On 13 October 2023, the UK Financial Conduct Authority (FCA) published its press release and Final Notice to Equifax Limited (Equifax Ltd), the UK subsidiary of US company Equifax Inc, in relation to a major 2017 data breach which affected over 13.7 million UK consumers. The FCA determined that the firm had breached Principles 3, 6 and 7 of its Principles for Businesses and imposed a fine of over £11m on Equifax Ltd. The firm agreed to resolve the matter and so qualified for a 30% discount for early settlement. While the breach itself may be a distant memory, the FCA's Final Notice helps to explain the rationale behind the UK regulatory authorities developing and enhancing the operational resilience regime in 2019. It also highlights some particular pitfalls in managing intra-group outsourcings effectively.
- Firms which enter into intra-group outsourcing (or similar) arrangements are expected to meet the same FCA requirements, and apply the same standard of rigour in overseeing and managing the risks in those intra-group arrangements, as outsourcing to (or similar arrangements with) an unrelated third party.
- Intra-group outsourcing can involve special risks. For example, firms must be careful about intra-group reporting structures (such as relevant senior managers having 'hard' reporting lines up into the group service provider) which might compromise effective oversight of the service provider.
- Contractual risk management mechanisms (eg audit rights) alone are not sufficient: they must be exercised in practice, even where the firm is overseeing services provided by its own parent.
- Firms remain responsible for compliance with the FCA rules and may not delegate responsibility when outsourcing or engaging in a third party arrangement.
- The FCA expects prompt notification of, and accurate information about, incidents of the type to which Equifax Ltd was exposed. Firms and individuals performing Senior Manager Functions (SMFs) must ensure that their outsourcing and third party arrangements facilitate rather than hamper the ability to make such notifications.
- Communication with customers, particularly retail customers, is expected to be accurate and timely. Typically, in circumstances where there is no existential risk to the firm, delivering fairness to its customers should be the primary consideration, rather than whether an exercise is 'resource intensive'.
- UK-based firms which adopt 'global' policies without ensuring appropriate caveats to accommodate the UK operating jurisdiction, UK customers and the UK regulators may exacerbate their exposure to operational, regulatory and litigation risk.
- Getting the basics right – not least deploying software patches and keeping certificates up to date – is essential for good data security. At an even more fundamental level, knowing where data is and how it is kept secure is critical.
- Firms should also prepare for handling the aftermath of operational risk incidents, including complaints handling, as it will be difficult for business as usual (BAU) processes to handle the kind of volumes of complaints which arise.
The 2017 data breach
In May 2017, Equifax Inc's servers were hacked; the data which Equifax Inc held about millions of US, UK and Canadian citizens was accessed by the hackers without authorisation. They were able to access the system because there was a known software vulnerability which had not been patched (fixed). Fixing the vulnerability was delayed because:
- individuals within Equifax Inc who should have been notified were not notified, as the company's list of those who should receive such notifications was not up to date;
- an employee responsible for patching software on the relevant part (a sub-directory) of the server did not identify the vulnerability and therefore the patch was not applied;
- an expired certificate prevented the correct operation of a security rule which would have blocked the intruders; and
- vulnerability scanning software used by Equifax Inc did not scan all parts of the server, with the result that only some, rather than all, occurrences of the software vulnerability on Equifax Inc servers were patched.
Equifax Ltd did not find out that its customers' data had been accessed until a month after the hack was discovered by Equifax Inc. Equifax Ltd was informed only minutes before its US parent company publicly announced the incident. Equifax Ltd struggled to cope with consumer inquiries and appropriately handle complaints following the incident, and itself made public statements about the incident which gave an 'inaccurate impression' about the impact on UK customers.
As mentioned above, the FCA determined that Equifax had breached three of its Principles for Businesses:
- Principle 3 requires a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
- Principle 6 requires a firm to pay due regard to the interests of its customers and treat them fairly.
- Principle 7 requires a firm to pay due regard to the information needs of its clients and communicate information to them in a way which is clear, fair and not misleading.
The FCA imposed a fine of over £11m on Equifax Ltd. The firm agreed to resolve the matter and so qualified for an early settlement discount of 30%. As part of the FCA's penalty calculation, Equifax also received a 15% credit for mitigation which recognised the high degree of cooperation, the voluntary redress offered to consumers, and the global transformation programme instituted in response to the breach.
A changed financial services regulatory environment
Since 2014 when Equifax Ltd came within the purview of the FCA and since 2017 when the incident occurred, the regulatory environment has significantly changed:
- Operational Resilience: The UK financial services regulators have introduced new rules on operational resilience; these came into force on 31 March 2022, and firms are currently working towards the 31 March 2025 compliance deadline. Firms should note that in another recently concluded enforcement action, the UK Prudential Regulation Authority (PRA) specifically highlights its operational resilience requirements even though the incident which that enforcement action is concerned with occurred prior to the introduction of the current regime. It said: 'the PRA's requirements and expectations as regards managing operational resilience consolidate many long standing and well understood areas of prudential regulation that have formed part of the PRA Rulebook for several years...' (For more on operational resilience, see our 2021 article on the final rules here.)
- Individual Accountability: The Senior Managers and Certification Regime (SMCR) was extended to capture all solo-regulated firms, including credit rating agencies, in 2019. If the same incident were to happen today, individuals holding SMF roles could face enforcement action as individuals. In April 2023, the PRA fined a former Chief Information Officer (CIO) £81,620 for failing to take reasonable steps to ensure that their firm adequately managed and appropriately supervised its outsourcing arrangement in relation to an IT migration programme. The CIO was found by the PRA to be in breach of Senior Manager Conduct Rule 2. It is not possible to predict the precise level of sanction which either the FCA or the PRA might impose in relation to any particular individuals in connection with the Equifax incident, but the fine provides a reference point (noting that the number of customers impacted in relation to Equifax was higher than in the previous PRA case). Other sanctions are available to the FCA and PRA, including industry bans or public censures.
- Customers: The FCA's new Consumer Duty (the Duty) came into force in July 2023. The FCA has said that the Duty is a 'significant shift' in what the FCA expects of firms. The rules articulating the Duty require consideration of 'the needs, characteristics and objectives of their customers – including those with characteristics of vulnerability – and how they behave, at every stage of the customer journey. As well as acting to deliver good customer outcomes, firms will need to understand and evidence whether those outcomes are being met.' Were the same incident to occur today, with the related complaints handling issues, the financial penalty imposed could be even greater given the volume of customers impacted. Firms will have noted the comment made by the FCA's Chief Data, Information and Intelligence Officer, Jessica Rusu in the press release accompanying the Final Notice; Ms Rusu highlights 'an ethical responsibility in the processing of consumer information' and says that the Duty, 'makes it clear that firms must raise their standards'. In the run up to the Duty coming into force, the FCA said that it would 'act swiftly and assertively' where a breach of the Duty was identified. (For more on the Duty, see our 2022 article on the final rules, here.)
One area which is not new is the requirement for firms to handle complaints in accordance with regulatory requirements. Failure to do so can further impact customers, who have already been negatively affected by the initial breach (here, the loss or unauthorised access/use of their data). It is not unusual for firms to struggle with the volumes of complaints generated by major incidents and, consequently, to deal with them in time. However, this Final Notice highlights both the difficulties in managing large scale complaints programmes (and tracking relevant data about them) and also that it is not acceptable to cut corners with the quality of the process in response to this challenge. Failure to deliver the right outcomes to complainants will simply delay the payment of appropriate redress and increase the regulatory penalty (in this case by almost £2.5m, before application of the settlement discount).
Here it appears there were already weaknesses with the BAU complaints processes, which were exacerbated by the volumes arising from the incident. Equifax Ltd did not take sufficient steps to mitigate this – for example, by bringing in additional resource – until too late and quality assurance oversight of the complaints handling was lacking as a result.
Paragraph 4.22 of the Final Notice may particularly stand out for readers who have been monitoring the FCA's statements on firm culture. It relates to the statements made by the UK Security Officer – the senior individual responsible for security in Europe, including the UK – when told of the incident in late August/early September; they said:
...that the global security executive told him that there was an 'ongoing investigation about an incident, that it was potentially one of the largest incidents on record'. The Security Executive said that he asked the global security executive whether 'it would be safe to conclude that it was solely affecting the US'. The global security executive replied that it was 'not necessarily safe to assume' ... The Security Executive said that the global security executive explained that, 'If you ask any further questions then you will be walked off site. And if you tell anyone about the incident then you will be walked off site'.
We have recently written about the FCA's proposals to require firms to disclose and report on employees' responses to questions about culture as part of their diversity and inclusion (D&I) reforms. One of those survey questions is: 'I feel safe to express disagreement with, or challenge, the dominant opinion or decision without fear of negative consequences'.
Returning to the changed environment theme, the UK Security Officer is unlikely to have had the same experience had they been a Data Protection Officer (DPO) under the data protection legislation now in force, which provides holders of that role with valuable protection. Today, under the Data Protection Act 2018 (DPA 2018), a data controller such as Equifax would have to ensure that a DPO has independence; Part 3, Chapter 4, section 70 (3) (a) of DPA 2018 specifically requires the controller to ensure that the DPO does not receive any instructions regarding the performance of particular tasks, including monitoring compliance with policies of the controller in relation to the protection of personal data. Further, a controller may not dismiss or penalise a DPO for performing the statutory duties.
A late sting in a very long tail
The FCA Final Notice comes nearly six years after the incident occurred. During that time:
- in 2018, the UK Information Commissioner (ICO) fined Equifax Ltd £500k, reduced to £400k for prompt payment;
- in 2019, Equifax Inc agreed a $575m settlement with the US Federal Trade Commission (FTC), the US Consumer Financial Protection Bureau (CFPB), 48 US states, Washington DC, and Puerto Rico; and
- in 2020, the US Department of Justice (DoJ) indicted the suspected hackers.
The ICO's £500k fine was the highest available under the regime in place at the time – the UK Data Protection Act 1998. Had the incident happened when the UK General Data Protection Regulation (UK GDPR) was in place, then the ICO would have been able to impose a larger fine – up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.
To those unfamiliar with the FCA's enforcement case load, the regulator looks a little late to the table, particularly as it appears to have commenced its investigations at the same time as the ICO. However, according to the latest published data, the mean average duration of an FCA investigation in 2022/23 was 41 months, with the mean average duration of the resolution or litigation stage being 23 months. While not every case which is investigated is pursued to enforcement, five years from commencement of an investigation to Final Notice is not unusual. We note in this regard, however, the critical comments from Upper Tribunal Judge Herrington in the Seiler case (which also involved five years from commencement to notice) as to whether it is appropriate for the FCA to 'continue with an investigation which it does not have the resources to complete within a reasonable period of time'.
From a firm's perspective, the delay may remind customers and other stakeholders of events past. The impact will depend on a range of factors, from the tone and content of the FCA's press release to whether there is a bigger news story that day. However, it is sensible to have reputational risk management tools at the ready; teams managing media relations, shareholder relations, government affairs and customer service should be briefed in advance and well-resourced to respond to queries and, potentially, complaints.
FCA highlights credit for cooperation – a new emphasis in enforcement?
In the notes to its press release, the FCA explains that in addition to a 30% Stage 1 discount under executive settlement procedures, Equifax Ltd 'received a 15% credit for mitigation in acknowledgement of its high level of cooperation during the investigation, the voluntary redress it offered to consumers and the global transformation programme it instituted after the incident.' While the FCA's Final Notices always set out the steps taken in determining the fine, including whether there are mitigating or aggravating factors, it is unusual for these detailed workings to be cited in a press release.
Whilst taking appropriate and prompt action to redress customer loss has always been an important matter for firms to consider, with a positive impact on the levels of penalty imposed and the relationship with the regulators more generally, this case further signals that this looks to be something of increasing significance to the current FCA Enforcement leadership.
Critically, to obtain a discounted penalty (or even better, limit action to a public censure), emphasis appears to be placed on 'voluntary' actions firms take which may go beyond their strict legal requirements. This echoes the message delivered by FCA Joint Executive Director of Enforcement and Market Oversight, Therese Chambers in June of this year.
Ms Chambers described the FCA's Final Notice issued to Lighthouse Advisory Services in relation to a censure for unsuitable advice in respect of the British Steel Pension Scheme as 'a case where a firm not only took responsibility, but it took responsibility for a harm it did not cause. And then, it offered redress and co-operation beyond what was expected of it'. Specifically, 'The amount of redress paid by Quilter [the new owner of Lighthouse] was far more than the fees Lighthouse received for the unsuitable advice'. As we explored in our June article, this gives rise to some questions about what level of action is necessary to get credit for cooperation in the enforcement context. There is little clarity on what the FCA considers to be a 'high level of cooperation' by Equifax and how this differs from the 'very high levels' in Lighthouse. It is to be hoped that the FCA's new enforcement leads will provide some guidance for the industry on this and how sanctions might be impacted accordingly. The FCA has indicated that it will review its 2017 Mission and related Approach documents, which include the Approach to Enforcement, by April 2025. However, this is some time to wait, and there is potential for this, and any of the other Approach documents, to be retired.
Principle 11 breach? Can you report what you don't know?
Some may speculate on whether the FCA should have pursued a Principle 11 breach. Perhaps an argument could have been made that Equifax Ltd's actions – or inactions – had created the circumstances which led to it being unaware of the breach and therefore not making a notification which the FCA would have expected. On balance, this appears to be stretching the point somewhat and the infraction sits more sensibly under the Principle 3 breach.
There is also a fair argument against a Principle 11 breach as the Final Notice indicates that Equifax Ltd commenced its processes to notify the FCA on learning of the incident. It was unfortunate for Equifax Ltd that its US parent entity made a public announcement before it reviewed Equifax Ltd's intended communication to the FCA. Further, this case demonstrates that it is always a bad starting point when the FCA becomes aware of something through the press rather than from a proactive report from the firm.