services, such as those offered by the Department of Work and Pensions. CMCs should record on the client file details of all attempts they have made to trace the client. If all options for tracing the client have been exhausted, the company should contact the MoJ for further advice.

Next, CMCs are reminded that all marketing must be “clear, transparent, fair and not misleading.” The bulletin highlights two specific issues, namely that marketing material must always clearly identify the name of the advertiser, and also that the regulator does not approve of marketing that suggests consumers can find out immediately whether they might have grounds for a claim. With regard to the latter issue, the bulletin says that wording such as “Try this brilliant new trick to find out if you have a PPI claim”, “Find out in 30 seconds if you have a PPI claim” and “Look up your name to see if you get a PPI payout” is likely to be considered “misleading” or “sensational” by the regulator.

CMCs handling Plevin-related payment protection insurance claims are urged to re-read previous guidance issued by the regulator on this topic.

Companies are reminded that the new Conduct of Authorised Persons Rules are now in force. Changes to the rules include: a ban on upfront fees for PPI and other financial claims, a ban on imposing any charges where the client does not have a relationship or relevant policy with the firm in question, and a requirement to ensure that all cancellation charges are reasonable – an itemised bill setting out details of what the cancellation charges relate to must also be provided.

The third reading and report stage of the Financial Guidance and Claims Bill in the House of Commons did not proceed as scheduled in March 2018, due to other urgent parliamentary business taking precedence. However, the Financial Conduct Authority (FCA) has said it still expects to take over as claims management regulator in spring 2019, and that it will consult later this year on proposed new rules for the claims sector.

Finally, CMCs are encouraged to read the third quarter enforcement bulletin issued by the MoJ. Reasons why other companies were subject to enforcement action can often provide a valuable ‘compliance checklist’ for the sector as a whole.

18 Apr

FCA highlights areas of focus in its Sector Views document

The Financial Conduct Authority (FCA) has published its Sector Views document for 2018. This reveals what the regulator’s primary areas of focus are in its seven key markets, and consequently provides something of a checklist for firms seeking to remain compliant with its requirements.

The FCA’s areas of focus in the retail banking sector include:

  • The impact of technology and regulatory change – potential harms to consumers from increasing use of digital channels and data sharing, the impact of cyber-attacks, and IT stability and security issues that may disrupt services to consumers
  • Financial crime and anti-money laundering controls
  • Whether business models encourage competition

The FCA’s areas of focus in the retail lending sector include:

  • Consumers being sold unaffordable or unsustainable products – the FCA is particularly concerned about money being lent to consumers who would be unable to continue repayments if they experienced some form of financial shock
  • Treatment of consumers with financial difficulties – this could mean for example selling them inappropriate debt solutions, or firms failing to manage an arrears situation appropriately
  • Unsuitable products – mention is made here of a tendency to focus on fixed rate mortgages without considering other options
  • Cyber-crime

The FCA’s areas of focus in the general insurance and protection sector include:

  • Operational resilience – whether firms’ IT systems are sufficiently robust, and whether they can withstand cyber-attacks
  • Data security
  • Governance and culture – including concerns over inadequate oversight of appointed representatives by principal firms, giving rise to issues over mis-selling and insufficient risk management
  • Product suitability – the tendency for consumers to concentrate on the headline price of an insurance policy, without closely examining product features
  • Access for high-risk customers – people with medical or other conditions can experience difficulties buying insurance, even if it may sometimes be doubtful whether these conditions actually increase the underwriting risk

The FCA’s areas of focus in the pensions sector include:

  • Poor value products – mention is made here of consumers’ unwillingness to shop around, and of complex charging structures
  • Unsuitable products – including customers who may enter drawdown without appreciating the risks involved, and individuals who may end up investing in non-standard areas via self-invested personal pensions
  • Unsuitable advice – especially regarding transfers out of occupational schemes where valuable benefits are being given up

The FCA’s areas of focus in the retail investments sector include:

  • Unsuitable products – the document suggests the FCA believes customers could end up with unsuitable investment products for a number of reasons, including difficulties in accessing appropriate advice
  • Poor value products – including issues over complex charging structures and lengthy switching times
  • Market confidence – mention is made here of a variety of issues, including firms having poor financial crime controls, failing to meet prudential requirements, or not having appropriate systems to safeguard client money

The FCA’s areas of focus in the investment management sector include:

  • Investment product quality and value
  • Technology and cyber-security
  • The impact of the UK’s withdrawal from the EU

The FCA’s areas of focus in the wholesale investment sector include:

  • Conflicts of interest
  • Market abuse
  • Financial crime
  • Technology and IT systems
  • Misuse of confidential information
  • The impact of the UK’s withdrawal from the EU

17 Apr

ICO chief says Cambridge Analytica is a ‘game changer’

The head of the UK’s data protection watchdog has described the recent events surrounding Facebook and Cambridge Analytica as “a game-changer.”

Addressing the Data Protection Practitioners’ Conference in April 2018, Information Commissioner Elizabeth Denham commented:

“The investigation [into this matter] is ongoing and it would not be appropriate for me to make further comment, other than to acknowledge that I welcome the focus on data rights for citizens and consumers in the centre of public discussion and debate.

“One thing is certain. The dramatic revelations of the last few weeks are a game changer in data protection.

“Suddenly everyone is paying attention. The media, the public, parliament, the whole darn planet it seems.”

Facebook has admitted that as many as 87 million users of the social media site – one million of whom are based in the UK – could have had their data improperly shared with Cambridge Analytica.

Even before the Cambridge Analytica scandal, a number of people within the industry had suggested that firms could expect more complaints about the way their data had been handled.

Financial Ombudsman Service chief ombudsman Caroline Wayman appeared before Parliament’s Treasury Select Committee in January 2018, where she said:

“There are quite a few areas of our work where you see the convenience versus security as a real inherent tension.

“It is great, mostly, that you can take out a loan very quickly through a few clicks on your phone but there is also with that greater convenience there is also the flip side of that, when things go wrong and the need to protect against things going wrong and how people use their data.

“I think that is a really interesting area. Not just big data, but in general. I think that is an area to watch.”

Rob Walton, chief operating officer at Intelliflo, a provider of financial services software, recently referred to Article 82 of the new General Data Protection Regulation (GDPR) as “the ambulance chasing article”. Mr Walton clarified his remarks by saying:

“Article 82 makes it possible for data subjects to sue firms for any breach of their rights under the GDPR, even if it does not cause a material loss. We could be about to see the next ‘no win, no fee’ industry.”

Many industry commentators have offered their own opinions as to what might be ‘the new PPI’, i.e. what area consumers and claims management companies might turn their attentions to once the PPI saga has ended. So, could complaints about the use of consumers’ data become ‘the new PPI’? There has certainly been a lot of publicity about GDPR, and about the Cambridge Analytica affair, and the issue will be uppermost in many people’s minds. Furthermore, whilst by no means every financial services firm got involved with PPI, every single firm in the financial industry, and elsewhere, needs to observe data protection laws. There is therefore the potential for every firm in the country to receive more data protection-related complaints if they do not have sufficiently robust procedures for the processing of personal data with which they are entrusted.

Ms Denham’s conference speech also tried to calm fears that GDPR will see a raft of huge fines imposed on firms, simply because they inadvertently breached the new legislation in a small way. The Commissioner said:

“Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law. Those organisations that self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be a factor when we consider any regulatory action.”

She also reminded her audience that the Information Commissioner’s Office does not always impose fines when it finds evidence of wrongdoing, and that other enforcement tools available to the regulator include “compulsory data protection audits, warnings, reprimands, and enforcement notices.”

13 Apr

Debt manager has application refused over advice and systems & controls issues

The Financial Conduct Authority (FCA) has refused an application for full authorisation from a Bolton-based debt management firm, after concerns were identified with its record keeping, advice standards, systems & controls, customer disclosure, debt management plan reviews, financial promotions and human resources provision.

The firm has actually been trading in the debt management arena since 2010, initially under the supervision of former consumer credit regulator the Office of Fair Trading (OFT), and then under the FCA’s interim permission regime. Now that the FCA has had time to consider the firm’s application for full authorisation, it has decided that the firm’s practices and procedures do not meet the regulator’s high standards.

Firms across the consumer credit sphere were repeatedly warned that the FCA’s regulatory regime would be much tougher than that of the OFT. The fact that the FCA has refused the application of a firm who had traded under the OFT regime for four years seems to illustrate this point very well.

The FCA notice refusing the firm’s application first highlights issues with its record keeping, specifically relating to records to evidence that suitable advice has been provided. The FCA says that, in the files it reviewed, the firm’s “assessment of the customer’s circumstances and the advice given during the meeting is limited to one or two sentences at most.” As such limited records were kept, it was impossible for the regulator to ascertain whether suitable advice had been given in each case.

Despite the lack of record keeping, the FCA was still able to find issues with the firm’s debt advice in a number of ways. The only debt solution offered by the firm was a Debt Management Plan (DMP), and the FCA notice comments that of the 137 DMP customers the firm had as of June 2017, 23 had just a single creditor included within the Plan, and 24 more plans included only two creditors. The FCA suggests that customers with a low number of creditors may have been better off self-managing their debts, a strategy which could have resulted in them becoming debt-free more quickly, and at a lower overall cost, as a result of not needing to pay fees to the firm.

The FCA was also concerned to find that a significant proportion of the firm’s customers would take more than 10 years to become debt-free, and that other solutions may have been more suitable, such as an individual voluntary arrangement (which typically lasts a maximum of six years) or a debt relief order (which typically lasts 12 months).

Next, the regulator turned its attention to the firm’s quality assurance process, and noted that:

  • The firm never supplied a documented QA procedure to the FCA
  • No QA reviews were conducted for a period of eight months
  • The QA document did not contain any detail to guide the user as to how to evaluate the advice given

Wide-ranging issues were identified with the firm’s website and other financial promotions, including:

  • Falsely implying that the firm was a law firm regulated by the Solicitors Regulation Authority
  • Failing to provide a link to the Money Advice Service website
  • Failing to provide a link to the Financial Ombudsman Service website, and not stating that complaints could be referred to this organisation
  • Not making it clear that the firm’s services are profit-making
  • Not stating the advantages, disadvantages and risk of each debt solution option, including that entering into the debt solution in question would have a negative impact on the customer’s credit rating

The FCA also commented that:

  • The firm failed to provide evidence to demonstrate that it was conducting client money reconciliations in accordance with the rules in the CASS section of the Handbook
  • The firm was not providing customers with annual statements that included the necessary information
  • The fee disclosure document was unclear as to what fees could be charged


11Apr

Facebook admits scale of Cambridge Analytica improper data sharing

Social media giant Facebook has now admitted that as many as 87 million people – one million of whom are based in the UK – could have had their data improperly shared with Cambridge Analytica. Facebook CEO Mark Zuckerberg has admitted that issues with the sharing of data stored on his site could have affected 37 million more people than was first believed to be the case.

The issue came to light when a young employee of Cambridge Analytica opted to ‘blow the whistle’ regarding the illegal data sharing.

Data analysis company Cambridge Analytica – which worked on the Leave campaign in the Brexit referendum, and for Donald Trump’s successful presidential campaign – was seeking to develop software that would predict the behaviour of voters in elections, and to do this it accessed the Facebook profiles of millions of users. Not only did Facebook incorrectly allow individuals’ data to be accessed in this way, but it compounded its offence by failing to admit that it knew about the improper practices as far back as 2015.

Cambridge Analytica claims to have obtained the personal data from the creator of an app called This Is Your Digital Life, which contains a personality questionnaire. It maintains that it was unaware that the data had been improperly obtained and says that the data was deleted as soon as it became aware of the issues. It should also be noted that Cambridge Analytica disputes Facebook’s 87 million figure and says that it accessed the data of no more than 30 million people.

Facebook has confirmed that any app which requests access to information in the future will be subject to strict new requirements. For example, these apps will no longer be allowed access to sensitive personal information such as religious or political views or a person’s relationship status. Nor will they receive information relating to a user’s education, work history or news consumption habits.

Additionally, it will no longer be possible to access the guest list or event wall of any event listed on Facebook.

Facebook added that the new safeguards it is introducing in Europe, in order to comply with the European Union’s General Data Protection Regulation, will also be applied to its activities across the globe.

The company has also updated its terms of service document and its data use policy.

From April 9, Facebook users may notice that a new link has appeared at the top of their news feed. This will allow them to see what apps they use and what information has been shared with those apps. This will also allow users to see if their data has been accessed by Cambridge Analytica.

Most data protection breaches are not of the same scale as this story. However, companies across all business sectors, large or small, must take the issue of data protection very seriously. Companies must explain to their customers what data they will be collecting, why this is necessary, and to whom that data might be passed. Companies cannot collect data unless they actually need to know the information contained in it, and once it is no longer required, the data must be destroyed. Privacy notices must clearly explain to customers what a company’s legal basis for processing data is, together with how long they will retain the data for.
