On 18 February 2019, the UK’s Information Commissioner’s Office and FCA published an updated memorandum of understanding setting out the terms of the relationship between them, including the exchange of information in relation to potential failures of systems and controls in relation to data security and related investigations.

The MOU comes in the context of the FCA’s increased focus on and enforcement of data protection and cyber security issues and follows the ICO and FCA’s joint update on GDPR published in February 2018, the FCA’s July 2018 joint discussion paper with the PRA and Bank of England in relation to operational resilience, and the FCA’s £16.4m fine imposed on Tesco for failures in relation to a 2016 cyberattack.

The MOU provides for regular communication between the ICO and FCA to discuss matters of interest in relation to FCA-authorised firms, certified individuals and approved persons of interest, and to consult on any issues with significant implications for both organisations. Information that may be shared includes information:

  1. regarding investigations and relevant action taken against a person or a firm;
  2. relating to fraud, criminal or other activity that might cast doubt on the fitness or propriety of a party of interest; and
  3. which indicates that there may be a failure of a firm’s regulated activities.

For a full copy of the MOU, please visit https://ico.org.uk/media/about-the-ico/documents/2614342/financial-conduct-authority-ico-mou.pdf.