Since 2018 the Financial Conduct Authority (FCA) has required banks to publish statistics on operational and security incidents. The latest annual and quarterly sets, covering the period to the end of June 2019, make interesting reading. Many inferences could be drawn from the data, but one statistic that comes through clearly is how much higher the frequency of incidents is at the large, traditional banks compared to the challenger banks. For example, between them the big four banks account for over half the reported business banking incidents in the period from July 2018 to June 2019. Over the same period, the frequency of personal banking incidents at challenger banks was typically half that of the more traditional banks. While the most recent quarter of personal banking incidents appears to show a drop in the frequency of incidents, business banking incidents appear to be on the increase.
Welcome to the latest edition of the GD Financial Markets Insights Journal, a collection of our Insight Notes published over the last quarter on themes and topics of interest to our clients.
In July 2019 the Information Commissioner’s Office (ICO) issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR). One day later it announced its intention to fine Marriott International £99.2M for failing to undertake sufficient due diligence when it bought Starwood Hotels and for not sufficiently securing its systems. These are by far the most significant fines issued by the ICO since the new regulations came into force in May 2018. While they may seem harsh given that the data breaches resulted from external cyber-attacks, they are a clear indicator of the stance the ICO is likely to take in such situations. In issuing the BA notice the UK Information Commissioner, Elizabeth Denham, said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”
What is a Data Subject Access Request?
Data subject access requests (DSARs) are not new, but are gaining increased prominence and public interest as a result of the introduction in May 2018 of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
Welcome to the GD Financial Markets Quarterly Insights Journal. This is a collection of our Insight Notes published over the last quarter on current themes and topics of interest to our clients.
70 million. This was the number of customers of the retail chain Target whose contact information and/or credit and debit card records were stolen between November 27 and December 15, 2013. This was not the result of sophisticated hacking or burglary. Rather, the source was an air conditioning company with just 100 staff. The company fell victim to a simple phishing attack and, because it was connected to Target’s internal systems for billing and contract management via a vendor portal, this allowed the hackers to access the extensive information Target held on its customers.
The May 25th deadline for GDPR has come and gone, and for most people the most tangible aspect was probably the flurry of emails they received in the run-up to the deadline containing privacy notices from companies they had forgotten they had signed up with in the first place. Brief coverage in the news over the go-live period highlighted that the majority of members of the public were unaware of what GDPR stood for or what it meant for them. This may well have been the first and last they will hear about GDPR, and for companies it may be tempting to think that the hard work is done and it is back to ‘business as usual’.
Anti-Money Laundering and Counter-Terrorist Financing (‘AML’) regulations have increased compliance costs and regulatory scrutiny in the past four years, with no fewer than three European Directives published since 2015. The scope of the first regulations was originally focused on financial services but was extended to other sectors, including the real estate industry. Penalties have already been imposed on a number of agents. How can estate agents mitigate their regulatory risk? This note explores the regulatory landscape in the real estate industry, then uses the lessons learnt from the financial services industry to explore the possibility of implementing a real estate solution.
In the earlier note we looked at the Three Lines of Defence (3LoD) through a control engineering lens to provide a context for some of the practical challenges that financial services organisations are experiencing with the framework.
In the face of uncertainty we tend to do nothing. This has proven to be the case for many firms when it comes to the transition away from LIBOR. Despite the risk of LIBOR’s discontinuation in 2021, many affected businesses have yet to put in place plans to move to the alternative risk-free rates (RFRs).