December 9, 2022

Are you ready for the FCA data protection "hit squad"?

Tough new regulatory measures imposed by the Financial Conduct Authority (FCA) are sending a wind of change through financial institutions. With the categorisation of firms into one of four conduct groups, fewer supervisors allocated to specific firms and a “hit squad” ready to pounce on firms unannounced, implementing better data security and protection is now a top priority for many firms.

The new rules follow a string of high-profile cases involving security failings at major institutions. In 2011, the UK operation of Zurich Financial Services was fined £2.3m by the Financial Services Authority (FSA) for losing the personal details of 46,000 customers. Similarly, Europe’s largest bank HSBC Holdings was fined £3.2m for a series of data breaches at three of its subsidiary companies. Such fines are gaining in frequency as the FSA increasingly sees data retention and potential loss as a major regulatory issue. A record £312m in fines was levied by the FSA in 2012 on big-name companies for compliance failings that put client and investor money at risk.

The measures needed to step up to the new changes and implement more robust data security and protection will vary from business to business. But there are some features of the FCA rules that are common to all. Importantly, firms outsourcing parts of their business to others must now take responsibility for the data protection practices of their outsourced partners. For example, in the case of transferring data, while the third party may follow best practice and ensure your back-ups are sent online over a secure encrypted link direct to a secondary data centre, you must be able to prove to an FSA supervisor that the data cannot be compromised if it’s lost or stolen.

The new measures also require businesses to know the exact location of the backup data. Is it in the EU and at the recommended distance from your primary business location? Seven miles is the approximate minimum acceptable distance. Checking the data centre’s disaster recovery plan and knowing the safeguards they have in place will also help you mitigate risk.

While the FCA is non-prescriptive on the subject of Business Continuity, following best practice has multiple business benefits for any company, regulated or not. Assessing how quickly you can recover employee and customer records and key servers, and the procedures you need to follow in the event of an office disaster, also helps to prove to the FCA that you’ve taken measures to protect against data loss. Evidencing this is a vital part of the new rules: files should be easily accessible, and archived files should be saved in non-destructible form.

For many, the new data protection measures may seem a touch austere, but with data theft at an all-time high and data loss compromising customer data and business functions, data protection is a subject no company can afford to side-step. With this in mind, DATAFORT data protection solutions encompass the needs of disaster recovery, offsite back-up, business continuity, email archiving and file retrieval in one system, helping you meet regulations, protect against loss and avoid those six-figure FSA fines.



DATAFORT provides dependable and secure data protection services that offer enterprise-level functionality with a focus on security and reliability. Its software and services are used by thousands of organisations worldwide, ranging from SMBs through to large enterprises and local government departments. Every hour of every day someone, somewhere backs up with DATAFORT. The company was founded in 2000, is headquartered in Guildford, UK and has offices in London and New York. For further information please visit or call 0800 45 44 35.

Press and analyst contacts:

Nabeel Qureshi
01483 872 052