Other systems and controls
7.1. Client Data Protection and Business Continuity
7.1.1. Data Protection
The Data Protection Act 2018 (DPA) replaced the Data Protection Act 1988 and came into force on 25 May 2018. DPA 2018 anticipates a post-Brexit regulatory environment by ensuring UK data protection law is in line with the EU's General Data Protection Regulation ((EU) 2016/679) (GDPR) and implements the EU Data Protection Directive 2016/680 (Law Enforcement Directive).
GDPR sets out data protection principles, individual data rights, and defines lawful bases for processing. Crucially the regulation further defines specific responsibilities for data controllers and data processors, and places obligations on controllers to ensure that their processors comply with the GDPR.
The DPA defines and enshrines in UK law:
Data protection principles (GDPR Article 5)
Conditions for the lawful processing of personal data (GDPR Articles 6-8)
Additional conditions for the lawful processing of 'special category' personal data and criminal conviction data (GDPR Articles 9-10)
Data subjects' rights (Articles 12-22 GDPR)
Obligations on controllers and processors (Articles 24-43 GDPR)
International transfers (Articles 44-51 GDPR)
With respect to ShareIn's technology clients, ShareIn is a processor of investor data via its technology platform. ShareIn's technology clients are data controllers in the context of investor data on the platform.
ShareIn's data protection officer is responsible for ShareIn's compliance with the requirements of the DPA ("Data Protection Act"), where ShareIn are the data controller and where ShareIn are the data processor.
Jude Cook is ShareIn's data protection officer. ShareIn's ICO registration number is ZA029742.
The data protection principles laid out in GDPR and referenced in the DPA are as follows:
| No. | Principle | Description |
|---|---|---|
| 1a. | Lawfulness, fairness and transparency | Personal data must be processed with the customer's consent or processing must be necessary for the performance of a contract with the individual or it must be necessary for the performance of a legal contract. |
| 1b. | Purpose limitation | Processing must be in accordance with the specified purposes described in the data controller's register entry. It must also be compatible with the description given in terms and conditions and other documentation. |
| 1c. | Data minimisation | Excessive data should not be collected. For example, names of children when conducting business purely with the parent. |
| 1d. | Accuracy | All reasonable care should be taken to record personal data accurately and to action changes immediately they become effective. |
| 1e. | Storage limitation | Personal data which is no longer required for legitimate business or legal reasons should be deleted. |
| 1f. | Integrity and confidentiality | Data controllers must keep personal data on their customers and staff secure and confidential. Any agents or third-party processors of the data controller must be contractually bound to comply with this principle and meet the data controller's security of data requirements. |
| 2. | Accountability | Data controllers shall be responsible for, and be able to demonstrate compliance with, the six principles above. |
To assist in ensuring compliance with the DPA, the data protection officer should be able to answer 'yes' to the following questions:
Do we really need this information about an individual and do we know what it is going to be used for?
Do the clients whose information we hold know that we hold it, and are they likely to understand what it will be used for?
If we are asked to pass on personal information, would the clients whose information we hold expect it to be done?
Is the data protection officer satisfied that all personal information is being held securely, whether paper based or on computer, and is the website secure?
Are we certain that the personal information we hold is accurate and up to date?
Do we delete/destroy personal information as soon as we have no more need of it, and are data subjects aware of how long we are required to hold different pieces of personal data and why?
Have our staff been trained in their duties and responsibilities under the DPA/GDPR and are they putting such duties and responsibilities into practice?
Have we paid our data protection fee to the Information Commissioner's Office (ICO) or is our registration otherwise up to date?
Key points to remember about data protection:
There are six data protection principles of good practice, plus the accountability principle.
The Information Commissioner's Office is the independent supervisory authority.
The ICO charges a data protection fee, the size of which is meant to reflect the risks posed by the processing of personal data by controllers. We have determined neither ShareIn nor its Appointed Representatives qualify for an exemption for payment of fees. ShareIn and all its Appointed Representatives must therefore take steps to ensure they are up to date on payment of fees to the ICO.
All personal data, whether held on computer, in digital files or in paper filing systems, are affected.
Individuals have the right:
o To be informed
o To access their data (Subject Access Request)
o To rectification
o To erasure
o To restrict processing
o To data portability
o To object
o And have rights in relation to automated decision making and profiling.
ShareIn have set out a procedure to enable its technology platform clients to comply with Subject Access Requests. This procedure is laid out in the Appendices.
You can find more information and guidance as well as contact information on the Information Commissioner's website: www.ico.org.uk.
7.1.2. Client Data Security
The FCA requires us to ensure our systems are resilient. We must also ensure the way we use customer information is not vulnerable to distortion and does not lead to consumers being unfairly excluded. In general terms, the FCA requires all regulated firms to take reasonable care to establish and maintain effective systems and controls for countering the risk of being used to further financial crime. The number of high profile incidents where data loss has occurred in both the public and private sectors shows the importance of considering the security measures in place for handling, storing and disposing of client data. Client data is any identifiable information about a client held in any format. Examples include National Insurance number, address, date of birth, family circumstances, bank details and medical records.
The key issues to consider are ensuring:
Physical security is appropriate to prevent unauthorised access to client data.
Senior management assess data security risk and put in place appropriate policies, procedures and controls to reduce it.
Recruitment and staff management processes give comfort that staff are not susceptible to stealing data or committing fraud.
Staff understand the importance and relevance of data security policies and procedures and that the misuse of client data may result in disciplinary action.
Systems and controls are appropriate to minimise the risk of data loss or theft.
Client data is disposed of in a secure fashion.
We are aware of the third-party suppliers employed, their security arrangements around any client data they hold or have access to, and how they vet their own staff.
Compliance monitoring of data security is risk based.
7.1.3. Business Continuity Planning
Every organisation can experience a serious incident that can prevent it from continuing normal operations. Therefore, the FCA requires all regulated firms to regularly test and review their business continuity plans. Such reviews should ensure we have systems and processes in place which enable us to cope with major operational disruptions from high-risk events. Examples include terrorist attacks, natural disasters and global pandemics. Effective business continuity planning takes account of every possible impact on the business, such as a breakdown in communication links and damaged client relationships.
Our business continuity plan (BCP) sets out clear roles and responsibilities. For example, it details those individuals assigned to manage all liaison with clients, staff and the emergency services. It also lists a series of contingencies that enable key business activities to continue in the most difficult circumstances, for example when a vital computer system or other equipment is unavailable. Importantly, it also details clear emergency procedures to ensure that the safety of staff is a top priority. As it requires an assessment of all critical areas of a firm, business continuity planning is a valuable management tool.
If a serious incident occurs, which results in us being unable to continue normal FCA related operations, we must notify the FCA as soon as possible and explain the steps we are taking to deal with the consequences.
7.2. Outsourcing (SYSC 8)
Outsourcing is an arrangement of any form between us and a third party by which the third party performs a process, service or activity which would otherwise be undertaken by us. We may delegate any of our critical or important operational functions or investment services on an ongoing basis, provided reasonable steps are taken to avoid undue additional operational risk. No outsourcing can be undertaken if it would materially weaken our internal systems and controls or seriously compromise our regulatory obligations.
An operational function would be regarded as critical or important if, in the event of a failure, it would materially impair:
Continuing compliance with regulatory obligations.
The continuity of the regulated activities we conduct under our regulatory authorisation.
The following are not subject to any outsourcing considerations, as they are not seen as critical or important under the SYSC 8 rules (SYSC 8.1.5R):
The provision of advisory services, including compliance, tax and legal advice to us.
The training of staff by external bodies.
The security of our premises and personnel.
The provision of market information services and price feeds.
Where an outsourcing arrangement is put in place, we still remain fully responsible for discharging all FCA related obligations. Such an arrangement cannot allow senior management to delegate its responsibilities. Nor can the regulatory relationship between us and our clients be altered. Similarly, the conditions in which we were authorised by the FCA must not be undermined, removed or modified.
Our respective rights and obligations, and those of the service provider, must be clearly allocated. They must be set out in a written agreement and, if deemed operationally critical, promptly notified to the FCA. The FCA will supervise the compliance of the outsourced activities' performance in line with the requirements of the regulatory system.
At all times, we must exercise due skill, care and diligence when entering into or terminating an outsourcing arrangement. With this in mind, it is recommended that the due diligence process be followed and reviews be undertaken at regular intervals thereafter. In entering into an outsourcing arrangement, the following conditions must be satisfied:
The service provider must carry out the outsourced services effectively. To this end we must establish methods for assessing the standard of performance of the service provider.
The service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing.
Appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements.
We must retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing. We must also supervise those functions and manage those risks.
The service provider must disclose to us any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements.
We must be able to terminate the outsourcing arrangement where necessary without detriment to the continuity and quality of our provision of services to our clients.
We, our auditors, the FCA and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider. The FCA and any other relevant competent authority must be able to exercise those rights of access.
The service provider must protect any confidential information relating to us and our clients.
We, together with the service provider, must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.
7.2.1. Non-Outsourced Referral or Delegation
The rules and guidance within SYSC 8 do not include the referral or delegation of services in relation to:
Services which we are not authorised to carry out under our permissions. For example, holding client money or assets.
Services which are not seen as critical or important under SYSC 8 rules.
Although these services are not subject to SYSC 8 rules, we nevertheless have a duty to oversee each service to ensure it is being operated appropriately. That oversight should be carried out on a proportionate basis (see general requirements under SYSC 4.1 et seq).
E-commerce activity is subject to the provisions of the E-Commerce Directive (implemented 8 June 2002). It consists of providing information from the UK to UK recipients via an electronic format and applies to firms that are electronic commerce activity providers. If engaging in such an activity, we must provide all the information as set out in FCA rules COBS 5.2.2 and 5.2.3.
An unsolicited commercial communication sent by email by a firm established in the UK must be identifiable clearly and unambiguously as an unsolicited commercial communication as soon as it is received by the recipient. Additionally, if we refer to price, we must do so clearly and unambiguously, indicating whether the price is inclusive of tax and delivery costs.
When placing and receiving orders electronically, we must:
- Give an electronic commerce activity (ECA) recipient at least the following information, clearly, comprehensibly and unambiguously, and prior to the order being placed by the recipient of the service:
a) The different technical steps to follow to conclude the contract.
b) Whether or not the concluded contract will be filed by us and whether it will be accessible.
c) The technical means for identifying and correcting input errors prior to the placing of the order.
d) The languages offered for the conclusion of the contract.
- Indicate any relevant codes of conduct to which we subscribe and information on how those codes can be consulted electronically.
- Acknowledge the receipt of the recipient's order without undue delay and by electronic means.
- Make available to an ECA recipient appropriate, effective and accessible technical means allowing the recipient to identify and correct input errors prior to the placing of an order.
Contractual terms and conditions provided by a firm to an ECA recipient must be made available in a way that allows the recipient to store and reproduce them.
7.4. Professional Indemnity Insurance
ShareIn Limited maintains PI insurance cover for our investment business at least equivalent to the minimum limits set by our regulator. All correspondence seeking information on our cover or details of the nature of our insurances should be referred to the chief executive so that a correctly detailed response may be prepared.
Details of our policy are available from the chief executive.
7.5. Compliance Monitoring
In addition to our requirement to monitor the activities of our Appointed Representatives, ShareIn must design and implement an appropriate and rigorous compliance monitoring programme. This aims to review key areas of our regulatory obligations to ensure that the possibility of investor loss/detriment is detected at the earliest opportunity.
Monitoring, once conducted, results in a written exception-based report being produced by the compliance officer. This report sets out details of required remedial action and seeks to allocate timescales and responsibilities for achievement.
Where remedial action is warranted, the performance and outcome of the remedial action is reviewed for satisfactory operation by the compliance team at the next scheduled monitoring exercise covering the area in question.
The compliance officer also produces an annual report for the management board's consideration. This sets out such matters as adequacy of resource, outstanding issues and looks at historical issues to confirm that appropriate action has been taken.
7.6. Compliance Manual Updates
The compliance officer will issue updates to this manual from time to time to assist you in fulfilling your compliance with these obligations.
If you have difficulty interpreting or understanding anything in the manual, or require guidance on any aspect of the rules and their bearing on your day-to-day work, please speak to the compliance officer.
7.7. Notification of Changes
The FCA requires us to keep it informed of any changes in the basic information it holds about our business. Further details of the information required can be found in Chapter 15 of the FCA Handbook-SUP.
The compliance officer is responsible for attending to all notifications that may be required.
The FCA must be given 'reasonable advance notice' of a change to any of the following:
Our principal business name or registered name.
Any business name under which we conduct a regulated activity in the UK.
Our principal place of business in the UK.
Any change in our legal status.
If we become, or cease to be, subject to supervision by a regulator in another country.
Any information given to the FCA must be factually accurate and complete, and include "anything of which the FCA would reasonably expect notice". If we become aware that any information supplied to the FCA is no longer accurate, we must notify it immediately. We must give it details of the inaccurate or misleading information, together with an explanation of how such came to be provided to it, and the correct information.
7.8. FCA Clearances and Notifications
To fulfil its role as our regulator, the FCA needs 'timely and accurate' information about us and our business. The FCA's full reporting requirements are contained in Chapter 16 of the FCA Handbook-SUP. The compliance officer is responsible for ensuring that the FCA's requirements are satisfied.
ShareIn Limited's reference number in the FCA's records is: 603332.
We are also registered with the Information Commissioner for data protection purposes, and our registration number is ZA029742.
It is essential we keep orderly business and internal organisation records. Such records must include details of all services and transactions we undertake. These records must be sufficient to enable the FCA to monitor our compliance with regulatory requirements and have particular regard to compliance with all obligations in respect of clients.
All records must be stored in an easily retrievable manner that would allow the FCA to access them readily and to reconstitute each key stage of the processing of each transaction. Furthermore, it must be possible for any corrections or amendments and the contents of records prior to such corrections or amendments to be easily ascertained. It must also be impossible for records to be altered or manipulated.
The FCA record-keeping requirements stipulate retention periods varying from one year to six years. Certain pension related records must be held indefinitely. For simplification purposes, it is felt prudent to apply a retention period of six years for all non-pension related records. Accordingly, the following table details the records that should be retained for at least six years, unless otherwise stipulated. The exception is where records relate to pension transfers, pensions opt-out or FSAVC ("Free-standing additional voluntary contribution"). In such instances, records should be held indefinitely. Client agreements should be retained for whichever is the longer of five years or the duration of the relationship with the client.
All records must be accurate and updated regularly on a timely basis.
In meeting the record-keeping requirements, a number of key compliance registers/records must be maintained, as follows:
Record of apportionment - This details the allocation of responsibilities by the chief executive/partnership to regulated individuals throughout the firm. The record will remain a prime control document which will be amended by the compliance officer if responsibilities change, or new regulated staff are appointed.
Breaches register - This details breaches discovered through monitoring or general management of the firm in addition to issues drawn by employees and management to the attention of the compliance officer. The register will record all material breaches and will be the prima facie record available to the regulator and auditors. Our breaches register is available on Trello.
Complaints register - This details complaints received from clients, their handling and resolution. This document is the key control over our complaints handling mechanism. All complaints received must be recorded herein. Failure to notify the compliance officer of a complaint may result in disciplinary action being taken against any employee withholding information. Each Appointed Representative has its own Complaints register, found on the shared Dropbox.
Investments via Personal Accounts register - This details all relevant staff investments set out in the investments via personal accounts section of this manual.
Advertising/marketing register - This details all real time and non-real time investment promotions we issue. ShareIn store records of approved financial promotions and other client communications on an internal Trello board.
Registered individuals - Our register of FCA approved individuals. The compliance officer will maintain this record.
Financial records - These detail our financial position and will be maintained by the finance officer. The compliance officer will retain a copy of all FCA financial returns documentation.
Training & competence plan and register - Details of our T&C scheme, assessment and continuing education information. ShareIn store a copy of the T&C register on the internal Compliance dropbox. Each Appointed Representative has a link to provide details of any training undertaken that is outwith Compliance training delivered by ShareIn.
Compliance plan - This details the compliance officer's analysis of compliance activities and resource. This document is published annually and provided to the management board for consideration.
Compliance monitoring programme - This details the risk-based programme of monitoring which the compliance officer will undertake to assist in assessing our compliance with FCA rules.
Compliance manual and procedural documentation - These detail the compliance procedures and processes in operation throughout the firm. Individual line managers retain responsibility for updating procedural documents for their own areas of work. The compliance officer retains responsibility for the compliance manual, monitoring programme and plan. A copy of all documents, irrespective of origin, must be provided to the compliance officer for retention.
Gifts and entertainment register - This details all gifts and benefits in kind accepted by any FCA approved person.
The FCA operates an electronic reporting system known as GABRIEL (gathering better regulatory information electronically) for the collection, validation and storage of regulatory data. GABRIEL is designed to be a flexible and user-friendly web-based reporting platform.
Details of the financial reporting requirements applicable to regulated firms can be found in SUP 16.12 (integrated regulatory reporting). This section of the FCA Handbook includes details of the reporting requirements for firms (other than 'authorised professional firms') carrying on any of the regulated activities highlighted within each of 10 regulated activity groups (i.e. RAG 1 to RAG 10). The rules relevant to 'applicable data items', reporting frequency/period, and due date are included in a number of tables supporting each RAG ("Regulated activity group"). Firms will therefore need to be aware of the RAGs which apply to them to enable them to identify applicable data items, applicable reporting frequencies for submission, and applicable due dates for submission.
Applications and notifications are submitted through ONA.