Financial Services Email Compliance: The Checklist
In financial services, email compliance is an important part of your company's daily obligation to protect sensitive information.
Email was the number one medium involved in data incidents in the UK according to ICO trend reporting. Are your outbound emails up to spec?
Email compliance at a glance
With ever-changing guidance and laws surrounding data and communications, maintaining compliance can be a challenge.
Here's an overview of the latest regulatory guidance that financial services firms should be aware of when it comes to confidential email:
| Regulation | Checklist item | Guidance |
|---|---|---|
| FCA - SM&CR | Put prevention methods in place to stop a breach | "If a firm breaches one of our requirements, the Senior Manager responsible for that area could be held accountable if they didn’t take reasonable steps to prevent or stop the breach." |
| FCA - SM&CR | Encrypt emails containing personal data | "Have a policy governing encrypted email, including guidelines that enable staff to understand when they should or should not use it. For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or as an unencrypted attachment) should be sent encrypted." |
| FCA - COBS | Keep auditable copies of outbound emails | "Keep a copy of relevant electronic communications, made with, sent from or received on equipment: (1) provided by the firm to an employee or contractor; or (2) the use of which by an employee or contractor has been sanctioned or permitted by the firm." |
| ESMA - MiFID II | Authenticate recipients to prevent unauthorised access | “Have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage maintaining the confidentiality of the data at all times.” |
| ICO - GDPR | Have the capability to revoke misfired emails | "[in the event of a data breach] act quickly. Try to recall the email as soon as possible. If you can’t recall it, contact the person who received it and ask them to delete it. In the future, consider turning off the Autofill tool when sending work emails. The 72 hours following a personal data breach are particularly critical." |
| FCA - Consumer Duty | Provide customers a secure way to communicate with you | "Ensure consumers receive communications they can understand, products and services meet their needs and offer fair value, and the support they need." |
As a core channel for internal and customer comms, it's clear that email must be given specific attention by regulated businesses.
Key Guidance And Regulation
Although email is a fast and convenient method of transporting documents and other data, when unprotected it leaves that data open to many threats.
Maintaining strong outbound email security standards doesn't just help you to keep the regulators happy. It also helps to ensure your messages, and the sensitive information within them, remain protected.
Let's take a look at the key pieces of legislation regarding digital communications to understand them in detail, and to learn how they help financial services companies to protect themselves.
1. The General Data Protection Regulation (GDPR) and The Data Protection Act (The DPA)
The GDPR (The General Data Protection Regulation) is a European Union data privacy regime, deployed as law in the UK under the 2018 Data Protection Act (The DPA).
It means that anyone responsible for using personal data has to follow strict 'data protection principles'. These principles say personal data must be:
- Used fairly and lawfully
- Used for a specific purpose
- Used only when relevant or necessary
- Kept up to date and accurate
- Kept no longer than needed
- Handled in a secure manner, including protecting it against unauthorised access, processing, loss, destruction, or damage.
The DPA was brought in to give people greater control over their information, granting them ‘rights’ over the use of their data, such as the ability to access it, to have it updated, and to have it deleted.
The FCA (Financial Conduct Authority) has advised the financial services companies it regulates that 'firms must make sure they lawfully process and transfer client data' in line with the GDPR guidance.
FCA-regulated companies, including product providers, intermediaries, and retailers, deal with a lot of personal data. Personal data is defined by the GDPR as any information relating to an identified or identifiable natural person, including physical, physiological, genetic, mental, economic, cultural and social elements, such as a name, identification number or location data.
The FCA's anti-money laundering (AML) and know-your-customer (KYC) guidance ensures that a minimum standard of identification exists for high value transactions on behalf of both businesses and their customers.
Although AML and KYC checks are designed to protect people's privacy, they require yet more personal data to be transferred in order to verify a person's or business's identity, status, or history.
In a hybrid-working world, with so many of us transacting online, the risk involved in transferring personal data is exacerbated. The FCA advises that regulated financial services companies follow the ICO guidance surrounding sensitive data and communications.
When it comes to email, the GDPR and the DPA treat unprotected email as inadequate for messages or attachments containing personal data, because it offers no protection against access by unauthorised third parties.
"The previous Data Protection Act, passed a generation ago, failed to account for today’s internet and digital technologies, social media and big data. The new Act updates data protection laws in the UK...[and]... provides tools and strengthens rights to allow people to take back control of their personal data.”
— Elizabeth Denham, Information Commissioner, 2018
The Privacy and Electronic Communications Regulations (PECR)
PECR (the Privacy and Electronic Communications Regulations) sits alongside the DPA and GDPR, giving people specific privacy rights relating to electronic communications.
PECR is a UK law, derived from the European e-Privacy Directive, and it applies to anyone communicating digitally. It is enforced in the UK by the Information Commissioner's Office (the ICO).
While GDPR regulates how you store a person’s data, PECR governs how organisations are allowed to contact them electronically. PECR includes rules on specific aspects, such as:
- Marketing calls, emails, and texts
- The use of third-party cookies
- Keeping communications secure
- Customer privacy in terms of traffic and location data, itemised billing, line identification, and directory listings.
It is important to consider PECR if you send, or plan to send, marketing emails. In a nutshell: you cannot send marketing emails to individuals without gaining specific consent first, unless they are a previous or current customer. You must also give them the option to ‘opt out’.
Regarding confidential information, privacy, and data protection, PECR refers to the GDPR and DPA guidance and legislation.
Markets in Financial Instruments Directive (MIFID II)
MiFID helps the EU regulate financial markets by creating a single market for investment services and activities.
It ensures standardised methods of protection, alongside:
- Conduct of business and organisational requirements
- Authorisation requirements for regulated markets
- Regulatory reporting to avoid market abuse
- Trade transparency for shares
MiFID II also requires that all communications regarding financial transactions are recorded and stored for up to seven years.
This includes communications channels such as voice and video calls, instant messaging, social media, SMS, and email.
Communications records must include an audit trail that is clear, easily accessible, and retrievable. Companies must store data securely and authenticate methods of information transfer.
“An investment firm shall have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage maintaining the confidentiality of the data at all times.”
— ESMA, 2021
As email without protection leaves data open to access by anyone, financial services companies must assess what data is being sent by email, and provide a more secure solution where one is required.
The Consumer Duty (FCA Guidance)
The Consumer Duty is designed to regulate interactions with, and protect, financial services consumers. The Consumer Duty is a mandate for FCA-regulated companies to ensure digital communications are:
- Reliable and engaging – In order to enable consumers to make and act on well-informed decisions, reliable communication is key. No matter what communication channel you use, clients should be able to easily reach you, and vice versa.
- Resilient and secure – As stated in an FCA consultation paper, "firms should be able to continue providing a reasonable level of support to their customers in the event of an issue arising with their services, which might include temporary works, an IT outage, or cyber-attack.” This means shifting your mindset to operational improvements that boost your resilience, implementing security measures that ensure your services and communications are protected from risk and remain consistent.
- Compliant – As well as adhering to the new Consumer Duty, communications must also consider existing regulations, especially from the Information Commissioner’s Office (ICO). A large part of this will be ensuring comms are audited, allowing you to prove when and how you have supported and protected your clients.
The Consumer Duty says regulated businesses have the responsibility to do everything they can to support their customers to avoid harm and make the right decisions, including securing emails.
This also goes beyond other regulations regarding email in a sense, as it means regulated firms should provide their customers with more than just a securely delivered email and attachment.
Firms should also provide their customers with the support they need to send confidential data to them securely (especially when completing AML/KYC identification processes), so that the customer's data is not put at risk.
What Happens if you Don’t Comply?
Besides the damage to an organisation’s reputation, it may also be fined (in the UK by either the ICO or the FCA, or both).
The UK GDPR and DPA can have a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements.
The EU GDPR sets a slightly higher maximum limit at €20 million (£18 million) or 4% of annual global turnover.
PECR has a maximum figure of £500,000 which can be issued against the organisation itself, or just its directors.
Finally, failure to comply with MIFID II or The Consumer Duty could result in fines of up to £5 million or a trade ban.
How to Remain Compliant: Encryption
As GDPR and DPA require businesses to safeguard data from unauthorised access, your outbound communications must have a suitable level of protection, especially email. Article 32 of GDPR lists encryption as a suitable method of protecting personal data.
Email encryption scrambles the contents of your email into ciphertext that cannot be read without the corresponding key. Content is encrypted and decrypted using keys: strings of randomly generated numbers whose length correlates with their strength.
Most email providers have a basic level of encryption built in; however, it does not provide the level of protection necessary to fully comply with regulations. Therefore, organisations should look at implementing an enterprise encryption solution, considering the following:
- Key size and additional authentication
- Type of encryption - symmetric or asymmetric
- Type of encryption software - does it integrate?
- Scalability and business resilience impact
“You should use encrypted communication channels when transmitting personal data. You should have an encryption policy in place that governs how and when you implement encryption, and you should also train your staff in the use and importance of encryption. When storing or transmitting personal data, you should use encryption and ensure that your encryption solution meets current standards.”
— ICO, 2021
How to Remain Compliant: Authentication and Auditing
Another method of ensuring third parties cannot access sensitive information within emails is authentication. When delivering personal data from inbox to inbox, authentication can help businesses to identify recipients before they can read the contents of a message. This eliminates the risk caused by human error and weak passwords.
Multi-factor authentication is considered best practice, providing multiple levels of identity checks before allowing the recipient access. These checks commonly include SMS codes, security questions and biometrics.
As MiFID II legislation requires secure records to be kept, finding an auditing solution that works for email communications is imperative for regulatory compliance. Audit logs can be used to track your messages, recording when emails and attachments were accessed and by whom, so you can confirm that only authorised users are reading and downloading the contents.
How to Remain Compliant: Additional Actions
- Assign a compliance officer - Having an individual in charge of ensuring your organisation adheres to regulations is the best way to guarantee compliance. They can assess your current scope, assist with implementing a compliance strategy and advise what software and processes to put in place.
- Create an internal security policy - Having a company-wide policy that everyone adheres to will help protect assets and demonstrates a strong commitment to security and compliance.
- Educate employees - Compliance solutions are only as strong as the people using them. Teach staff of all levels the fundamentals of regulation and security and how to counteract threats.
Are you protected?
Is your firm compliant with industry regulations? Use our checklist to understand the current legislation and what processes and technology you can implement to adhere to it.
Originally posted on 13 05 22
Last updated on April 20, 2023
Posted by: Sabrina McClune
Sabrina McClune is an expert researcher with an MA in Digital Technologies. She was a finalist in the Women In Tech Awards 2022. Sabrina has worked extensively with B2B technology companies conducting and compiling thorough academically driven research to produce online and offline media. She loves to read fantasy novels and collect special edition books.