Procedure for monitoring, handling and following up on security incidents and security-related customer complaints | Template for FCA Applications

FCA and PRA authorisations and ongoing compliance support. Contact us 7 days a week, 8am-11pm. Free consultations. Phone/Whatsapp: +4478 3368 4449  Email: info@hirett.co.uk

We use a software system with built-in controls against fraud and unauthorised access comparable to those many banks use for online banking: a password, memorable information, one-time codes sent to authorised users' mobile phones, and email notifications of account activity. A user who logs in from a new location or a new device must pass additional layers of authentication before access is granted. The system monitors login attempts continuously; when an attempt to access the system as an administrator is made from a new device or location, the known administrators are notified of the device and location involved and can immediately restrict the account's access if the attempt looks suspicious. Because the "new device" and "new location" signals are derived from values an attacker can alter (a device cookie or fingerprint, the source IP address), they are used only to trigger the additional authentication, not as proof of identity in their own right.
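The following is an added example, written for this page and not taken from the software vendor, of the login-monitoring logic described above: a known-device table per user, step-up authentication whenever a device or location is unseen, notification of every known administrator when the account is an administrator, and an administrator action that restricts the account. The event fields, the meaning of `device_id` (a persistent device cookie or fingerprint) and `location` (coarse geolocation of the source IP), and the failed-login threshold are assumptions.

```python
"""Adaptive login monitoring: step-up authentication on a new device or location,
admin notification when the account is an administrator.  Added example, not the
vendor's software; field names and the failure threshold are assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class LoginEvent:
    user: str
    role: str             # "admin" or "user"
    device_id: str        # assumed: persistent device cookie / fingerprint
    location: str         # assumed: country or city derived from the source IP
    credentials_ok: bool  # password and memorable information already checked


@dataclass
class Decision:
    user: str
    allow: bool          # primary credentials accepted
    step_up: bool        # an additional authentication layer is required
    notify_admins: bool  # known administrators are informed of the attempt
    reason: str


class LoginMonitor:
    FAILURE_THRESHOLD = 3  # assumed: consecutive failures that alert the admins

    def __init__(self, known: dict[str, set[tuple[str, str]]], admins: list[str]) -> None:
        self.known = known          # user -> set of trusted (device_id, location)
        self.admins = list(admins)  # administrators who receive notifications
        self.failures: dict[str, int] = {}
        self.notifications: list[tuple[str, str]] = []  # (recipient, message)

    def _notify(self, message: str) -> None:
        for admin in self.admins:
            self.notifications.append((admin, message))

    def evaluate(self, ev: LoginEvent) -> Decision:
        seen = self.known.setdefault(ev.user, set())
        if not ev.credentials_ok:
            n = self.failures.get(ev.user, 0) + 1
            self.failures[ev.user] = n
            alert = n >= self.FAILURE_THRESHOLD
            if alert:
                self._notify(f"{n} consecutive failed logins for {ev.user} "
                             f"from device {ev.device_id} in {ev.location}")
            return Decision(ev.user, False, False, alert, "credential failure")
        self.failures[ev.user] = 0
        new_device = ev.device_id not in {d for d, _ in seen}
        new_location = ev.location not in {loc for _, loc in seen}
        if not (new_device or new_location):
            return Decision(ev.user, True, False, False, "known device and location")
        what = "device and location" if (new_device and new_location) else (
            "device" if new_device else "location")
        notify = ev.role == "admin"
        if notify:
            self._notify(f"admin {ev.user} attempted login from new {what}: "
                         f"device {ev.device_id}, location {ev.location}")
        # The new pair is NOT enrolled here: it becomes trusted only once the
        # step-up succeeds (confirm_step_up), so a stolen password alone never
        # adds an attacker's device to the trusted set.
        return Decision(ev.user, True, True, notify, f"new {what}")

    def confirm_step_up(self, ev: LoginEvent) -> None:
        """Call once the additional authentication layer has succeeded."""
        self.known.setdefault(ev.user, set()).add((ev.device_id, ev.location))

    def restrict(self, user: str) -> None:
        """Administrator response to a suspicious attempt: forget every trusted
        device for the account so that every further login needs step-up."""
        self.known[user] = set()


if __name__ == "__main__":
    # Constructed sample events, not real logs.
    m = LoginMonitor({"alice": {("dev-1", "GB")}}, admins=["alice", "bob"])
    for ev in (LoginEvent("alice", "admin", "dev-1", "GB", True),
               LoginEvent("alice", "admin", "dev-9", "DE", True),
               LoginEvent("carol", "user", "dev-5", "GB", True)):
        print(m.evaluate(ev))
    for recipient, message in m.notifications:
        print(f"notify {recipient}: {message}")
```

The design point worth copying is the separation between detecting a new device and trusting it: the trusted set only grows after the extra authentication layer has passed, and an administrator's `restrict` call empties it so the account cannot be used without step-up until the attempt has been reviewed.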

Complaints procedure checklist

  • Definition/examples of what constitutes a complaint – oral or written.
  • Confirmation of who in the firm is assigned to deal with complaints and how complaints are passed to them (must be a competent person, and may include an outsourced service)
  • Any actual or suspected security incident must be reported immediately, and in any event within 4 hours of becoming aware of it
  • Any incidents involving lost or stolen equipment or a network security issue will be reported immediately to telephone number: __________________________
  • Final report should be completed and submitted to FCA within two weeks.

A summary of key steps to take in order to investigate the complaint

  • Review file/facts
  • Speak to relevant individual
  • Record outcome/recommendation in writing
  • If changes/improvements to procedures required flag for action
  • Confirmation of requirement to respond to complaints in line with FCA rules (all deadlines apply from the date the original complaint was received):
  • A prompt written acknowledgment – to include a written summary of your internal complaints procedure (may double up as final response)
  • Further holding letter or final response within four weeks
  • Final or other response within eight weeks
  • Requirement to inform customers of their right to refer the complaint to the Financial Ombudsman Service (FOS) if they are unhappy with the final response or do not receive a response within eight weeks
  • The need to inform customers of the six-month deadline, running from the date of the final response, for referring the complaint to the Financial Ombudsman Service
  • Encouragement also to use the phone to keep customers informed of progress/delays – and, where possible, to record the conversations
  • Confirmation that copies of correspondence and notes from telephone conversations must be kept on file for each complaint
  • Outline procedure for systematic logging of complaints by date, nature, name, whether or not considered justified and confirmation of response dates/outcome
  • Confirmation of how/when/to whom the complaint handler should report complaints internally and make recommendations for revised practice where appropriate
  • Confirmation that customers are made aware in writing of the availability of the internal complaint handling procedures at or immediately after the point of sale (this may be in the initial disclosure document or the offer document)
  • Also confirmation that the details of the internal complaint handling procedures are published, and that a copy is supplied to a customer on request, or in response to a complaint not resolved by the end of the business day following its receipt
  • Confirmation of the requirement to report complaints to the FCA twice a year for the six month periods preceding and following the firm’s accounting reference date
  • Confirmation of the requirement to use the FCA’s standard Complaints Form and electronic reporting procedure via the Firms Online service

Data Access

Our data is accessible only to authorised staff, who must present all five of the following in order to log in to our system:

  1. A password
  2. An access card with encrypted credentials
  3. A one-time challenge code displayed on the system log-in interface. The user enters this code into a tailored application on a registered mobile device, which generates a response token from it
  4. The user enters this token into the system; if it is correct, the user is granted access
  5. Token generation is linked to the IMEI number of the mobile device, so that only that specific handset can produce valid tokens; opening the token-generating application itself requires biometric (fingerprint or facial) recognition. Note that an IMEI is an identifier rather than a secret, so this binding is only as strong as the key material the application holds on that handset.
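Steps 3 and 4 describe a challenge-response token. The block below is an added example written for this page, not the vendor's application, of how such an exchange is checked on both sides: the server shows a random single-use challenge, the handset turns it into a short code with a key that exists only on that device, and the server verifies the code in constant time and then discards the challenge. The 32-byte device key, the 8-digit code, the 120-second challenge lifetime and the RFC 4226-style truncation are assumptions; an IMEI is deliberately not used as the key.

```python
"""Challenge-response login token: the system shows a one-time challenge, the
mobile application answers with a keyed response, the system verifies it.
Added example, not the vendor's application; key length, code length and
challenge lifetime are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time


def respond(device_key: bytes, challenge: str, digits: int = 8) -> str:
    """What the mobile application computes from the displayed challenge.
    HMAC-SHA256 with RFC 4226 dynamic truncation yields a short code the user
    can type; the device key itself never leaves the handset."""
    mac = hmac.new(device_key, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class ChallengeServer:
    def __init__(self, device_keys: dict[str, bytes], ttl: float = 120.0) -> None:
        # user -> per-device key registered at enrolment.  An identifier such as
        # the IMEI is readable by anyone with the handset and cannot play this
        # role; the key must be a random value kept in the handset's secure store.
        self.device_keys = device_keys
        self.ttl = ttl  # assumed challenge lifetime in seconds
        self.pending: dict[str, tuple[str, float]] = {}  # user -> (challenge, expiry)

    def issue_challenge(self, user: str, now: float | None = None) -> str:
        now = time.time() if now is None else now
        challenge = f"{secrets.randbelow(10 ** 8):08d}"  # shown on the login page
        self.pending[user] = (challenge, now + self.ttl)  # replaces any older one
        return challenge

    def verify(self, user: str, token: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        # Single use: the challenge is consumed whether or not the token is right,
        # so a captured token cannot be replayed and guesses cannot be retried
        # against the same challenge.
        entry = self.pending.pop(user, None)
        if entry is None or user not in self.device_keys:
            return False
        challenge, expiry = entry
        if now > expiry:
            return False
        expected = respond(self.device_keys[user], challenge)
        return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)             # provisioned to alice's handset
    server = ChallengeServer({"alice": key})
    shown = server.issue_challenge("alice")   # step 3: code on the login screen
    token = respond(key, shown)               # step 3: the app turns it into a token
    print("first use accepted:", server.verify("alice", token))  # step 4
    print("replay accepted:", server.verify("alice", token))
```

Two details carry most of the security: the challenge is popped before any check, so neither a replayed token nor a second guess can be tried against it, and the comparison uses `hmac.compare_digest` so the verifier's timing does not leak how many digits matched.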

How data is stored on our server and how breaches are prevented and addressed

Client and transactional data is stored remotely on a storage device encrypted with 256-bit AES. The device accepts connections only from devices with specific, pre-registered MAC addresses, so a device that is not on that list is refused even if it presents the correct credentials, and only a limited number of specific devices are ever registered. This blocks access from unregistered devices in the ordinary case; it is a supporting control rather than a guarantee, because a MAC address can be copied by an attacker who has already reached the same network, so the credential check and the encryption remain the primary protection. The storage device erases its data contents if it is physically connected to any device other than the pre-registered ones. Taken together, these measures substantially reduce the likelihood of a breach. An identical device, subject to the same security protocol, is kept as a failsafe in the event of a failure of the primary storage device.

Monitoring data and how data is used

Monitoring rules, designed to meet the requirements of the FCA Handbook, have been programmed to monitor all transactions in real time and compare each one with the client's previous transactions.

Data is monitored automatically by these built-in rules: any client attempting to exceed the pre-defined limits is logged automatically, and a report is generated automatically for submission to the FCA in accordance with the reporting procedures in the FCA's guidance.

Security Policy

We use a bespoke IT system whose access control, breach prevention, data analysis, logging and reporting features are outlined in the sections above.

Our premises are secured with the following:

  • Locked doors
  • Intrusion detection alarm linked to live local rapid response unit
  • CCTV system installed both internally and externally, with images stored both locally and remotely
  • Access control devices are used throughout the premises, with all entries and exits logged on our secure servers

We consider the measures detailed above adequate for preventing, detecting and reporting security breaches and the risk of fraud or money laundering.

All IT equipment is protected with current antivirus software, which is updated daily or whenever an update becomes available. The equipment is also physically secured with locks.

Customer identity is verified by physically and meticulously checking clients' identity documents against their identity particulars. Confirmation of address and postcode, date of birth, transaction history and contact details are used to verify clients further. Any suspicious transactions or individuals are reported using the built-in reporting utilities available to employees, which are designed around FCA reporting guidelines.

2019-10-28T20:57:54+00:00