• No results found

THE ACTIVITIES AND MISTAKES OF THE FINANCIAL SERVICES INSTITUTION

The regulators have cited Information Technology as one of the main areas of risk.

Applying for authorisation: IT environment

When applying to the regulator for authorisation, a firm must be able to provide an assurance that its Information Technology systems will be robust, secure and capable of supporting its business operations. As part of the information that it submits with its formal application, a firm with expected annual revenue in excess of £25 million must submit an IT Controls Form to the regulator. This covers seven main areas: • governance and strategy;

• IT risk management;

• project and change management; • service delivery and incident handling; • information security and controls;

• business continuity planning and disaster recovery; and

• outsourcing and offshoring.

In our experience, the following four areas usually receive the most attention from the regulators: Governance and strategy

An applicant for authorisation must set out details of the governance arrangements that will ensure that IT risks will be managed in an appropriate way. This includes not only the governance structure, but key management roles and responsibilities. It will also need to clearly evidence that proposed role holders have the appropriate skills and experiences to fulfil these roles. It should also explain its IT strategy, demonstrating how its IT systems will support the business over the short, medium and long term.

Data loss prevention and leakage of information High profile cases of data loss and leakages of confidential information have created much publicity, and have prompted regulatory action against the financial institutions responsible. There is also a cost to the reputation of a financial institution from such reported instances.

The UK regulators expect regulated entities to have a clear understanding of the risks to the data they hold and to identify the security measures they have (or will) put in place to address them. This includes the entire security lifecycle from categorisation of data types, through physical and electronic security, to action plans to address data loss scenarios.

The most common incidents of information leakage occur when unprotected data is downloaded to a removable storage device (USB or CD drive), printed, or sent by e-mail.

UK legislation for the protection of data includes the: • Data Protection Act, which is concerned with the

protection of personal information about individuals. • Disclosure of Confidential Information regulations

of the Financial Services and Markets Act. • Payment Card Industry Data Security Standard

(PCI DSS).

Disaster recovery (IT resilience)

The regulators hold financial services institutions to account for technology failures, especially where these affect payments, customers or market participation. They therefore want to have confidence in the resilience of the IT systems of an applicant for authorisation, and their ability to recover quickly in the event of system failure.

Most institutions try to ensure that they are able to respond to IT failures quickly and effectively. However some struggle to do so, especially when their business is handling increasingly large and more complex amounts of data.

Outsourcing and offshoring

Outsourcing is the use of external organisations to perform some business activities instead of doing them internally with the organisation’s own staff. Offshoring means moving some operations and activities to another country.

Outsourcing and offshoring may be used by financial institutions to achieve cost savings and greater operational flexibility, or to provide a better quality of service to customers. Work may be outsourced and moved offshore to a parent company or to another company in the same group.

Whenever an applicant proposes to outsource services that are important to the day-to-day operations of its business, the regulator will expect to see a robust contract and governance model put in place to manage the delivery of that service.

This must demonstrate that suitable controls are in place, data is appropriately protected, the service is well managed and that the applicant retains suitably skilled and experienced staff within its own organisation to manage the relationship with the service provider. The applicant organisation will be held responsible for the service, including regulatory compliance associated with that service, by the regulator and must therefore ensure that it has suitable control over that service. When an applicant has an outsourcing arrangement with another subsidiary in the group (or with the parent company), the two entities should establish an inter- firm memorandum that details the services, service levels, governance and controls associated with the arrangement in much the same way as if the service provider was a third party.

Deloitte’s Financial Services practice offers thought leadership and strategic and operational expertise, combined with deep industry knowledge and expertise through four core sector teams: Insurance; Retail Banking; Capital Markets; and Investment Management.

These sector teams draw together financial services experts from across our practice, embracing the disciplines of consulting, corporate finance, tax and audit, including accounting, regulation and enterprise risk services.

Deloitte has decades of experience in bringing financial services institutions to the UK and helping them meet their growth needs. In addition to guiding UK-inbound financial services institutions through the relevant entry authorisation processes, Deloitte provides ongoing support to financial services institutions by liaising between the institution and the regulatory authorities,

as well as helping the institution understand and manage its tax exposure, advising on human capital issues, helping to obtain business premises, and developing fit-for-purpose IT environments. Within the UK, Deloitte has also helped both local and global financial services institutions to grow their business through other transactions, including off-shoring and near-shoring to alternative financial centres.

Deloitte’s network of member firms, located in more than 150 countries, has over 200,000 staff. In the UK firm, there are over 12,000 people working in 23 offices across the UK.

THECITYUK

TheCityUK is the independent, cross-sector voice for UK financial and related professional services and champions the international competitiveness of the sector.

Created in 2010, TheCityUK supports the whole of the sector, promoting UK financial and related professional services at home and overseas and playing an active role in the regulatory and trade policy debate.

TheCityUK provides constructive advice and the practitioner voice on trade policy and all aspects of taxation, regulation, and other legislative matters that affect the competitiveness of the sector. It conducts extensive research and runs a national and international events programme to inform the debate. TheCityUK is tasked with creating a new vision for the financial services sector.

Related documents