MoU between the ICO and the FCA – a match made in heaven?

For many, February is the month of love and Valentine’s Day got me thinking about the memorandum of understanding (“MoU”) between the Information Commissioner's Office (“ICO”) and the Financial Conduct Authority (“FCA”). It is not hearts and roses but it might be the start of something far deeper…

What is it?

Like the unveiling of a secret celebrity engagement, the FCA only recently went public with the news that it entered into a MoU with the ICO on 29 September 2014. The aim of the MoU is to “facilitate and provide a framework of co-operation and co-ordination” between the ICO and the FCA “in carrying out their respective regulatory responsibilities” under certain legislation (*) by setting out “arrangements for co-operation and exchange of relevant information”.

The MoU covers all of the essentials needed for a long and prosperous relationship: (1) the roles and responsibilities of each party; (2) a framework for co-operation; (3) information sharing; (4) policy and rulemaking; (5) investigation and enforcement; (6) confidentiality; and, to celebrate their anniversary each year, (7) an annual review.

What does it mean for businesses?

This relationship could be a good thing for FCA-regulated businesses as it offers some clarity and reassurance on how the ICO and the FCA will work together. Over the years, there have been a number calls for the ICO and FCA to work closely to ensure effective regulation and avoid duplication. There has been evidence of this happening when things go wrong, with the FCA (or the FSA as it used to be) taking the lead as it is currently able to pack a harder punch. This new focus on co-operation could be a great opportunity for both to develop a co-ordinated strategy for regulating personal data handling by FCA-regulated businesses and to provide increased support to those businesses by producing more specific guidance.

If the fining power of data protection authorities is increased by the proposed new data protection regulation, the ICO will be able to take stricter enforcement action independently, which would also impact non-FCA regulated businesses. In working more closely, the ICO and the FCA will learn from one another; making each partner in the relationship stronger. So it is likely that the ICO will learn the FCA’s techniques and be more confident in using any increased fining powers that come its way.

What you should be doing

The marriage is likely to be productive and so both FCA-regulated and non-regulated businesses should prepare to deal with a stronger, more confident regulator by looking at the controls they have in place around personal data handling in the form of governance, policies, procedures, staff training, information security and monitoring and implement improvements where needed.


(*) The Data Protection Act 1998 (DPA), the Freedom of Information Act 2000 (FOIA), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR), the Environmental Information Regulations 2004 (SI 2004/3391) (EIR), the INSPIRE Regulations 2009 (SI 2009/3157) and the Financial Services and Markets Act 2000 (FSMA).


Krysia Sturgeon | Senior Associate | PwC Legal - UK
[email protected] | +44 (0)20 7804 2637

More articles by Krysia Sturgeon