Following the implementation of the General Data Protection Regulation in May last year, attention in the EU has turned to the enforcement of the new regime. Financial services firms may be particularly interested in how the GDPR is enforced alongside the existing financial regulatory regimes and in the possibility of co-ordinated enforcement actions. Although data protection and financial services regulators across the world are taking different approaches, the global trend is that the risk of joint and multiple enforcement actions is increasing.
In February last year, the UK’s Financial Conduct Authority (which brings the vast majority of financial services enforcement actions in the UK) and the Information Commissioner’s Office (which is primarily responsible for the enforcement of the GDPR in the UK) released a joint statement that gives some indication of the areas of overlap between the GDPR and the existing financial services regime (and thus the areas where there is a risk of joint enforcement). The FCA and ICO explained that there are a number of common requirements between the GDPR and the FCA’s rules and that one regulator might take into account a firm’s compliance with the requirements of the other. A data breach, therefore, could result in enforcement action by the FCA, by the ICO or by both regulators simultaneously. While statements similar to the UK’s joint statement have not so far been published in France, Germany, Hong Kong or the United States, there remains a risk of joint or multiple enforcement actions relating to data breaches being brought in those jurisdictions (and others).
The interest that financial services regulators now take in data breaches has been demonstrated by the FCA’s ongoing investigation into the widely publicised IT issues at TSB Bank last year, during which customers were given access to, and information about, other customers’ accounts. The issue led to over 200,000 complaints and the resignation of TSB’s CEO, and has cost the bank £330m.
One of the practical challenges for firms dealing with multiple enforcement actions brought by financial services and data protection regulators will be navigating parallel sets of regulatory requirements. In some cases, the requirements may be markedly different. In others, the differences will be nuanced, and in practice those finer distinctions can be harder to navigate. In the UK, for example, the FCA and the ICO impose different requirements in relation to firms’ obligations to notify a breach. In the context of an investigation, there are also subtle differences between a firm’s statutory ability to withhold certain information from the ICO and its ability to do so from the FCA.
Looking at the enforcement landscape more generally, the risk of joint or multiple enforcement actions being brought in response to data breaches is a further example of the more far-reaching and co-ordinated approach that has been adopted by regulators globally in recent years. This approach has already been seen in the UK with the growing links between financial services and competition law. With the prospect of joint enforcement actions being brought across the world, financial services firms should continue to be aware of any inconsistencies between the overlapping regulatory regimes and the possibility of facing multiple enforcement actions in respect of the same underlying data breach.
For more information, see our briefing on this topic.