FCA Forces UK Banks to Come Clean on Security Incidents

UK banking regulator the Financial Conduct Authority (FCA) has unveiled sweeping new rules which will force high street lenders to be more transparent to customers about security incidents.

Published on Tuesday, the final rules are designed to make it easier for consumers to compare the service offered by banks, in a bid to drive greater competition in the market.

From August 18 next year, all UK banks offering personal and business current accounts will be forced to reveal how often they have had to report “major operational and security incidents.”

However, it’s unclear how much detail, if any, lenders will be forced to go into on each incident.

A “major” incident in this instance refers to one which prevents customers from using banking services.

The new reporting rules are required by forthcoming EU legislation, the Second Payment Services Directive (PSD2), which will feature “a matrix of quantitative and qualitative impact thresholds” taking account of factors such as the length of the incident and the size of the firm.

The FCA’s move comes after its director of supervision, Megan Butler, claimed last week that there’s “currently a material under-reporting of successful cyber-attacks in the financial sector.”

Of course, most major security incidents affecting customer data will also have to be reported under the GDPR from May 2018.

Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu UK&I, argued that banks are undergoing “a period of intense structural change”.

“With the number of threats continuing to increase exponentially, customer trust has never been so valuable or hard to come by and as such it has never been more important for banks to be open and honest about their security,” she added. “It is paramount that the industry does not overlook, or get complacent about, security or place it in the ‘too big to fix’ category, and instead takes a proactive approach.”