Status: Please note you should read all Brexit changes to the FCA Handbook and BTS alongside the main FCA transitional directions. Where these directions apply the 'standstill', firms have the choice between complying with the pre-IP completion day rules, or the post-IP completion day rules. To see a full list of Handbook modules affected, please see Annex B to the main FCA transitional directions.

FCG 5.3 Further guidance

FCG 5.3.1

FCTR contains the following additional material on data security:

  1. FCTR 6 summarises the findings of the FSA’s thematic review of Data security in Financial Services and includes guidance on:

    1. Governance (FCTR 6.3.1G)

    2. Training and awareness (FCTR 6.3.2G)

    3. Staff recruitment and vetting (FCTR 6.3.3G)

    4. Controls – access rights (FCTR 6.3.4G)

    5. Controls – passwords and user accounts (FCTR 6.3.5G)

    6. Controls – monitoring access to customer data (FCTR 6.3.6G)

    7. Controls – data back-up (FCTR 6.3.7G)

    8. Controls – access to the internet and email (FCTR 6.3.8G)

    9. Controls – key-logging devices (FCTR 6.3.9G)

    10. Controls – laptop (FCTR 6.3.10G)

    11. Controls – portable media including USB devices and CDs (FCTR 6.3.11G)

    12. Physical security (FCTR 6.3.12G)

    13. Disposal of customer data (FCTR 6.3.13G)

    14. Managing third party suppliers (FCTR 6.3.14G)

    15. Internal audit and compliance monitoring (FCTR 6.3.15G)

  2. FCTR 10 summarises the findings of the Small Firms Financial Crime Review, and contains guidance directed at small firms on:

    1. Records (FCTR 10.3.5G)

    2. Responsibilities and risk assessments (FCTR 10.3.7G)

    3. Access to systems (FCTR 10.3.8G)

    4. Outsourcing (FCTR 10.3.9G)

    5. Physical controls (FCTR 10.3.10G)

    6. Data disposal (FCTR 10.3.11G)

    7. Data compromise incidents (FCTR 10.3.12G)