We explain how and why we use personal data to carry out our supervision functions.
We define supervision as the continuing oversight of firms (including sole traders) and of individuals controlling firms to reduce actual and potential harm to consumers and markets.
Part of our duties as a regulator includes the supervision of around 41,000 firms serving retail and wholesale consumers. To make the best use of our resources and deliver the greatest public value, we take a proportionate approach to supervising firms.
We supervise using the different approaches described below.
- Forward looking, pre-emptive. All firms are members of a portfolio that share a common business model. We analyse each portfolio and agree a strategy to take action on firms posing the greatest harm. We communicate our expectations, priorities and examples of good or poor practice. For a small number of firms with the greatest potential impact on consumers and markets, we have dedicated supervision teams. These teams have a view of the whole firm across all the sectors it operates in. They assess the potential harm that the firm may cause, and agree a strategy to reduce or prevent this.
- Dealing with issues that are emerging or have happened as quickly and efficiently as possible to prevent the harm growing. We get information from sources including the general public, regulated firms, whistleblowers and other bodies or firms.
- Diagnostic work that focuses on risks and issues affecting multiple firms or a sector as a whole.
We intervene early where we see poor behaviour, taking action to prevent harm to consumers and markets, and getting redress where appropriate.
Our supervisory work often involves an element of research. Read more about how we use personal data as part of our research work.
The personal data we use
In order to properly undertake our supervisory work we are often required to collect a wide range of information on the firms (including sole traders), individuals and markets that we regulate. Occasionally, this can also include unregulated individuals. To support our analysis we often request data relating to the customers of the above (data collected as part of an application for a financial product, or when a customer gets into financial difficulty) and information on sole traders. This is to help us make informed judgements on how those we regulate are operating in practice and whether their customers are experiencing harm. The type of personal data that we typically receive as part of our supervisory work includes:
- name
- employment history
- contact details
- criminal records
- personal views and opinions
- allegations of criminal offences
- date of birth
- National Insurance number
- financial information such as salary, transaction statements
- credit checks
- visual images of participants captured on video recordings of Supervisory meetings/calls
- speech and other verbal communication characteristics of participants on audio recordings of Supervisory meetings/calls
We work hard to minimise the personal data that we collect for this purpose. In certain limited circumstances we may also receive the following special categories of personal data:
- political views
- information about a person’s sex life and sexual orientation
- information concerning a person’s health
- trade union membership
- race or ethnicity
- information about a person’s religion or religious beliefs
The personal data we collect also includes technical data such as traffic, location, time zone and other communication data; and information from your computer or device, such as your internet protocol (IP) addresses, the login data, browser type and version, operating system and platform you use to access Connect.
How this personal data is collected
We collect personal data in a variety of ways in order to undertake our FCA functions including Supervisory duties. Personal data may be collected through written notes, audio recordings and video recordings of phone calls using Microsoft Teams technology. In order to get a holistic and accurate view of the firms and markets we regulate, understand consumer behaviour and properly identify issues, trends and risks, we collect information from third parties as well as from individuals directly. Examples of the third parties we receive information from include:
- media sources
- firms
- whistleblowers
- other regulators
- technology platforms (ie Microsoft Teams Technology)
- data gathered from publicly available websites, including through the use of automated tools (eg web scraping for key terms relating to the FCA)
- social media analytics tools which gather information from more than 20,000 data sources (such as X/Twitter, Facebook, blogs, forums and mainstream media) to analyse real-time consumer opinions
- members of the public/consumers
- law enforcement agencies
- other government organisations
Why we use this personal data
We use this personal data to ensure that we are able to fulfil our statutory functions under FSMA and other relevant legislation and, in particular, to help us to ensure that the markets work well, for example by:
- exploring and analysing identified risks within regulated firms through firm-specific and cross-firm work
- ensuring regulated firms behave appropriately, particularly when detriments arise
- effectively monitoring firms entering any regulated sectors, including reviewing and assessing individuals working in and impacting those sectors
- developing and sharing intelligence about regulated firms and sectors
- working with trade bodies, segment advisers and other third parties to help determine and communicate trends, forward views and gauge risks in the market
- effectively analysing and monitoring progress of diversity and inclusion within regulated firms
- better understanding and responding to stakeholder and public perceptions of the FCA, as well as getting a better view of emerging issues which may impact on consumer harm or our other objectives
Where we make voluntary or compulsory information requests to firms, we may collect personal data (such as firm employees’ contact details) for follow-up contact with firms.
We may use video, audio and transcription technologies with individuals from firms, for record keeping, audit trail purposes, training and process efficiencies. This aids our analysis and may support our decision making.
We also collect technical data for the purposes of monitoring and investigating any suspicious activity, misuse of our ICT systems and for the purposes of maintaining cyber security. Automatic profiling may alert us to certain activities relating to the technical metadata. Where such alerts are received by us, we will decide whether to investigate further and there will be no automated decision process.
The lawful basis for us using this personal data
We use this personal data under Article 6(1)(e) of the UK GDPR (it is necessary for the performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018. To the extent that we use any special categories of data as part of our supervision work, we do so under Article 9(2)(g) of the UK GDPR (it is necessary for reasons of substantial public interest) and Section 10(3) of the DPA 2018, in that it meets a condition in Part 2 of Schedule 1 of the DPA 2018 and we have an appropriate policy document covering this processing. Our supervisory work is essential to enable us to monitor firms and the markets and properly undertake our statutory functions as a regulator of financial conduct and the related markets.
When this personal data is transferred outside the UK and the EU
Given the international nature of our supervision work, where necessary and appropriate we share personal data with third parties, most commonly regulators and law enforcement agencies. We will only transfer personal data outside the UK if permitted by the UK GDPR and DPA 2018. We have robust processes to ensure that the requirements of the UK GDPR and DPA 2018 for international transfers are in place to protect any personal data included in such transfers. For example, transfer may be to an authority in the EEA and other countries specified under the UK adequacy regulations. The FCA is a signatory to several administrative arrangements for the transfer of personal data from the FCA to overseas regulators. These arrangements act as an appropriate safeguard when the FCA shares personal data with non-EEA regulators that have signed these arrangements. View the full text of these administrative arrangements.
Learn about your rights
Under the UK GDPR, individuals have a number of rights relating to their personal data. Read more about your rights and how to exercise them.