Compliance
Compliance Corner: The FCA, Equifax
The latest compliance news: regulatory developments, punishments, guidance, permissions, new product and service offerings.
FCA
The Financial
Conduct Authority (FCA) has fined Equifax Ltd (Equifax)
£11,164,400 (about $13.58 million) for failing to manage and
monitor the security of UK consumer data that it had outsourced
to its US-based parent company.
The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of being victim to financial crime. In 2017, Equifax’s parent company, Equifax Inc, was subject to one of the largest cybersecurity breaches in history. Cyber hackers were able to access the personal data of about 13.8 million UK consumers because Equifax had outsourced data to Equifax Inc’s servers in the US for processing.
The UK consumer data accessed by the hackers ranged from names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses.
The cyber attack and unauthorised access to data was entirely preventable. Equifax did not treat its relationship with its parent company as outsourcing. Consequently, it failed to provide sufficient oversight of how the data it was sending was properly managed and protected.
There were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data, the FCA said in a statement late last week.
Equifax did not find out that UK consumer data had been accessed until six weeks after Equifax Inc had discovered the hack. The firm was informed about the incident approximately five minutes before it was announced by the American parent company. This meant that Equifax was unable to cope with the complaints it received when the incident was announced, leading to delays in contacting UK customers.
Following the cybersecurity breach, Equifax made several public statements on the impact of the incident to UK consumers which gave an inaccurate impression of the number of consumers affected. Equifax also treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning that complaints were mishandled.
The watchdog stressed that regulated financial firms must have effective cybersecurity arrangements in place to protect the personal data they hold. To this effect, they must keep systems and software up to date and fully patched, and remain responsible for the data they outsource.
When an FCA-authorised firm becomes aware of a data breach, it is essential that it promptly notifies affected individuals in a way which is fair, clear and not misleading. It should also implement fair complaints handling procedures.
“Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not,” Therese Chambers, joint executive director of enforcement and market oversight, said.
“Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards,” Jessica Rusu, FCA chief data, information and intelligence officer, said.