You are responsible for securing your customer data and protecting it from fraudsters. Read more about the measures you should consider.
Customer data is any identifiable personal information held in any format, for example National Insurance records, addresses, dates of birth, family circumstances, bank details and medical records. This information must be kept securely not only to comply with your obligations under the UK’s Data Protection rules within the Data Protection Act 2018[2] and the UK General Data Protection Regulation[3], but also because criminals may use it to commit offences such as identity theft.
Data security is not just an IT issue, nor is it only a concern for large firms. All firms, regardless of size, should think carefully about how they protect their data. Strong data security policies, systems and controls will help keep customer data safe. You must also ensure that employees understand these policies and procedures, and that your firm keeps them up to date when people move on.
IT security measures
You should use risk-based, proactive monitoring to check staff only access or change data for genuine business reasons, and that they follow good password standards and do not share or write down their usernames and passwords.
If employees work from home or use laptops and portable devices such as USB sticks and CDs to store customer data, you must be vigilant about the risks of loss or theft. Unencrypted customer data should never be stored on these devices.
Insecure backup and storage of customer data leave you at risk. We expect you to review your data backup procedures regularly and consider threats from all angles, including the transit or upload process and the ultimate place of storage. If your data is held off-site by a third party, you should encrypt it and make sure you carry out regular due diligence.
Broader security measures
Customer data can be compromised in many ways, so you should also:
- check the physical safety of your business premises
- keep a sign-in book for visitors and ensure they are supervised while onsite
- carry out enhanced recruitment checks
- conduct credit and criminal record checks on anyone who has access to customer data
Outsourcing to a third party does not remove your responsibility for protecting customer data. You should carry out due diligence on third-party suppliers before hiring them, understand their vetting procedures, and ensure they follow your firm’s security requirements.
For further detail and examples of good and poor practice in data security, see FCG 5 in the Financial Crime Guide[4].