Compliance Breach Policy & Procedure
1. Policy Statement
The company is committed to its obligations under the regulatory system and maintains a robust and structured programme for compliance adherence and monitoring. We carry out frequent risk assessments and gap analysis reports to ensure that our compliance processes, functions and procedures are fit for purpose and that mitigating actions are in place where necessary; however, should there be any compliance breach, this policy states our intent and objectives for dealing with such a breach.
Although we understand that not all risks can be completely mitigated, we operate a robust and structured system of controls, measures and processes to help protect our business and customers from the risks associated with compliance breaches.
2. Purpose
The purpose of this policy is to provide an overview of the Company’s approach to any form of compliance breach within the organisation, to set out and explain who is responsible for reporting, communicating and investigating any such breach and to explain our definition of a breach.
The aim of this policy is to prevent compliance breaches within the organisation and to provide guidance on protocols for any breaches which may occur. Staff are kept informed of any changes to this policy and its associated procedures and any reviews and/or updates are disseminated by the Compliance Officer.
3. Scope
The policy applies to all staff (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the company in the UK or overseas) within the organisation and has been created to ensure that staff deal with the area that this policy relates to in accordance with legal, regulatory, contractual and business expectations and requirements.
4. What Is a Breach?
The Company’s definition of a breach for the purposes of this and related documents, is a divergence from any standard operating procedure (SOP), which causes a failure to meet the required compliance standards as laid out by our own compliance program objectives and/or those of any regulatory body.
Compliance in this document means any area of business that is subject to rules, laws or guidelines set out by a third-party which are to be followed and which, when breached, could cause emotional, reputational or financial damage to a third party.
For the purposes of this document, a breach is classed as a divergence from any standard operating procedure (SOP), which causes a failure to meet the required compliance standards as laid out by our own compliance program objectives and/or those of any regulatory body.
Such incident examples include (but are not limited to): –
- Not ensuring TCF principles are followed during verbal/written tasks
- Failing to carry out the set DPA checks during incoming/outgoing calls
- Disclosure of system/confidential data to unauthorised personnel or third parties
- Hacking or attempted hacking by staff, third-parties or outsiders
- Suspected breach of the firewalls or malicious attack
- Unattended terminals left logged in
- Confidential storage areas left unlocked whilst unattended
- Attempts to obtain information by deception (e.g. fake phone calls or e-mails)
- Disclosure of Restricted or confidential information (e.g. passwords, key-codes) to unauthorised personnel
- Discovery of malicious or unauthorised software, such as a computer virus
- Suspected or actual Data Protection Act breaches
- Suspected or actual Data Security breaches
- Loss of portable/remote computing equipment (e.g. Laptop; Blackberry)
- Actual or attempted unauthorised entry to a secure area
- Actual or attempted tailgating
- Unauthorised or unattended visitors
- Confidential documents (hard-copy or electronic) left in public view or view of windows/outside access
5. Breach Monitoring & Reporting
The company has a [Compliance Officer/Senior Manager] who is responsible for the review and investigation of any compliance breach, regardless of the severity or containment. All breaches must be reported to this person with immediate effect, whereby the Compliance Breach Procedures and Compliance Breach Incident Form will be used and followed.
All breaches will be investigated in full and a report given to the Senior Management and Directors once containment has been achieved. Risk assessment procedures will then be utilised to review and amend any areas highlighted by a gap analysis and logged in the Change Management and Document Control records.
6. Objectives
- To maintain a robust set of compliance procedures which aim to mitigate against any risk and provide a compliant environment for trading and business activities
- To develop and implement strict compliance breach and risk assessment procedures that all staff are aware of and can follow
- To ensure that any compliance breaches are reported to the correct regulatory bodies within the timeframes as set out in their code of practice or handbooks
- To use breach investigations and logs to assess the root cause of any breaches and to implement a full review to prevent further incidents from occurring
- To use the Compliance Breach Incident Form for all breaches, regardless of severity so that any patterns in causes can be identified and corrected
- To comply with regulating bodies and laws on compliance breach methods, procedures and controls
- To protect consumers, clients and staff – including their data, information and identity
6.1 Compliance Breach Rules
The Company has a regulatory and ethical responsibility to ensure that we develop, implement and maintain adequate and effective policies and procedures to ensure that the firm, its business activities, staff and managers are all compliant with their obligations under the regulatory and legal system.
SUP 15.3.11 of the FCA Handbook requires a firm to notify the regulator (and any other relevant party, e.g. the customer, ICO, 3rd parties etc) of any breaches of rules and other requirements in or under the Consumer Credit Act 1974 or breaches of the FCA Handbook rules. The Company has robust and documented compliance breach procedures for any instance of compliance failings, which are disseminated to staff as part of their induction and ongoing compliance training.
SUP 15.3.11 states that a firm must notify the FCA of:
- A significant breach of a rule (which includes a Principle, a Statement of Principle or a COCON rule)
- A significant breach of any requirement imposed by the CCA or by regulations or an order made under the CCA
- A breach of any requirement imposed by the Act or by regulations or an order made under the Act by the Treasury
- The bringing of a prosecution for, or a conviction of, any offence under the Act or the CCA
- A breach of a directly applicable provision in the MiFID Regulation
- A breach of a directly applicable provision in the EU CRR or any directly applicable regulations made under CRD or the EU CRR
- A breach of any requirement in regulation 4C(3) (or any successor provision) of the Financial Services and Markets Act 2000 Regulations 2007
Notifications made by the company of any compliance breach under SUP 15.3.11, the ICO regulations or our own internal breach protocols include: –
- Information about any circumstances relevant to the breach or offence
- Identification of the rule, requirement or offence
- Information about any steps that the firm or authorised person has taken or intends to take to rectify or remedy the breach or prevent any future potential occurrence
7. Procedures
7.1 Identification of an Incident
As soon as a breach has been identified, it should be reported to both a line manager and the reporting officer (Compliance Officer/Senior Management) immediately so that breach procedures can be initiated and followed without delay.
Reporting incidents is essential to the compliant functioning of the Company and is not about apportioning blame. These procedures are for the protection of the Company, its staff, customers, clients and third parties and are of the utmost importance for legal regulatory compliance.
As soon as an incident has been reported, measures must be taken to contain the breach. Such measures are not in the scope of this document due to the vast nature of breaches and the variety of measures to be taken; however, the aim of any such measure should be to stop any further risk/breach to the organisation, customer, client, third-party, system or data prior to investigation and reporting.
7.2 Breach Recording & Notification
7.2.1 Step 1
The Company has a Breach Incident Form (Appendix A) which is located at the end of this procedure document and is to be completed after every instance of an incident, regardless of severity or outcome. Completed forms are to be logged in the Breach Incident Folder (electronic or hard copy) and to be logged on a Risk Assessment Record so that any subsequent breach can be cross-referenced.
The completing of the Breach Incident Form (Appendix A) is only to be actioned after containment has been achieved and is only to be completed and signed off by the Compliance Officer or a member of the Senior Management Team.
7.2.2 Step 2
A full investigation is to be conducted and recorded on the incident form, the outcome of which is to be communicated to all staff involved in the breach in addition to upper management. A copy of the completed incident form is to be filed for audit and record purposes.
7.2.3 Step 3
Where the breach relates to a Data Protection issue, the Information Commissioner’s Office (ICO) is to be notified in accordance with its protocols and its ‘Security Breach Notification Form’ is to be completed and submitted. In addition, any clients/customers whose data or personal information has been compromised should be notified as soon as possible and kept informed throughout the investigation, with a full report being provided of all outcomes and actions.
7.2.4 Step 4
Under section SUP 15.3 of the FCA Handbook, a firm must notify the FCA with immediate effect if it becomes aware that the following has occurred: –
- a) the firm has failed to satisfy one or more of the threshold conditions (COND)
- b) any matter which could have a significant impact on the firm’s reputation
- c) any matter which could affect the firm’s ability to continue to provide adequate services to its customers and/or which could result in detriment to the customer
- d) any matter in respect of the firm which could result in serious financial consequences to the UK financial system and/or to other firms
The [Compliance Officer] is responsible for liaising with the designated FCA representatives on any matter which falls into one or more of the above categories and for following the rules and requirements as defined by the FCA Handbook.
8. Risk Assessment
8.1 Human Error
Where the compliance breach is the result of human error, an investigation into the root cause is to be conducted and a formal interview with the employee is to be held.
A review of the procedure/s associated with the breach is to be conducted and a full risk assessment completed in accordance with The Company’s existing Risk Assessment Procedures. Any identified gaps that are found to have caused/contributed to the breach are to be revised and risk assessed to mitigate any future occurrence of the same root cause.
Resultant employee outcomes of such an investigation can include, but are not limited to: –
- Re-training in specific/all compliance areas
- Re-assessment of compliance knowledge and understanding
- Suspension from compliance related tasks
- Formal warning (in-line with The Company’s disciplinary procedures)
8.2 System Error
Where the compliance breach is the result of a system error/failure, the IT team are to work in conjunction with the Compliance Officer to assess the risk and investigate the root cause of the breach. A gap analysis is to be completed on the system/s involved and a full review and report is to be added to the Compliance Breach Incident Form (Appendix A).
Any identified gaps that are found to have caused/contributed to the breach are to be revised and risk assessed to mitigate and prevent any future occurrence of the same root cause.
Full details of the incident should be determined and mitigating action such as the following should be taken to limit the impact of the incident:
- Attempting to recover any lost equipment or personal information
- Shutting down an IT system
- Removing an employee from their tasks
- The use of back-ups to restore lost, damaged or stolen information
- Making a building secure
- If the incident involves any entry codes or passwords, then these codes must be changed immediately, and members of staff informed
8.3 Assessment of Risk and Investigation
The Compliance Officer should ascertain what information was involved in the compliance breach and what subsequent steps are required to remedy the situation and mitigate any further breaches. The lead investigator should look at: –
- The type of information involved
- Its sensitivity or personal content
- What protections are in place (e.g. encryption)?
- What happened to the information/Where is it now?
- Whether there are any wider consequences/implications to the incident
The appointed lead should keep an ongoing log and clear report detailing the nature of the incident, steps taken to preserve any evidence, notes of any interviews or statements, the assessment of risk/investigation and any recommendations for future work/actions.
9. Breach Notifications
[Applicable where the breach involves personal data regulated under DPA18/GDPR]
The Company understands that we have obligations and a duty to report data breaches in certain instances. All staff are aware of these circumstances and we have strict internal reporting lines to ensure that data breaches falling within the notification criteria are identified and reported without undue delay.
9.1 Supervisory Authority Notification
The Supervisory Authority is to be notified of any breach where it is likely to result in a risk to the rights and freedoms of individuals. These are situations in which, if the breach were ignored, it would lead to significant detrimental effects on the individual.
Where applicable, the Supervisory Authority is notified of the breach no later than 72 hours after we become aware of it, and is kept informed throughout any breach investigation, being provided with a full report, including outcomes and mitigating actions, as soon as possible and always within any specified timeframes.
If for any reason it is not possible to notify the Supervisory Authority of the breach within 72 hours, the notification will be made as soon as is feasible, accompanied by reasons for any delay. Where a breach is assessed by the DPO and deemed to be unlikely to result in a risk to the rights and freedoms of natural persons, we reserve the right not to inform the Supervisory Authority in accordance with Article 33 of the GDPR.
The notification to the Supervisory Authority will contain: –
- A description of the nature of the personal data breach
- The categories and approximate number of data subjects affected
- The categories and approximate number of personal data records concerned
- The name and contact details of our Data Protection Officer and/or any other relevant point of contact (for obtaining further information)
- A description of the likely consequences of the personal data breach
- A description of the measures taken or proposed to be taken to address the personal data breach (including measures to mitigate its possible adverse effects)
Breach incident procedures and an investigation are always carried out, regardless of our notification obligations and outcomes and reports are retained to be made available to the Supervisory Authority if requested.
Where the Company acts in the capacity of a processor, we will ensure that the controller is notified of the breach without undue delay. In instances where we act in the capacity of a controller using an external processor, we have a written agreement in place to state that the processor is obligated to notify us without undue delay after becoming aware of a personal data breach.
9.2 Data Subject Notification
When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will always communicate the personal data breach to the data subject without undue delay, in writing and in a clear and legible format.
The notification to the Data Subject shall include: –
- The nature of the personal data breach
- The name and contact details of our Data Protection Officer and/or any other relevant point of contact (for obtaining further information)
- A description of the likely consequences of the personal data breach
- A description of the measures taken or proposed to be taken to address the personal data breach (including measures to mitigate its possible adverse effects)
We reserve the right not to inform the data subject of any personal data breach where we have implemented the appropriate technical and organisational protection measures which render the data unintelligible to any person who is not authorised to access it (i.e. encryption, data masking etc) or where we have taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise.
If informing the data subject of the breach involves disproportionate effort, we reserve the right to instead make a public communication whereby the data subject(s) are informed in an equally effective manner.
Please refer to our GDPR Data Breach Policies, Procedures and Incident Form for the specific process of investigating and recording a personal information breach.
10. Record Keeping
All records and notes taken during the identification, assessment and investigation of the compliance breach are to be logged and signed by the Compliance Officer and retained for a period of 6 years from the date of the incident. Incident forms are to be reviewed monthly to assess for patterns or breach recurrences and actions taken to prevent further incidents from occurring.
11. Responsibilities
The Company will ensure that all staff are provided with the time, resources and support to learn, understand and implement all procedures within this document, as well as their responsibilities and the breach incident reporting lines.
The Compliance Officer and Senior Management are responsible for regular compliance audits and gap analysis monitoring and their subsequent reviews and action follow ups. There is a continuous audit trail of all compliance reviews and procedural amendments and feedback to ensure continuity through each process and task.