This page explains how and why we use personal data to fulfil our supervision functions.
We define supervision as the continuing oversight of firms and of individuals controlling firms to reduce actual and potential harm to consumers and markets.
Part of our duties as a regulator includes the supervision of around 58,000 firms serving retail and wholesale consumers. To make the best use of our resources and deliver the greatest public value, we take a proportionate approach to supervising firms.
We supervise using the different approaches described below.
- Forward looking, pre-emptive. All firms are members of a portfolio that share a common business model. We analyse each portfolio and agree a strategy to take action on firms posing the greatest harm. We communicate our expectations, priorities and examples of good or poor practice. For a small number of firms with the greatest potential impact on consumers and markets, we have dedicated supervision teams. These teams have a view of the whole firm across all the sectors it operates in. They assess the potential harm that the firm may cause, and agree a strategy to reduce or prevent this.
- Dealing with issues that are emerging or have happened as quickly and efficiently as possible to prevent the harm growing. We get information from sources including the general public, regulated firms, whistleblowers and other bodies or firms.
- Diagnostic work that focuses on risks and issues affecting multiple firms or a sector as a whole.
We intervene early where we see poor behaviour, taking action to prevent harm to consumers and markets, and getting redress where appropriate.
Our supervisory work often involves an element of research. Read more about how we use personal data as part of our research work.
The personal data we use
In order to properly undertake our supervisory work we are often required to collect a wide range of information on the firms, individuals and markets that we regulate. To support our analysis we often request data relating to the customers of the above (data collected as part of an application for a financial product, or when a customer gets into financial difficulty). This is to help us make informed judgements on how those we regulate are operating in practice and whether their customers are experiencing harm. The type of personal data that we typically receive as part of our supervisory work includes:
- employment history
- contact details
- criminal records
- personal opinions
- allegations of criminal offences
- health information
- date of birth
- National Insurance number
- financial information such as salary, transaction statements
- credit checks
We work hard to minimise the personal data that we collect for this purpose. In certain limited circumstances we may also receive the following special categories of personal data:
- political views
- information about a person’s sex life and sexual orientation
- trade union membership
- race or ethnicity
- information about a person’s religion or religious beliefs
The personal data we collect also includes technical data such as traffic, location, time zone and other communication data; and information from your computer or device, such as your internet protocol (IP) addresses, the login data, browser type and version, operating system and platform you use to access Connect.
How this personal data is collected
We collect personal data in a variety of ways in order to undertake our supervisory duties. In order to get a holistic and accurate view of the firms and markets we regulate, understand consumer behaviour and properly identify issues, trends and risks, we collect information from third parties as well as from individuals directly. Examples of the third parties we receive information from include:
- media sources
- other regulators
- members of the public/consumers
- law enforcement agencies
- other government organisations
Why we use this personal data
We use this personal data to ensure that we are able to fulfil our statutory functions under FSMA and other relevant legislation and, in particular, to help us to ensure that the markets work well, for example by:
- exploring and analysing identified risks within regulated firms through firm-specific and cross-firm work
- ensuring regulated firms behave appropriately, particularly when detriments arise
- effectively monitoring firms entering any regulated sectors, including reviewing and assessing individuals working in and impacting those sectors
- developing and sharing intelligence about regulated firms and sectors
- working with trade bodies, segment advisers and other third parties to help determine and communicate trends, forward views and gauge risks in the market
We also collect technical data for the purposes of monitoring and investigating any suspicious activity, misuse of our ICT systems and for the purposes of maintaining cyber security. Automatic profiling may alert us of certain activities relating to the technical metadata. Where such alerts are received by us, we will decide whether to investigate further and there will be no automated decision process.
The lawful basis for us using this personal data
We use this personal data under Article 6(1)(e) of the GDPR (it is necessary for the performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018. To the extent that we use any special categories of data as part of our supervision work, we do so under Article 9(2)(g) of the GDPR (it is necessary for reasons of substantial public interest) and Section 10(3) of the DPA 2018, in that it meets a condition in Part 2 of Schedule 1 of the DPA 2018 and we have an appropriate policy document covering this processing. Our supervisory work is essential to enable us to monitor firms and the markets and properly undertake our statutory functions as a regulator of financial conduct and the related markets.
When we share personal data as part of our supervision work
Where it is appropriate to do so, we share personal data with other regulators, public authorities and law enforcement agencies both inside and outside the UK. In some circumstances we choose to share this information and, in others, we are obliged for legal reasons to share the information.
When this personal data is transferred outside the EU
As mentioned above, given our role as a regulator we do occasionally share personal data with other regulators, public authorities and law enforcement agencies outside the EU. Before we transfer personal data outside the EU, we have robust processes to ensure that appropriate safeguards are put in place to protect any personal data included in such a transfer. The FCA is a signatory to the IOSCO-ESMA administrative arrangement for the transfer of personal data between EEA authorities and non-EEA authorities. This arrangement acts as an appropriate safeguard when the FCA shares personal data with non-EEA regulators that have signed the arrangement. View the full text of the administrative arrangement and the list of signatories. If you would like to obtain more details about the safeguards that we have in place with regard to any personal data about you that we may transfer to a particular non-EU country, please contact us.
Learn about your rights
Under the GDPR, individuals have a number of rights relating to their personal data. Read more about your rights and how to exercise them.