
The FCA Business Plan and Risk Outlook 2015 review – technology and data remain key risks

John Salmon’s Financial Services blog

27 Mar 2015

Financial services sector head John Salmon and the Pinsent Masons financial services sector team bring you insight and analysis on what really matters in the world of financial services.

Earlier this week the Financial Conduct Authority released its Business Plan and Risk Outlook for 2015. As was the case last year, technology and data issues were again listed among its most pressing concerns.

It identified the potential for technology to move too quickly and outstrip investment decision making, consumers' capabilities and the ability of regulators to respond as its number one 'forward-looking area of focus'. Financial crime was elevated to its list of seven key concerns, as were the effects of unfair contractual terms.

Visibility of IT resilience and risk will continue to be an ongoing area of work for the regulator, while it has also promised to conduct a market analysis of the use of big data by insurers.

Below we look at what this means for the financial services sector as businesses look to balance legal risk and compliance management against the need to innovate quickly.

Technology moving too fast

The FCA has said that there is a need for the pace of technology adoption to be managed more effectively. While it acknowledges that digital channels are creating positive consumer outcomes by making financial services faster, more convenient and more competitive, it also suggests that the focus on these channels is having negative consequences as well – increasing IT security and resilience risk, excluding certain groups of customers from the market and creating the potential for misuse by others.

The FCA sees a danger in younger people becoming "over-reliant on easy access (often high-interest) credit when a more affordable source could be available to them." It is also concerned about the ways in which risk warnings, advice and guidance are presented in a digital context and the possibility of consumers being encouraged to make poor choices and purchase unsuitable products.

These are all important concerns which need to be addressed by both the regulator and the sector. The regulator must provide clear guidelines as to what practical steps regulated firms can take to overcome these issues. The sector must share its ideas on the solutions that have been or could be developed to overcome the issues or lessen their effect.

The FCA has worked hard to encourage collaboration with the sector through its investment in an Innovation Hub and commitment to Project Innovate. But if collaboration between the regulator and the sector is to be effective, the FCA needs to spend more time understanding the different approaches firms could potentially take to overcoming its concerns without requiring that they engage in a direct dialogue about commercially sensitive plans for innovative propositions.

On many occasions it will not be commercially constructive to involve the regulator at particular stages of the innovative process. But firms need to know whether their planned digital propositions are addressing the regulator's concerns before substantial investments are made; not after.

It may be that the FCA could achieve a better understanding of the possibilities available to firms if it not only engages with them and their technology providers, but also other stakeholders which are less constricted by the sensitivities around revealing innovative ideas. Increased involvement of key consultants and professional advisers within each sub-sector may be a good starting point.

Unfair terms

The FCA noted the progress that has been made by the UK parliament in moving forward with its reforms to consumer protection laws. It highlighted that the Consumer Rights Act will "widen the scope for the assessment of fairness", including for financial services, and provide more transparency in relation to which specific contractual terms should be considered unfair.

But unfairness is not only about the contents of terms, it is also about how those terms are communicated to a customer. Acknowledging this, the FCA said that firms need to take positive steps to address the known "behaviours and traits consumers may exhibit, rather than seeking to capitalise on them." Those steps could include "shortening their terms and conditions and making them more accessible as part of communicating more smartly overall." Most would agree with its assessment that currently, in general, terms and conditions are "too long and complex".

The FCA's decision to focus on the fairness of contractual terms is consistent with recent views expressed by the Information Commissioner's Office (ICO). Like the FCA, the ICO has suggested that the traditional approach to presenting information online through long and complex policy documents could be a "hindrance" to the fair treatment of consumers, particularly in the mobile context.   

This consistency of approach between the two regulators seems to signal a change in view as to how contractual information should be presented online. It may be a good time for financial services organisations to explore new ways of representing information – whether through a layering of links approach, the use of infographics or by other means.

The risk of financial crime

The FCA's elevation of financial crime to its list of seven key risks is largely due to growing concerns about the impact of cyber crime on digital transactions. The FCA said that cyber exposure "is exacerbated by the increased reliance on web-based front-end channels that increase the risk of personal data and consumer funds being compromised".

One of the key issues here revolves around effective use of data. Initiatives such as the government's Cyber-security Information Sharing Partnership (CiSP) are encouraging private sector organisations to share data in order to better detect and potentially prevent criminal activity. However, concerns remain as to how far these organisations can go without getting caught by data protection laws.

The FCA should collaborate with the ICO on this issue specifically and provide clarity as to the extent to which organisations can share data for these purposes.

Big data in insurance  

The market study on the use of big data in insurance should provide the sector with a better understanding of the regulator's key concerns so long as the FCA engages with insurers effectively. The danger is that the regulator will seek information that is too specific, which insurers may see as commercially sensitive or subject to data protection requirements of uncertain application.

No insurer will hand over details of the extent to which it uses data without first being given assurance that it will not be penalised for doing so. The opportunity in terms of targeting new clients through using data for marketing purposes is too great for any insurer to take a chance. Unfortunately, however, it will be difficult for the FCA to give any such assurance, as the boundary between an insurer's use of data for 'legitimate business purposes' and uses that are 'illegitimate' remains unclear.

While the current prevailing view of regulators would place 'complex profiling' clearly outside 'legitimate use', no court or regulator has provided sufficient guidance to determine what constitutes a 'complex profile' and whether 'less than complex profiles' fall outside the scope of data protection restrictions on use. These questions need to be answered before the regulator expends significant effort and resources in conducting what could otherwise be a highly useful market analysis exercise.

IT resilience

In terms of exposure to regulatory fines, a lack of understanding of the importance of oversight of IT infrastructure may be the leading technology area of concern for many financial services organisations.

In this respect, it is good to see that the FCA is concerned about the effectiveness of cyber insurance – it is striking that headlines are still saying that only 2% of large businesses in the UK have "explicit cyber cover." The discussion around cyber insurance must become more sophisticated during the next 12 months and it should also be better linked to the more general discussion of cyber crime, data security and IT resilience risk management.

Signs of progress?

Overall the FCA said that it will be looking to reach an 'appropriate mix' of policy making initiatives, market and thematic reviews and supervision and enforcement activity. We hope that this means that in respect of technology and data issues, these tools will have definite and genuine outcomes and impact on the FCA's interpretation of its rules and applicable EU legislation.