Introduction
In the financial sector, data protection is not just a regulatory requirement but a foundational pillar of trust and operational integrity. Financial institutions handle vast amounts of personal and financial data every day, fostering opportunities for innovation while also exposing themselves to data-related vulnerabilities. If exploited, these vulnerabilities can result in severe consequences such as identity theft, fraud, or financial instability.
These risks emphasize the need for financial institutions to have robust data governance frameworks. These frameworks must align with key regulations such as the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations 2003 (PECR) and regulatory guidance issued by the Information Commissioner’s Office (ICO). Additionally, compliance with sector-specific laws, including the Financial Services and Markets Act 2023 (FSMA), Payment Services Regulations 2017 (PSR), and sector-specific guidelines from the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and Bank of England, is essential for financial institutions to effectively navigate the regulatory landscape.
For the purpose of this blog, the term "financial institutions" refers to a broad range of entities engaged in financial services within the UK, including banks, building societies, credit unions, insurance companies, investment firms, payment service providers, and other relevant entities specific to each law or regulation. These financial institutions are subject to oversight by regulatory authorities such as the FCA and the PRA. Together, these financial institutions form the backbone of the UK's financial system. This blog focuses on financial institutions’ obligations regarding data privacy, security, and governance.
Significance of Customer Data
Handling customer data responsibly is central to maintaining trust and adhering to regulatory expectations in the financial sector. FCA defines customer data as any identifiable personal information held in any format. Customer data includes:
- Data obtained during customer onboarding checks.
- Details required for suitability and appropriateness checks.
- Information collected to comply with Money Laundering Regulations (MLRs).
- Additional personal information, including national insurance records, addresses, dates of birth, family circumstances, bank details and medical records.
Therefore, to fulfill the primary purpose of safeguarding customer data, financial sector regulators, such as the FCA and PRA, impose obligations relating to data privacy, data security and data governance on financial institutions.
Data Privacy Obligations
Compliance with data privacy obligations requires embedding privacy principles into operational practices, which promotes accountability and mitigates risks to individuals.
1. Data Collection
Under the UK GDPR and ICO guidelines, financial institutions must ensure they have a valid legal basis for data collection. This can include:
- Consent: When relying on consent, financial institutions must obtain freely given, specific, informed, and unambiguous indications of consent from customers before processing their data. Consent requests should be prominent, concise, easy to understand, and separate from other information, such as general terms and conditions.
- Legal Obligation: Institutions may process data to comply with legal requirements, such as obligations under MLRs.
- Legitimate Interest: Data processing may also be carried out if it serves the legitimate interests of the financial institution or a third party, provided it does not override the rights and freedoms of the customer.
- Performance of a Contract: Processing is necessary for the performance of a contract to which the customer is a party or to take steps at the customer's request before entering into a contract. For example, processing personal data to provide banking services or assess a loan application.
- Public Task: Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the financial institution. They may rely on this basis when processing is required to comply with regulatory obligations or to support functions of public interest, such as preventing financial crimes.
Securiti’s Consent Module automates consent tracking, simplifying the management of first-party and third-party consent and enabling organizations to obtain, record, track, and manage individuals' explicit consent.
The FCA favors a risk-based approach to data collection under the Money Laundering Regulations 2017, as amended. This approach emphasizes the importance of proportionate data collection and verification practices, especially during the customer due diligence process. Specifically, the FCA requires financial institutions to gather and verify customer information in a way that matches the level of risk associated with the individual or entity. Key components of this approach, as specified in Section 28 of the Regulation, include:
- Identifying and verifying customer identities through reliable documentation, including digital methods, to ensure data integrity.
- Assessing the purpose and intended nature of the business relationship or transaction, ensuring that the information collected aligns with the declared objectives.
- Conducting ongoing monitoring to maintain current and accurate information, especially for high-risk accounts, such as those held by politically exposed persons.
Additionally, the FCA encourages leveraging digital tools for identity verification, as outlined in the UK Government’s Good Practice Guide. This guide provides a framework for financial institutions to collect identity-related data through five key steps:
- Strength: Gathering evidence of the claimed identity.
- Validity: Ensuring the authenticity of identity evidence.
- Activity: Confirming that the claimed identity has remained consistent over time.
- Identity Fraud: Assessing the risk of fraudulent identities.
- Verification: Ensuring the identity belongs to the individual presenting it.
The Transforming Data Collection Initiative, led by the Bank of England and the FCA, seeks to modernize data collection in the UK financial sector, enhancing accuracy, reducing redundancy, and improving quality. Financial institutions are encouraged to adopt standardized collection methods to meet these goals effectively.
Securiti’s Data Mapping solution automates the discovery, classification, and cataloguing of client data across systems, ensuring data is accurate and accessible. This supports compliance by enabling real-time updates to KYC records and maintaining secure access.
2. Data Processing Principles
Financial institutions must process personal data in compliance with the following principles outlined in Article 5 of the UK GDPR:
- Lawfulness, Fairness, and Transparency: Financial institutions must ensure that data processing is lawful and transparent. For instance, when collecting data for fraud detection, customers should be made aware of the purpose and legal basis for processing. This can be achieved through clear and comprehensive privacy notices that explain how the data will be used and outline customers' rights regarding their personal information.
- Purpose Limitation: Data should only be collected for specified, explicit, and legitimate purposes. Repurposing data without obtaining a new lawful basis is prohibited.
- Data Minimization: Only data strictly necessary for the specified processing purpose should be collected.
- Accuracy: Financial institutions must implement regular validation procedures to ensure customer data remains accurate and up-to-date.
- Storage limitation: Data should not be kept longer than necessary. Financial institutions must have clear retention schedules and securely delete data once it is no longer needed.
- Integrity and confidentiality: Data must be protected against unauthorized or unlawful processing using technical and organizational measures, including encryption, secure storage, and access controls. Ensuring confidentiality is particularly critical during data sharing with third parties.
Securiti’s Data Privacy solution automates compliance with evolving global privacy regulations and principles.
3. Data Subject Rights (DSRs)
Under Chapter III of the UK GDPR and the DPA 2018, financial institutions are obligated to uphold the rights of individuals regarding their personal data. These rights include:
- Right to access: Customers must be able to request and obtain a copy of their personal data in an accessible format. For financial institutions, this often involves providing detailed transaction histories or account information.
- Right to rectification: Financial institutions must promptly correct errors in customer data, such as incorrect account details, to prevent adverse financial outcomes.
- Right to Erasure: Customers have the right to request data deletion, especially in cases where retention is no longer necessary or lawful. Financial institutions must ensure compliance while balancing obligations for legal or regulatory record-keeping.
- Right to Object: Customers can challenge processing activities, particularly automated decision-making, such as credit scoring or loan eligibility assessments, ensuring transparency and fairness.
- Right to Data Portability: Customers can request their data in a structured, commonly used format that enables them to transfer their financial data to another service provider.
As per ICO guidance, financial institutions must respond to DSRs within one calendar month of receiving them. If additional information, such as ID verification, is required, the time limit starts once this is provided. For complex or multiple requests, the response period may extend to three months. Financial institutions must have robust mechanisms in place to handle DSRs efficiently, ensuring timely compliance with regulatory requirements.
Securiti’s Data Subject Rights Management solution automates handling requests like access, deletion, and correction. It streamlines request tracking, identity verification, and secure data transfer, ensuring timely compliance and reducing administrative workload.
4. Data Protection Impact Assessments (DPIAs)
DPIAs are mandatory under Article 35(1) of the UK GDPR for processing activities that are likely to result in a high risk to individuals' rights and freedoms. This requirement emphasizes assessing both the likelihood and severity of potential harm, with "high risk" indicating either a higher probability of harm, greater severity, or a combination of both.
In the financial sector, such risks frequently arise due to activities like credit scoring, fraud detection, and customer profiling. Scenarios outlined by the ICO and WP29 guidelines (WP248) include evaluation or scoring, systematic monitoring, large-scale profiling, combining datasets, processing data about vulnerable individuals, and the use of innovative technologies. These scenarios are closely linked to the data-driven operations of financial institutions.
By conducting DPIAs, financial institutions can identify and mitigate risks, and ensure regulatory compliance.
Securiti’s Assessment automation solution helps organizations evaluate their internal protocols, ensuring the necessary technical and organizational measures are in place to prevent human errors.
5. Incident Response and Breach Notification
Under Article 33 of the UK GDPR, financial institutions must notify the ICO within 72 hours of becoming aware of a data breach that poses a risk to individuals’ rights and freedoms. Article 34 further mandates that, when a breach is likely to result in a high risk to those rights and freedoms, the affected data subjects must be informed without undue delay. A breach involving sensitive financial information, such as account credentials or transaction details, may require immediate customer notification. Comprehensive breach response plans should include risk assessments and communication strategies to minimize harm and regulatory penalties.
The FCA also mandates that regulated financial services firms notify it immediately of any cyber incidents. This obligation enables the FCA to monitor firms' compliance with the rules and to react quickly to emerging issues.
Securiti’s Breach Management solution automates breach notifications and compliance actions, providing incident response workflows that help organizations respond to privacy incidents promptly and effectively.
6. Vendors and Third Parties
Under Article 28 of the UK GDPR, vendors and third-party processors are required to protect personal data and support financial institutions in their compliance efforts. Contracts must clearly outline responsibilities, data handling protocols, and mechanisms for audits and security verification. Financial institutions, as controllers, remain responsible for ensuring that vendors and sub-processors adhere to these standards, requiring them to provide sufficient guarantees of technical and organizational measures as per the ICO Guidance on contracts and data sharing.
Article 32 of the UK GDPR mandates that vendors implement strong security protocols to safeguard personal data. Contracts should specify requirements for encryption, secure backup and recovery plans, ongoing monitoring, and periodic security testing. Controllers are responsible for validating vendor compliance through audits or certifications to maintain data protection standards across the relationship.
Additionally, Policy Statement PS16/24 and Supervisory Statement SS6/24, issued by the Bank of England, PRA, and FCA, provide specific compliance requirements for the financial sector. These documents emphasize operational resilience, thorough due diligence in outsourcing, and effective risk management frameworks to address dependencies on critical third parties.
Securiti’s Vendor Risk Management solution automates vendor risk assessments, enabling organizations to assess third-party privacy risks, track subcontractor engagements, and provide automated alerts, supplier assessments, and security audits for ongoing third-party risk monitoring.
7. Data Protection Officer (DPO)
Financial institutions engage in large-scale processing and systematic monitoring of personal data, such as analyzing customer transactions to detect unusual activities or reviewing patterns to identify potential risks. This level of processing significantly increases the risk to individuals' rights and freedoms, making it crucial to appoint a DPO to ensure compliance with data protection obligations.
Under Article 37 of the UK GDPR, the appointment of a DPO is mandatory for institutions that carry out large-scale, systematic monitoring of individuals. The DPO is tasked with overseeing compliance with data protection laws and managing risks related to personal data processing. To perform these duties effectively, the DPO must be independent, an expert in data protection, adequately resourced, and report directly to the highest level of management.
Securiti’s Data Mapping module can equip DPOs with tools to catalog and map all data processing activities and to uphold stringent data security and governance protocols.
8. Record of Processing Activities (RoPA)
Under Article 30 of the UK GDPR, financial institutions must maintain a RoPA as part of their accountability obligations. While this requirement typically applies to organizations with 250 or more employees, smaller institutions are also required to maintain a RoPA if they engage in frequent data processing or in processing of data that poses high risks to individuals' rights and freedoms, such as sensitive financial data. This ensures that financial institutions can effectively manage and demonstrate their compliance with data protection laws, particularly given the volume and sensitivity of the data they process.
In addition to the UK GDPR, the FCA’s Senior Management Arrangements, Systems, and Controls (SYSC) handbook outlines specific recordkeeping requirements for financial institutions. Chapter 9 mandates that firms maintain orderly records of their business activities, services, and transactions. These records must be sufficient to allow the FCA and other relevant authorities to assess compliance with regulatory requirements, particularly those related to customer obligations.
Moreover, SYSC 10A.1.6 requires firms to retain records of electronic communications, including SMS, emails, social media posts, and chats. This provision is vital for addressing compliance challenges related to mobile and digital communications in the financial sector, ensuring that firms can effectively track and maintain records of all relevant interactions related to regulatory and business operations.
Securiti’s Assessment Automation module allows users to automate records of processing activities (RoPA) in alignment with global privacy regulations.
9. Cross-Border Transfer
Financial institutions must comply with the data transfer obligations outlined in the UK GDPR to ensure robust protection of personal data during cross-border transfers. Transfers must have a lawful basis, such as compliance with legal obligations or contractual necessity. For transfers to countries outside the UK, financial institutions must rely on adequacy decisions for approved destinations under Article 45 of the UK GDPR, or implement appropriate safeguards under Article 46, such as the International Data Transfer Agreement, the Addendum to the EU SCCs, Binding Corporate Rules, approved codes of conduct and certification mechanisms. In exceptional cases, derogations under Article 49 may allow transfers, provided explicit consent is obtained or other specific conditions are met.
Securiti’s Data Access Governance (DAG) tool allows organizations to oversee and manage access to personal data across different jurisdictions.
Data Security Obligations
FCA regulates the conduct of financial markets in the UK. FCA’s operational objectives are to protect consumers from bad conduct, safeguard the UK’s financial system’s integrity, and promote effective competition in the consumers’ interests.
1. Data Security Expectations
FCA puts great emphasis on the security of the customer data held by the financial institutions operating in the financial market. FCA defines customer data as any identifiable personal information held in any format. Customer data includes:
- Data obtained during customer onboarding checks.
- Details required for suitability and appropriateness checks.
- Information collected to comply with Money Laundering Regulations (MLRs).
- Additional personal information, including national insurance records, addresses, dates of birth, family circumstances, bank details and medical records.
As per FCA’s Guidance on Data Security, financial institutions shall ensure the security of customer data by taking the following steps:
- Establishing good data security policies and having appropriate systems and controls in place.
- Ensuring that the employees working in financial institutions understand the established data security policies and procedures.
- Keeping the records of such policies and procedures updated during staff transitions.
2. Data Security Risks
Since financial institutions deal with customer data daily, they should be aware of the financial crime risks associated with holding customer data. Drawing from FCA’s Guidance, financial institutions should steer clear of the following misconceptions related to data loss and identity fraud risks:
- ‘The customer data that we hold is too limited or scattered to prove valuable to fraudsters.’ It is a fallacy because skilled fraudsters can combine small pieces of data with public information and use tricks to gather more details. Eventually, they gather enough to pretend to be the victim.
- ‘Only individuals with high net worth are targeted by identity fraudsters.’ This is not true as anyone, regardless of age, job, or income, can become a victim if their personal data is exposed.
- ‘Only big companies with millions of customers are likely to be targeted.’ It is untrue. Even small companies’ customer data can be valuable and sold multiple times.
- ‘Data security threats are only external.’ This is not always the case as employees inside the company often have easier access to customer data and may steal it for personal use or sell it to criminals.
- ‘No customer has reported identity theft, so our company must be safe.’ This assumption is flawed. Companies that detect data loss often have strong risk-management systems. Those with weak controls may not even realize data is missing. Moreover, victims rarely know where their data was stolen since it is stored in many places.
Given the gravity of the aforementioned risks to data security posed by identity thieves and fraudsters, financial institutions need to develop policies and procedures to restrict unauthorized access to customer data by incorporating information technology and physical security measures and controls.
3. Key Data Security Measures
Based on the FCA’s Guidance on Data Security, Article 32 and Recital 83 of the UK GDPR, the following are some information technology security measures that financial institutions are required to adhere to internally when dealing with customer data:
- Implement risk-based, proactive monitoring of staff to ensure they access or modify data only for genuine business reasons.
- Ensure all staff adhere to strong password standards and refrain from sharing or writing down usernames and passwords.
- Be vigilant about the risks of loss or theft for employees working from home or using laptops, USB sticks, and CDs for customer data storage.
- Prohibit the storage of unencrypted customer data on portable devices.
- Regularly review data backup procedures to address threats to data during transit, upload, or storage.
- Encrypt customer data held off-site by third-party providers and conduct regular due diligence on them.
Additionally, FCA urges the financial institutions to undertake the following physical security measures to ensure that customer data is not compromised:
- Assess the physical security of their business premises.
- Maintain a visitor sign-in book and ensure onsite supervision.
- Conduct enhanced recruitment checks, including credit checks and criminal record checks on people with access to data.
- Acknowledge that outsourcing to third parties does not absolve the financial institutions of their responsibility to protect customer data.
- Perform due diligence on third-party suppliers before engaging them.
- Confirm the vetting procedures of third-party suppliers and compliance with the financial institution’s security arrangements.
Securiti’s Assessment Automation solution helps organizations evaluate their internal protocols, ensuring the necessary technical and organizational measures are in place to prevent human errors.
4. Third-Party Risk Management
Financial institutions may engage with third parties for the performance of a service on their behalf. In such circumstances, they are required to deal with operational risks associated with third-party providers and outsourcers. Therefore, financial institutions must have appropriate controls and risk management systems designed to manage such third-party or outsourcing-related risks.
a. What is Outsourcing?
FCA defines outsourcing as an arrangement between a financial institution and a service provider where the provider performs a process, service, or activity that the financial institution would otherwise handle internally, such as outsourcing the hosting of a data centre or business process. However, certain services that would otherwise not be undertaken by a financial institution, like cleaning, buying a standard "off-the-shelf" software, and providing vending machines, do not count as outsourcing. Arrangements that fall outside the scope of outsourcing are not subject to FCA’s requirements for outsourcing.
b. FCA Third-Party Risk Management Expectations
Financial institutions shall take the following steps to manage third-party risks:
- Assess whether a third-party relationship falls within the definition of outsourcing or not, so that financial institutions can identify correct applicable rules and guidance.
- Ensure that the financial institutions effectively follow the relevant rules and guidance.
- Effectively apply the rules and guidance throughout the outsourcing setup.
Regardless of the functions being outsourced, it remains the responsibility of the financial institutions to manage the risks arising from the outsourcing arrangements and to monitor the harm that may arise from the operational disruption of the outsourced services. The following are different types of outsourcing arrangements:
i. Material, Critical or Important Outsourcing
A financial institution that outsources its material, critical or important functions is required to notify the FCA, enabling the FCA to monitor its compliance with regulatory obligations. Principle 11 of the FCA Handbook requires financial institutions to notify their regulators of anything relating to the financial institution that has a serious regulatory impact and that the regulator would expect notice of.
The FCA lists the following as matters having a serious regulatory impact:
- the financial institution fails to meet one or more threshold conditions; or
- any matter that could significantly damage the financial institution's reputation; or
- any matter affecting the financial institution's ability to provide adequate customer services, potentially causing serious harm to customers; or
- any matter involving the financial institution that could lead to severe financial consequences for the UK financial system or other financial institutions.
Lastly, a financial institution that outsources its material, critical or important functions must notify the FCA whenever it enters into a material outsourcing arrangement.
ii. Intra-Group Outsourcing
Intra-group outsourcing means that a financial institution enters into an outsourcing arrangement with a company belonging to the same group, including cross-border arrangements with its parent or sibling companies outside the UK. These arrangements must meet the same standards as outsourcing to external third parties under outsourcing laws and FCA rules. Financial institutions should not view intra-group outsourcing as less risky or exempt from requirements but can consider their influence over group members to identify and manage risks effectively.
iii. Critical Third Parties (CTPs) Outsourcing
An increasing number of financial institutions are becoming reliant on third parties which are known as critical third parties. These third parties are critical to the functioning of financial institutions as failure or disruption of the services provided by these CTPs can adversely affect many customers and financial institutions and can also even impact the stability of the UK’s financial system.
Under FSMA, the UK government has granted new powers to the regulators to oversee the operational resilience of CTP services provided to financial institutions. FCA, PRA, and the Bank of England have also recently released a policy statement PS 16/24: Operational resilience: Critical third parties to the UK financial sector that lays out requirements and expectations that CTPs are obligated to abide by.
c. Outsourcing and Data Security Obligations
Financial institutions deal with a vast amount of data primarily belonging to their customers, and storing, processing, or transmitting this data for the provision of their services is a crucial part of their operations. When such institutions outsource their services to third parties, these third parties also store, process, or transmit data. However, the FCA places the primary obligation on the financial institutions to manage the data being stored, processed, or transmitted by third-party service providers on their behalf.
Securiti’s Vendor Risk Management solution automates vendor risk assessments, enabling organizations to assess third-party privacy risks, track subcontractor engagements, and provide automated alerts, supplier assessments, and security audits for ongoing third-party risk monitoring.
5. Operational Resilience
Operational resilience refers to the capacity of financial institutions to prevent, adapt, respond to, recover, and learn from operational disruptions. As per FCA’s Guidance on Outsourcing and Operational Resilience, it is only possible for financial institutions to be operationally resilient when they have a comprehensive understanding of the processes, technologies, and facilities, including their dependencies on third parties, necessary for them to provide their services as a business.
As per FCA, key elements of operational resilience are as follows:
- Identify key services whose disruption could lead to unacceptable harm to consumers and financial institutions.
- Define the maximum acceptable duration and severity of disruptions to these critical services, ensuring no harm is caused to consumers and financial institutions.
- Assess their operational resilience through regular testing to identify weaknesses, with plans in place to address these vulnerabilities.
- Conduct exercises to evaluate how well they respond and recover from disruptions, using insights to prioritize and invest in improvements.
- Establish clear internal and external communication strategies to manage disruptions to critical services effectively.
6. Cyber Resilience
Cyber resilience refers to the ability of financial institutions to prepare for, withstand, respond to, and recover from cyber threats while ensuring the continuity of critical financial services. To support the financial sector in achieving robust cyber resilience, regulators have introduced several cyber assessment tools, including the following:
a. Critical National Infrastructure Banking Supervision and Evaluation Testing
The FCA, PRA, and the Bank of England have developed the Critical National Infrastructure Banking Supervision and Evaluation Testing (CBEST) program to assess and enhance the cyber resilience of financial institutions and financial market infrastructures (FMIs). CBEST employs simulated cyber-attacks to evaluate financial institutions' defenses, threat intelligence capabilities, and their ability to detect and respond to both external and internal threats.
The 2024 CBEST thematic Implementation Guide provides valuable insights and good practices for cyber resilience. It emphasizes the importance of robust cyber hygiene and the necessity for financial institutions to conduct a variety of cyber testing scenarios to remain resilient against evolving threats.
CBEST assessments can be initiated under the following circumstances:
- Voluntary Participation: A financial institution or FMI opts to undergo a CBEST assessment as part of its resilience program.
- Regulatory Request: Regulators, such as the PRA and FCA, may request a CBEST assessment in line with thematic focus and supervisory strategy.
- Post-Incident Evaluation: Following a significant cyber incident or related event, a regulator may mandate a CBEST assessment to evaluate and enhance the institution's cyber resilience.
The FCA emphasizes that financial institutions and FMI should review the CBEST thematic findings and integrate the recommendations into their cyber strategies. By doing so, institutions can enhance their cyber defenses, ensure alignment with regulatory expectations, and contribute to the overall stability of the financial system.
b. Cyber Resilience Questionnaire
Developed by the Bank of England, PRA, and FCA, the Cyber Resilience Questionnaire (CQUEST) is a comprehensive self-assessment tool comprising 50 questions across six domains: Governance and Leadership, Identify, Protect, Detect, Respond, and Recover. It enables financial institutions to evaluate their cyber risk and resilience maturity, identify potential vulnerabilities, and enhance their ability to respond to and recover from cyber incidents. While primarily a supervisory tool, CQUEST can also be utilized by financial institutions for internal assessments to strengthen their cyber defenses.
c. Simulated Targeted Attack and Response – Financial Services
Launched as part of the PRA and FCA's supervisory toolkit, Simulated Targeted Attack and Response – Financial Services (STAR-FS) focuses on intelligence-led penetration tests that mimic real-world cyber-attacks. This assessment allows financial institutions to evaluate their protection, detection, and response capabilities against sophisticated threats. By identifying vulnerabilities within systems, people, and processes, STAR-FS helps financial institutions implement appropriate remedial actions to enhance their cyber resilience. The framework promotes a consistent, high-quality standard for testing and is accessible to a broad range of financial institutions, enabling them to experience and learn from simulated attack scenarios.
Legislation governing payments is also closely associated with the financial sector. In addition to the general obligations of financial institutions, the PSR sets out specific data security obligations for payment service providers (PSPs). PSPs are the entities that facilitate the transfer of funds, enable cash withdrawals, and process payments through various means. PSPs should ensure that:
- The security credentials of the person who holds a payment account are not accessible to other parties and are transmitted only through safe and efficient channels.
- Any information about a payer is not provided to any person except a payee and is provided to the payee only with the payer’s explicit consent.
- They do not access, process or retain any personal data for the provision of payment services unless they have the explicit consent of the payment service user to do so.
Moreover, stakeholders in the financial industry that handle payment data can also choose to abide by industry standards relating to payment security. One example of such a standard is the Payment Card Industry Data Security Standard (PCI DSS). The purpose of this standard is to ensure the security of payments worldwide by protecting the people, processes, and technologies across the payment ecosystem. PCI DSS is a set of security requirements and guidelines established to ensure the secure processing of sensitive debit and credit card data. This standard is administered by the PCI Security Standards Council (PCI SSC). PCI DSS is not legally binding and is enforced through the contractual agreement between an organization and its bank or card issuer.
Securiti’s Sensitive Data Intelligence module uses AI to identify and remove unnecessary data, reducing storage costs and ensuring compliance with retention policies​. It enables organizations to leverage granular insights and discover the security posture of data assets across on-premise, IaaS, SaaS, and data clouds.
Data Governance Obligations
Data governance refers to the policies, procedures and controls to ensure secure and effective management of an organization’s data. It is vital for financial institutions to have data governance frameworks in place to ensure data protection and maximize the value of their data assets. Data governance inside a financial institution requires a collaborative effort across different departments, including IT, human resources, internal audit, and compliance.
As per FCA SYSC 4.1.1, the following governance arrangements are crucial for financial institutions to have effective data governance:
- Robust governance arrangements, which include a clear organizational structure with well-defined, transparent, and consistent lines of responsibility.
- Effective processes to identify, manage, monitor, and report the risks it faces or might be exposed to.
- Internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.
To ensure effective data governance, financial institutions need to be transparent about the collection of customer data, and the processing and storage activities performed on such data. Valid consent should be obtained under Article 7 of the UK GDPR, as explained above. Additionally, financial institutions are also obliged to comply with data processing principles, uphold the rights of data subjects/customers, and abide by the incident response and breach notification requirements under Article 5, Chapter III, and Article 33 of the UK GDPR, respectively.
Securiti’s Data Governance provides a unified approach to managing data assets, ensuring compliance, security, and data quality across the organization. It automates policies, access controls, and data lifecycle management, enabling transparent, accountable, and consistent data practices aligned with regulatory standards.
Moreover, claim management companies (CMCs) that provide claim management services also operate within the financial sector. Claim management services means services such as advice, financial services, or assistance, and the making of inquiries, in relation to making a claim. A claim refers to a demand for compensation, restitution, repayment, or other relief due to loss, damage, or an obligation. Regulation 21A of PECR prohibits these CMCs from making unsolicited calls for direct marketing purposes in relation to claim management services. The only exception to this prohibition is where the person being contacted has previously notified the caller that, for the time being, they consent to such calls being made by, or at the instigation of, the CMC on that line.
Securiti’s Consent Module automates consent tracking and management, simplifying the management of first-party and third-party consent and enabling organizations to obtain, record, track, and manage individuals' explicit consent.
Conclusion
To sum up, in this dynamic era of technology, data continues to shape the financial ecosystem. Complying with the obligations surrounding data privacy, quality, security, and governance is not just a regulatory requirement but a critical pillar for maintaining trust and integrity. By ensuring compliance with the aforementioned regulatory obligations, financial institutions can mitigate risks to data, ensure operational resilience, and unlock opportunities for innovation and growth in the financial sector.
Securiti’s automation modules help financial institutions navigate their obligations under the UK’s regulatory regime by offering them a comprehensive set of solutions to ensure compliance with data regulations in the UK financial services industry.
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.