Man encrypting email using laptop in office wearing suit

Article

10 min

Updated 29 02 24

Financial Services Email Compliance: The Checklist

Posted by

In the financial services, email compliance is an important part of your company's daily obligation to protect sensitive information.

Email is the #1 channel involved in data incidents in the UK.

Protecting it is perhaps the most significant step you can take toward eliminating the risk of human error and cyber threat to your organisation.

Email Compliance At A Glance

With changing guidance surrounding data and communications, maintaining email data compliance can be a challenge.

We've dissected the guidance to provide clear and actionable measures that you can put in place. Here's an overview of the key regulations.

Source	Summary	Guidance
Prevent FCA - SM&CR	Put prevention methods in place to stop a breach	"If a firm breaches one of our requirements, the Senior Manager responsible for that area could be held accountable if they didn’t take reasonable steps to prevent or stop the breach."
Encrypt ICO - GDPR	Encrypt emails containing personal data	"Have a policy governing encrypted email, including guidelines that enable staff to understand when they should or should not use it. For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or as an unencrypted attachment) should be sent encrypted."
Audit FCA - COBS	Keep auditable copies of outbound emails	"Keep a copy of relevant electronic communications, made with, sent from or received on equipment: (1) provided by the firm to an employee or contractor; or (2) the use of which by an employee or contractor has been sanctioned or permitted by the firm."
Authenticate ESMA - MIFID II	Authenticate recipients to prevent unauthorised access	“Have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage maintaining the confidentiality of the data at all times.”
Revoke ICO - GDPR	Have the capability to revoke misfired emails	"[in the event of a data breach] act quickly. Try to recall the email as soon as possible. If you can’t recall it, contact the person who received it and ask them to delete it. In the future, consider turning off the Autofill tool when sending work emails. The 72 hours following a personal data breach are particularly critical."
Reply FCA - Consumer Duty	Provide customers a secure way to communicate with you	"Ensure consumers receive communications they can understand, products and services meet their needs and offer fair value, and the support they need."

⬇️ Download this table

Key Guidance And Regulation

Although email is a convenient way to transport documents and other data, unprotected, it leaves data open to many threats.

Maintaining strong outbound email security standards doesn't just help you to keep the regulators happy.

It also helps to ensure your messages, and the sensitive information within them, remain protected.

Let's take a look at the key pieces of legislation in detail and what you need to do to make sure your processes are aligned.

The General Data Protection Regulation (GDPR)

The GDPR (The General Data Protection Regulation) is a European Union data privacy regime, deployed as law in the United Kingdom under the 2018 UK Data Protection Act (The DPA).

It means that anyone responsible responsible for using personal data has to follow strict 'data protection principles'.

These principles say that personal data must be:

Used fairly and lawfully;
Used for a specific purpose;
Used only when relevant or necessary;
Kept up-to-date and accurate;
Kept no longer than needed;
Handled in a secure manner.

The FCA (Financial Conduct Authority) has advised that the financial services companies it regulates 'must make sure they lawfully process and transfer client data' in line with the GDPR guidance.

FCA-regulated companies including product providers, intermediaries, and retailers deal with a lot of personal data.

Personal data is defined by GDPR as any information relating to an identified or identifiable natural person, including physical, physiological, genetic, mental, economic, cultural and social elements, such as a name, identification number or location data.

The FCA's anti-money laundering (AML) and know-your-customer (KYC) guidance ensures that a minimum standard of identification exists for high value transactions on behalf of both businesses and their customers.

Although AML and KYC checks are designed to protect people's privacy, they require again more personal data to be transferred in order to verify a person or business' identity, status, or history.

In a hybrid-working world, with so many of us transacting online, the risk of transferring personal data is exacerbated.

The FCA advises that regulated financial services companies follow the ICO guidance surrounding sensitive data and communications.

When it comes to email, the GDPR and the DPA leave open-risk inadequate for messages or attachments containing personal data due to its lack of protection against access by unauthorised third parties.

"The previous Data Protection Act, passed a generation ago, failed to account for today’s internet and digital technologies, social media and big data. The new Act updates data protection laws in the UK...[and]... provides tools and strengthens rights to allow people to take back control of their personal data.”
— Elizabeth Denham, Information Commissioner, 2018

The Privacy And Electronic Communications Regulations (PECR)

The PECR Privacy and Electronic Communications Regulations sits alongside the DPA and GDPR, giving people specific privacy rights relating to electronic communications.

The PECR is a UK law, derived from the European e-privacy Directive, and it applies to anyone communicating digitally. It is regulated in the UK by the Information Commissioners Office (The ICO).

While GDPR regulates how you store a person’s data, PECR governs how organisations are allowed to contact them electronically. PECR includes rules on specific aspects, such as:

Marketing calls, emails, and texts
The use of third-party cookies
Keeping communications secure
Customer privacy in terms of traffic and location data, itemised billing, line identification, and directory listings.

It is important to consider PECR if you plan to or are sending marketing emails. In a nutshell - you cannot send marketing emails to individuals without gaining specific consent first, unless they are either a previous or current customer. You must also give the option to ‘opt out’.

Regarding confidential information, privacy, and data protection the PECR refers to the GDPR and DPA guidance and legislation.

Markets in Financial Instruments Directive (MIFID II)

MiFID helps the EU regulate financial markets by creating a singular market for investment services and activities.

It ensures standardised methods of protection, alongside:

Conduct of business and organisational requirements
Authorisation requirements for regulated markets
Regulatory reporting to avoid market abuse
Trade transparency for shares

MiFID II also requires that all communications regarding financial transactions are recorded and stored for up to seven years.

This includes communications channels such as voice and video calls, instant messaging, social media, SMS, and email.

Communications records must include an audit trail that is clear, easily accessible, and retrievable. Companies must store data securely and authenticate methods of information transfer.

“An investment firm shall have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage maintaining the confidentiality of the data at all times.”
— ESMA, 2021

As email, without protection, leaves data open to access by anyone, financial services companies must assess what data is getting sent by email, and where a more secure solution is required should provide it.

The Consumer Duty (FCA Guidance)

The Consumer Duty is designed to regulate interactions with and protect financial services consumers. The Consumer Duty is a mandate for FCA-regulated companies to ensure digital communications are:

Reliable and engaging – In order to enable consumers to make and act on well-informed decisions, reliable communication is key. No matter what communication channel you use, clients should be able to easily reach you, and vice versa.

Resilient and secure – As stated in an FCA consultation paper, "firms should be able to continue providing a reasonable level of support to their customers in the event of an issue arising with their services, which might include temporary works, an IT outage, or cyber-attack.” This means shifting your mindset to operational improvements that boost your resilience, implementing security measures that ensure your services and communications are protected from risk and remain consistent.

Compliant – As well as adhering to the new Consumer Duty, communications must also consider existing regulations, especially from the Information Commissioner’s Office (ICO). A large part of this will be ensuring comms are audited, allowing you to prove when and how you have supported and protected your clients.

The Consumer Duty says regulated businesses have the responsibility to do everything they can to support their customers to avoid harm and make the right decisions, including securing emails.

This also goes beyond other regulations regarding email in a sense, as it means regulated firms should provide their customers with more than just a securely delivered email and attachment.

Firms should also provide their customers with the support they need to send confidential data into them (especially when completing AML/KYC identification processes) to avoid their data being put at risk.

What Happens If You Don’t Comply?

Besides the damage to an organisation’s reputation, they may also be fined (in the UK by the either the ICO or the FCA, or both).

The UK GDPR and DPA can have a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements.

The EU GDPR sets a slightly higher maximum limit at €20 million (£18 million) or 4% of annual global turnover.

PECR has a maximum figure of £500,000 which can be issued against the organisation itself, or just its directors.

Finally, failure to comply with MIFID II or The Consumer Duty could result in fines of up to £5 million or a trade ban.

How To Remain Compliant: Encryption

As GDPR and DPA require businesses to safeguard data from unauthorised access, your outbound communications must have a suitable level of protection, especially email. Article 32 of GDPR lists encryption as a suitable method of protecting personal data.

Email encryption is the disguising or scrambling of the contents of your email into code that is unable to be read by human eyes. Content is encrypted and decrypted through the use of keys - strings of randomly generated numbers, with the length correlating to their strength.

Most email providers have a basic level of encryption built-in, however, it doesn’t provide the level of protection necessary to fully comply with regulations. Therefore, organisations should look at implementing an enterprise encryption solution, considering the following things:

Key size and additional authentication
Type of encryption - symmetric or asymmetric
Type of encryption software - does it integrate?
Scalability and business resilience impact

“You should use encrypted communication channels when transmitting personal data. You should have an encryption policy in place that governs how and when you implement encryption, and you should also train your staff in the use and importance of encryption. When storing or transmitting personal data, you should use encryption and ensure that your encryption solution meets current standards.”
— ICO, 2021

How to Remain Compliant: Authentication And Auditing

Another method of ensuring third parties cannot access sensitive information within emails is authentication. When delivering personal data from inbox to inbox, authentication can help businesses to identify recipients before they can read the contents of a message. This eliminates the risk caused by human error and weak passwords.

Multi-factor authentication is considered best practice, providing multiple levels of identity checks before allowing the recipient access. These checks commonly include SMS, Q&A's and biometrics.

As MiFID II legislation requires secure records to be kept, finding an auditing solution that works for email communications is imperative for regulatory compliance. Audit logs can be used to track your messages, checking when emails and attachments were accessed and who by, ensuring only authorised users are reading and downloading the contents.

How To Remain Compliant: Additional Actions

Assign a compliance officer - Having an individual in charge of ensuring your organisation adheres to regulations is the best way to guarantee compliance. They can assess your current scope, assist with implementing a compliance strategy and advise what software and processes to put in place.

Create an internal security policy - Having a company-wide policy that everyone adheres to will help protect assets and demonstrates a strong commitment to security and compliance.

Educate employees - Compliance solutions are only as strong as the people using them. Teach staff of all levels the fundamentals of regulation and security and how to counteract threats.

Are You Protected?

Is your firm compliant with industry regulations? Use our checklist to understand the current legislation and what processes and technology you can implement to adhere to it.

⬇️ Download the full guide