Outsourcing and data loss

A large fine (£2.275m) was imposed on Zurich Insurance Plc for systems and controls failings following the loss of customers’ confidential information.

Although, at first sight, the problems of a large global insurance entity may not be thought relevant to more modest-sized investment firms, the case does provide a couple of useful reminders for all firms.

Key here was the loss of the data of 46,000 policyholders (out of a universe of 51,000 UK customers) by an outsourced service provider (albeit, mostly, within the larger group as a whole).

Data security is a topic that the FSA takes very seriously and we draw attention to Regulatory Roundup 15 which included an article on ‘The Small Firms Financial Crime Review’ issued by the FSA in May. Section 3.2 concerned data security, including issues to think about when a firm outsources any customer data responsibilities to third parties – a term which included using IT companies to administer data systems. Annex 2 of the FSA paper contains examples of good and bad practice.

The other aspect is to bear in mind the maxim that one can delegate a function but not the responsibility. SYSC 8 tells us that when outsourcing ‘critical’ functions (see SYSC 8.1.4R) a firm must take steps to avoid undue additional operational risk. We would remind firms that where they do outsource, SYSC 8.1.8 lists various conditions that need to be satisfied. By virtue of SUP 15.3.8(e) a firm should notify the FSA when entering into, or significantly changing, a material outsourcing arrangement.

In passing, we would confirm that whilst the Final Notice makes frequent reference to SYSC 3, this chapter will not be relevant to investment firms, which will need to look elsewhere for equivalent rules and guidance, e.g. SYSC 4 covers general organisational requirements; SYSC 6 concerns financial crime, etc.