Welcome to Legal Shorts, a short briefing on some of the week’s developments in the financial services industry.
If you would like to discuss any of the points we raise below, please contact me or one of our other lawyers.
ICO expands its GDPR guidance on accountability and governance and security
ICO has updated the accountability and governance and security sections of its guide to the GDPR. The expanded Guide now covers: (i) why accountability is important and what organisations need to do to ensure compliance, including introducing data protection policies and understanding the "data protection by design and default" approach to designing new products, processes and systems; and (ii) what requirements the GDPR imposes in respect of information security and how they differ from the requirements under the previous Data Protection Act 1998 regime. The section of the Guide dealing with security also sets out the organisational and technical measures that organisations should adopt.
ICO expands its guidance on data portability
ICO has updated the guidance on data portability contained in its guide to the General Data Protection Regulation. The expanded section of the Guide now covers: (i) what data portability is and when the right will apply; (ii) the kind of data that the right to data portability will apply to; and (iii) the permissible formats for data portability requests and responses, and the responsibilities of controllers and third parties sending and receiving data.
UK Finance FAQs on GDPR
UK Finance recently published a set of FAQs on the GDPR. The FAQs consider a range of issues, including: (i) how the GDPR will impact consumers of financial services and what changes they will notice; (ii) how firms' obligations will change; (iii) whether firms will always need customer consent to process personal data; (iv) how the GDPR will affect marketing; (v) whether there is any connection with Open Banking or the revised Directive on payment services in the internal market (PSD2); and (vi) what impact Brexit will have. UK Finance is working closely with its members, the government and regulators to ensure that the GDPR is effectively implemented in the UK. In particular, this means ensuring that firms can continue to meet their wide-ranging obligations, including protecting customers, managing risk and preventing crime (such as money laundering and fraud), while also meeting the GDPR's data protection and privacy standards.
New ESMA one-stop company portal
ESMA has recently launched a new one-stop company portal, which enables investors to establish whether a financial service provider is authorised within the EU. An accompanying press release explains that the portal provides investors with information on certain types of firm, including: (i) investment firms authorised under the MiFID II Directive (2014/65/EU), including systematic internalisers; (ii) MiFID trading venues; (iii) MiFID data reporting service providers; (iv) UCITS management companies; and (v) fund managers authorised under the AIFMD, including funds that are managed, or marketed, in the EU. The portal also refers to sanctions applied by competent authorities in member states under various pieces of EU legislation.
ECB Supervisory Board Chair comments on money laundering risk
The ECB published a letter from Daniele Nouy, ECB Supervisory Board Chair, to Sven Giegold, Member of the European Parliament, on money laundering risks. Among other things, Ms Nouy commented on the assignment of competences in AML matters and the flow of information between the relevant authorities. Ensuring compliance with, and enforcement of, national AML legislation is a national competence; the ECB co-operates fully with national authorities to the extent permitted by law and relies on them to share information proactively. Ms Nouy considers that closer co-operation among the relevant authorities is needed. MLD5 is a step towards enhancing co-operation; however, it may not be sufficient to ensure that co-operation is smooth and all-encompassing, and establishing a European AML authority could bring about this degree of improved co-operation. Ms Nouy also commented on the integration of money laundering risks into prudential supervision. AML is incorporated to some extent in the ECB's supervisory assessments, and the SSM supervisory review and evaluation process (SREP) methodology includes the components necessary for a comprehensive prudential treatment of AML risk.
ECB framework for testing resilience to cyber attacks
The ECB recently published the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), the first EU-wide framework for controlled, bespoke, intelligence-led tests of resilience against cyber-attacks in the financial sector. TIBER-EU is designed to enable EU and national authorities to work with financial infrastructures and institutions to put in place a programme to test and improve their resilience against sophisticated cyber-attacks. A test uses a variety of techniques to simulate an attack on an entity's critical functions and the underlying systems that support them (that is, its people, processes and technologies), so that the entity can assess its protection, detection and response capabilities. Financial infrastructures and institutions are encouraged to work closely with their regulators to establish a framework that will enhance the cyber resilience of their sector.
Investment Association and KPMG report on building cyber resilience in asset management sector
The Investment Association (IA) recently published a report, produced jointly with KPMG, on building cyber resilience in asset management. The report provides an overview of the key cyber security risks facing the asset management sector. Among other things, it also gives guidance on the practical steps firms can take to protect their business from cyber-attacks, and considers the advantages of a more collaborative sector-wide response to tackling cyber threats. In particular, the report calls on boards and senior management at firms to increase collaboration across the sector, and to invest in developing a cyber-response framework that allows firms to rapidly detect, respond to and recover from potential attacks. In a related press release, the IA explains that, to help firms with cyber resilience, it has also launched a Cyber Security Committee. The committee, which met for the first time in April 2018, will work with firms, regulators and public authorities to keep the sector at the leading edge and to develop industry guidance on cyber security. In the press release, the IA also notes that the City of London Police are launching "Cyber Griffin", a new initiative designed to make the Square Mile more secure from cyber-attacks. Specially-trained officers will lead a series of community-focused exercises, including threat briefings, intelligence sharing and incident response training.
Tel: +44 20 7585 1406
Mob: +44 7734 057 327
42 Brook Street, London W1K 5DB
11 May 2018