FCA IT Controls
Whether your firm is authorised by, or is applying for authorisation from, the FCA, it will almost inevitably be using or be planning to use information technology in the provision of regulated products or services to its customers. The FCA requires all authorised firms to follow best practices for IT usage, to ensure customer data is properly protected, and to ensure that customers get the service they’re expecting.
The FCA’s scrutiny of IT processes and controls encompasses:
- IT governance and strategy
- IT risk management
- Project and change management
- Development, maintenance, testing and implementation of in-house and package software
- Internal IT audit
- Service delivery and incident handling
- Information security, controls and practices
- Security administration and monitoring
- Business continuity and disaster recovery
- Wind-down planning
- Outsourcing and offshoring
The degree of scrutiny the FCA applies to each of these areas will depend on the nature and scale of your firm’s operations, and the role IT plays in them. But any firm that relies on IT to conduct regulated business or which allows customers to transact regulated business online will be subject to the highest level of scrutiny.
Our FCA IT Controls service helps ensure you meet the FCA’s requirements in full.
- The first step is helping you complete the FCA IT Self-Assessment Questionnaire, which determines whether you need to complete the Detailed IT Controls Form, the less exacting IT Controls Form or neither.
- If you do need to fill in one of the FCA IT Controls forms, we will manage this process for you from start to finish. This includes:
  - Interviewing key employees to enable us to complete a first draft of the IT Controls Form and determine all gaps which need filling
  - Partnering with you to develop a project plan that addresses all shortfalls, whether this entails operational changes, developing or updating written policies, making changes to supplier contracts, or bringing existing materials together to support your position
  - Ensuring that your business continuity, wind-down and disaster recovery plans are robust and realistic
  - Managing the delivery of all project activities, including the drafting of new policies or policy updates, if required
  - Conducting a weekly progress update session with our primary contact at your firm
  - Delivering a final draft of the IT Controls Form, along with all required supporting materials in a format suitable either for a new FCA application or in response to an FCA audit.
As well as reviewing all aspects of IT use across your business, our FCA IT Controls service provides a range of additional benefits, including:
- Ensuring, through our regulated group firm Absolute Cover, that you hold adequate cyber insurance and are not invalidating existing cover
- Reviewing your data security arrangements
- Ensuring sufficiently demanding penetration testing of your IT platforms to help you avoid the huge reputational and commercial damage firms can suffer if affected by cyber theft, cyber extortion, denial of service attacks, etc.
- Identifying opportunities to increase your use of cloud computing and so achieve benefits including cost reduction, scalability, security and resilience.