Financial Services Email Compliance: The Checklist
In financial services, email compliance is essential for protecting sensitive data and reducing risk.
But as data regulations evolve, maintaining compliance can feel like navigating a moving target.
This guide breaks down how to stay ahead and keep your email communications compliant.
Financial Services Email Compliance at a Glance
Here's a brief overview of the key regulations.
Prevent
Source: FCA – SM&CR
Use measures to stop a breach before it happens.
- Make sure the Senior Manager responsible for an area takes reasonable steps to prevent or stop breaches.
- Monitor compliance to avoid risks for leadership.
Encrypt
Source: ICO – GDPR
Encrypt emails that contain personal data.
- Create a policy that covers email encryption.
- Train staff to know when encryption is required.
- Encrypt emails that include sensitive personal data.
Audit
Source: FCA – COBS
Keep auditable copies of outbound emails.
- Store copies of relevant electronic communications, including those:
  - Sent from company equipment.
  - Made with equipment approved by the firm.
Authenticate
Source: ESMA – MiFID II
Authenticate recipients to prevent unauthorised access.
- Put in place secure methods to:
  - Protect and verify information transfers.
  - Lower risks of data corruption and unauthorised access.
  - Prevent information leaks and maintain confidentiality.
Revoke
Source: ICO – GDPR
Revoke access to misfired emails.
- Take quick action if a data breach occurs:
  - Try to recall the email right away.
  - Ask the recipient to delete the email if recall fails.
  - Turn off email address Autofill to reduce misfires.
Reply
Source: FCA – Consumer Duty
Give customers a secure way to communicate with you.
- Ensure consumers:
  - Receive clear, easy-to-understand messages.
  - Access services that fit their needs and offer fair value.
  - Get the support they need, when they need it.
1. Prevent
Financial services organisations should take active steps to stop a breach before it occurs.
Under the FCA’s Senior Managers and Certification Regime (SM&CR), responsibility for compliance sits at the top.
Senior Managers must take reasonable steps to prevent or stop regulatory breaches.
- Use strong processes and controls to detect threats early.
- Check compliance often to limit risks.
- Keep leaders accountable through ongoing oversight.
2. Encrypt
Financial organisations should encrypt emails containing personal data to guard against digital threats like message interception.
Email encryption scrambles an email so only the right recipient can read it.
"One of the biggest misconceptions about secure email is that it’s difficult to set up.
In reality, the right solution can fit smoothly into existing workflows."
— Paul Holland, Founder, Beyond Encryption
What Regulation Does Encryption Fulfil?
Under GDPR, personal data should be:
'Processed in a manner that ensures proper security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using suitable technical or organisational measures.'
— UK Information Commissioner's Office
Article 32 lists encryption as an appropriate way to protect personal data.
Financial service providers, intermediaries, and retailers often handle large amounts of personal data and must protect it well.
The FCA states that these firms ‘must make sure they lawfully process and transfer client data in line with GDPR.’
This is also vital during anti-money laundering (AML) and know-your-customer (KYC) processes.
These checks confirm a customer’s identity for high-value transactions.
They often store a lot of personal data in one document, raising identity risks such as fraud.
The Consequences of Non-Compliance
UK GDPR can impose a fine of £17.5 million or 4% of annual global turnover, whichever is higher.
The EU GDPR sets a maximum of €20 million (about £18 million) or 4% of annual global turnover, whichever is higher.
How to Encrypt Emails
According to the ICO (Information Commissioner's Office), you should have a policy on when to use encrypted email.
For example, you should require encryption any time an email contains personal data.
'You should have a policy governing encrypted email, with rules that help staff decide when they should or shouldn’t use it.'
— UK Information Commissioner's Office
The ICO also says you should choose encryption software that meets current standards.
For instance, Microsoft Outlook offers basic encryption in transit, but it has known limitations.
Businesses should use an encryption service designed for the protection of customer information.
Important considerations include:
- Key Size: A larger key size means stronger security, as it’s harder to crack.
- Software Integration and Ease of Use: Pick software that fits well with your current tech and is user-friendly.
- Scalability and Resilience: Choose software that can grow with your business and handle new security threats.
- Extra Features: Look for tools like recipient authentication and rights management, so only the right people can open or act on your emails.
3. Audit
Financial services organisations should keep auditable records of any outbound emails, especially if they contain sensitive data.
Auditing outbound emails shows you follow the rules and supports openness and accountability.
It also helps detect and prevent fraud or other illegal acts.
Regular checks can spot suspicious patterns or insider threats that might suggest data breaches, insider trading, or market abuse.
What Regulation Does Email Auditing Fulfil?
MiFID II, enforced by the FCA, says financial firms must record and store communications.
This includes emails, phone calls, and social media messages.
The MiFID II rules and the FCA’s Conduct of Business Sourcebook say firms must:
'Record and keep all telephone calls and electronic communications that may result in a transaction, even if it does not happen.
These records should be stored in a durable format and must be easy for authorities to access for at least five years.'
— The Financial Conduct Authority
These records must include an audit trail that is easy to retrieve.
Data must be stored safely, and transfer methods should be protected.
The Consequences of Non-Compliance
Failure to follow MiFID II can lead to significant fines.
Repeated or serious issues could result in your firm’s licence being suspended or revoked.
How to Audit Emails
An auditing tool can link to your email system to create detailed audit logs.
These logs should track each time an email is opened, forwarded, or downloaded, along with who accessed it and when.
This helps confirm that only authorised staff can see sensitive data and can stop leaks.
Auditing features are also offered by secure email solutions designed for use by financial services.
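The audit trail described above can be made tamper-evident rather than just a list of rows. The following is an added example, not code from the original page or from any vendor it mentions: each log entry carries the SHA-256 hash of the previous entry, so an edited or deleted record fails verification; a retention helper lists entries older than the five-year MiFID II window without deleting anything (deletion itself should be an audited decision); and a simple detection rule flags a user who accesses an unusual number of distinct messages in a short window. The event names, addresses and timestamps are constructed for the example.

```python
"""Tamper-evident outbound-email audit trail (added example, constructed data)."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=5 * 365)  # MiFID II / COBS: retain for at least five years
GENESIS = "0" * 64                   # chain anchor for the first entry


class AuditTrail:
    """Append-only log; every entry embeds the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, event, message_id, actor, at, **details):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"event": event, "message_id": message_id, "actor": actor,
                "at": at.isoformat(), "details": details, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self):
        """True only if every entry re-hashes to its stored digest and links to its predecessor."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def purge_candidates(self, now_iso):
        """Entries past the retention period; returned, not deleted."""
        now = datetime.fromisoformat(now_iso)
        return [e for e in self.entries if datetime.fromisoformat(e["at"]) < now - RETENTION]


def bulk_access(trail, window_minutes, threshold):
    """Flag actors who opened/downloaded/forwarded more than `threshold` distinct
    messages within any `window_minutes` span: a crude insider/exfiltration signal."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for e in trail.entries:
        if e["event"] in ("opened", "downloaded", "forwarded"):
            by_actor[e["actor"]].append((datetime.fromisoformat(e["at"]), e["message_id"]))
    flagged = set()
    for actor, events in by_actor.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ids = {mid for t, mid in events[i:] if t - t0 <= window}
            if len(ids) > threshold:
                flagged.add(actor)
                break
    return sorted(flagged)


def build_sample_trail():
    """Constructed events: one normal client open, then one staff account
    downloading six different client messages within a few minutes."""
    t = datetime(2025, 1, 17, 9, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.record("sent", "msg-1", "adviser@firm.example", t, to="client@example.net")
    trail.record("opened", "msg-1", "client@example.net", t + timedelta(minutes=5))
    for n in range(2, 8):
        trail.record("sent", f"msg-{n}", "adviser@firm.example", t + timedelta(hours=1, minutes=n))
        trail.record("downloaded", f"msg-{n}", "temp@firm.example", t + timedelta(hours=2, minutes=n))
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify())
    print("bulk access by:", bulk_access(trail, 10, 5))
```

The chain only proves that the log was not altered after the fact; it still needs to be written to storage the email users cannot modify, and the retention check is a report for an administrator, not an automatic delete.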
4. Authenticate
Financial services organisations should confirm the identity of the person receiving sensitive emails so only the correct recipient can view them.
Recipient authentication checks someone’s identity using factors like passwords, phone confirmations, or biometrics.
- Something you know (e.g., a password)
- Something you have (e.g., a phone)
- Something you are (e.g., a fingerprint)
This helps block unauthorised users from seeing data if an email reaches the wrong inbox.
It also supports encryption by cutting down on human error.
What Regulation Does Authentication Fulfil?
The European Securities and Markets Authority (ESMA) and MiFID II require checks on identity, authorisation, and data transfer to protect investors and keep markets fair.
Under MiFID II, firms must:
'Have proper security tools to ensure the security and authentication of information transfer, reduce data corruption risks and unauthorised access, and stop information leaks while keeping data confidential.'
— The Financial Conduct Authority
Email authentication meets MiFID II’s requirements by securing messages between a firm and its clients.
MiFID II also highlights identity checks for suitability assessments when giving investment advice or managing portfolios.
The Consequences of Non-Compliance
Firms that do not follow MiFID II can be fined heavily.
If violations are serious or repeated, a firm’s licence may be suspended or revoked.
How to Authenticate Emails
Typical email clients rarely include built-in recipient authentication.
This often requires a specialist secure email service.
Multi-factor authentication asks recipients to confirm their identity before they open attachments or see content.
They might get a code by text, answer a security question, or use a fingerprint scan.
This strengthens email security and helps keep data away from the wrong people.
5. Revoke
Financial services organisations should have a way to revoke emails if they are sent to the wrong person.
An email revoke feature lets you remove a recipient’s ability to view the message or attachments.
Ideally, it should function even after an email has been opened.
This is key for messages with sensitive data that are not meant for the wrong person.
A revoke option can reduce damage if an email goes astray.
What Regulation Does Email Revoke Fulfil?
Financial firms handle large amounts of data, so the ability to revoke an email helps you stay compliant with GDPR.
GDPR requires you to keep control over personal data.
That includes removing data if it’s no longer needed or if there is an error.
The ICO says that if you recall an email before someone sees it, you may not need to report it as a data breach.
This shows how important it is to correct data-handling mistakes quickly.
It aligns with GDPR’s principles of data responsibility and integrity.
The Consequences of Non-Compliance
UK GDPR fines can reach up to £17.5 million or 4% of annual global turnover, whichever is higher.
The EU GDPR can fine up to €20 million (about £18 million) or 4% of annual global turnover, whichever is higher.
How to Revoke Emails
The ICO advises organisations to:
'Act quickly.
Try to recall the email as soon as possible.
If you can’t recall it, ask the recipient to delete it. In the future, think about turning off Autofill for work emails.
The 72 hours after a data breach are critical.'
— UK Information Commissioner's Office
Some email services, including Microsoft Outlook, have a recall feature.
But how well it works depends heavily on the recipient’s email platform.
A dedicated secure email service provides a more reliable way to revoke messages.
It also gives you more control over sent emails.
Key considerations for a revoke capability:
- Timeliness – Revoke an email as soon as you notice an error.
- Control – Senders should manage revocations from their sent items, and admins should have a console to oversee them.
- Notification – Senders receive alerts when an email is opened so they can judge any impact.
- Integration – The system should work well with your current email platform.
This cuts the risk of misdirected emails and improves your data security and compliance.
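The recipient authentication described in section 4 and the revoke capability described here both rest on the same design: the message body stays on the sender's server and the recipient receives only a link, so every view is checked against current server-side state. The following is an added example written to show that design, not code from the original page or from any vendor it mentions. It assumes a one-time code delivered out of band (a simulated SMS outbox stands in for the phone), an attempt limit before lockout, a sender-only revoke that takes effect even after the message was opened, and an open notification to the sender. Class and method names are the example's own.

```python
"""Secure-message gateway with recipient MFA and post-open revoke (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

MAX_ATTEMPTS = 5  # wrong codes allowed before a new challenge is required


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    revoked: bool = False
    opened_by: List[str] = field(default_factory=list)
    attempts: int = 0
    otp: Optional[str] = None  # current one-time code; None means no live challenge


class Gateway:
    def __init__(self):
        self.messages = {}
        self.notifications = []  # (sender, text); would be emailed in practice
        self.sms_outbox = []     # (recipient, code); simulated out-of-band channel

    def send(self, sender, recipient, body):
        """Store the body server-side and return the id that the emailed link carries."""
        mid = secrets.token_urlsafe(16)
        self.messages[mid] = Message(sender, recipient, body)
        return mid

    def challenge(self, mid):
        """Start MFA: issue a fresh 6-digit code to the recipient's phone ('something you have')."""
        m = self.messages[mid]
        m.otp = f"{secrets.randbelow(10**6):06d}"
        m.attempts = 0
        self.sms_outbox.append((m.recipient, m.otp))

    def view(self, mid, presented_code, viewer):
        """Return the body only if the message is live, the viewer is the intended
        recipient and the code matches. Re-checked on every view, so revoke works late."""
        m = self.messages.get(mid)
        if m is None or m.revoked:
            return None
        if m.otp is None or m.attempts >= MAX_ATTEMPTS:
            return None  # no live challenge, or locked out after too many wrong codes
        m.attempts += 1
        if viewer != m.recipient or not hmac.compare_digest(m.otp, presented_code):
            return None
        m.otp = None  # code is single-use
        m.opened_by.append(viewer)
        self.notifications.append((m.sender, f"{mid} opened by {viewer}"))
        return m.body

    def revoke(self, mid, requester):
        """Only the sender (or an admin console acting for them) may revoke."""
        m = self.messages[mid]
        if requester != m.sender:
            return False
        m.revoked = True
        return True


def wrong_code(code):
    """A code guaranteed not to equal the one issued (test helper)."""
    return "000001" if code == "000000" else "000000"


if __name__ == "__main__":
    gw = Gateway()
    mid = gw.send("adviser@firm.example", "client@example.net", "Your valuation is attached.")
    gw.challenge(mid)
    code = gw.sms_outbox[-1][1]
    print(gw.view(mid, code, "client@example.net"))
    gw.revoke(mid, "adviser@firm.example")
    gw.challenge(mid)
    print(gw.view(mid, gw.sms_outbox[-1][1], "client@example.net"))  # None: revoked
```

Because the body never leaves the server, "revoke after opening" is simply a flag the next view honours; the residual risk is whatever the recipient copied or screenshotted while the message was live, which is why the open notification matters for judging impact.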
6. Reply
Financial services organisations should let customers reply securely with any private information, creating a two-way secure channel.
Many firms focus on blocking inbound and outbound data threats.
But protecting personal data sent by clients is also crucial.
A secure reply feature lets clients respond using the same security level your firm uses for outbound emails.
"Building a secure, two-way communication channel is key for financial services.
It not only protects data but also shows customers you value their privacy."
— Carole Howard, Head of Networks, Beyond Encryption
What Regulation Does Secure Reply Fulfil?
Secure reply supports GDPR and the Consumer Duty from the FCA.
Consumer Duty aims to help firms achieve good outcomes for their customers and covers how they communicate.
FCA-regulated firms must:
'Help their customers understand by making sure communications meet their needs, are likely to be understood, and allow them to make good decisions.'
— The Financial Conduct Authority
Firms also need to protect clients from foreseeable harm and safeguard their data.
An FCA consultation paper notes, “Firms should maintain a reasonable level of support during service disruptions, like IT outages or cyber attacks.”
The Consequences of Non-Compliance
Firms that fail to meet consumer protection rules may face large fines and might have to compensate customers for damage.
How to Set Up Secure Reply
You can’t control what email client or device your customers use, but you can offer them a secure way to respond.
Many secure email solutions not only let you send safe outbound emails but also allow your clients to reply in the same protected thread.
When choosing a secure email service, consider how it affects both your firm and your clients.
Key points include:
- User Experience – Keep the process simple. Give clear instructions and helpful support.
- Compatibility – Make sure the secure reply feature works on different devices and email systems.
This approach helps your organisation build trust and meet strict security standards for sensitive data.
How to Remain Compliant: Additional Actions
Here are other steps to help you meet data security rules:
Assign a compliance officer – Having a compliance officer helps you stay on track by checking processes, creating strategies, and suggesting tools.
Create an internal security policy – A policy for everyone in the company helps protect your data and shows your commitment to security.
Educate employees – Compliance tools are only as strong as their users. Train all staff on regulations, security basics, and how to handle risks.
Are You Protected?
Is your firm meeting industry standards?
Non-compliance can lead to penalties, so financial organisations should update email security often to follow new rules and deal with new threats.
FAQs
What Is the Main Reason for Using Secure Email Encryption in Financial Services?
Regulations require proper data protection.
Encryption keeps data safe as it travels, stopping outsiders from reading private details.
How Often Do Rules Like GDPR or MiFID II Change, and How Can I Keep Up?
They change sometimes to address new security problems.
Sign up for official regulatory updates, read relevant blogs, and attend compliance events to stay informed.
What Should I Do If I Send Sensitive Data to the Wrong Person?
Try to recall or revoke the email right away.
If it poses a data breach risk, follow your internal policy and think about reporting it.
How Can I Make Sure My Team Sticks to Email Compliance?
Offer regular training, provide clear rules, and automate compliance steps with easy-to-use tools.
This reduces human error.
References
A Guide to Data Security, Information Commissioner’s Office, 2024
FCA Warns Firms to Be Responsible When Handling Client Data, Financial Conduct Authority, 2020
Encryption, Information Commissioner’s Office, 2024
Article 16 Organisational Requirements, ESMA, 2024
Conduct of Business Sourcebook, Financial Conduct Authority, 2024
Consumer Duty Implementation: Good Practice and Areas for Improvement, Financial Conduct Authority, 2024
PRIN 2.1 The Principles, Financial Conduct Authority, 2023
Reviewed by
Sabrina McClune, 19.06.24
Sam Kendall, 16.01.25
Originally posted on 13 05 22
Last updated on January 17, 2025
Posted by: Sabrina McClune