
Financial Services Email Compliance: The Checklist

Written by Sabrina McClune | 13 05 22

In financial services, email compliance plays a crucial role in your company’s daily efforts to protect sensitive information.

Yet, with changing regulations surrounding data and communications, maintaining email data compliance can be a challenge. In this post, we've made it easy to understand what you need to do to remain compliant.

Financial Services Email Compliance At A Glance

Here is a brief overview of the key regulations.

Action: Prevent
Source: FCA - SM&CR
Summary: Put prevention methods in place to stop a breach
Guidance: "If a firm breaches one of our requirements, the Senior Manager responsible for that area could be held accountable if they didn’t take reasonable steps to prevent or stop the breach."

Action: Encrypt
Source: ICO - GDPR
Summary: Encrypt emails containing personal data
Guidance: "Have a policy governing encrypted email, including guidelines that enable staff to understand when they should or should not use it. For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or as an unencrypted attachment) should be sent encrypted."

Action: Audit
Source: FCA - COBS
Summary: Keep auditable copies of outbound emails
Guidance: "Keep a copy of relevant electronic communications, made with, sent from or received on equipment: (1) provided by the firm to an employee or contractor; or (2) the use of which by an employee or contractor has been sanctioned or permitted by the firm."

Action: Authenticate
Source: ESMA - MiFID II
Summary: Authenticate recipients to prevent unauthorised access
Guidance: "Have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage maintaining the confidentiality of the data at all times."

Action: Revoke
Source: ICO - GDPR
Summary: Have the capability to revoke misfired emails
Guidance: "[in the event of a data breach] act quickly. Try to recall the email as soon as possible. If you can’t recall it, contact the person who received it and ask them to delete it. In the future, consider turning off the Autofill tool when sending work emails. The 72 hours following a personal data breach are particularly critical."

Action: Reply
Source: FCA - Consumer Duty
Summary: Provide customers with a secure way to communicate with you
Guidance: "Ensure consumers receive communications they can understand, products and services meet their needs and offer fair value, and the support they need."


1. Encrypt

Financial organisations should encrypt emails containing personal data to protect against message interception and other digital threats.

Email encryption is the process of encoding email messages to protect the contents from being read by anyone other than the intended recipients.

It involves transforming readable data into an unreadable format using a cryptographic algorithm, ensuring only authorised recipients possessing the correct decryption key can read it.

What Regulation Does Encryption Fulfil?

Under GDPR, personal data should be:

'Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.'

Article 32 lists encryption as a suitable way to protect personal data.

When considering financial services organisations, it's important to note that providers, intermediaries, and retailers regulated by the Financial Conduct Authority (FCA) handle a significant amount of personal data. This information requires robust protection to ensure its security.

The FCA has stated that these companies 'must make sure they lawfully process and transfer client data in line with the GDPR guidance.’

This is especially important during anti-money laundering (AML) and know-your-customer (KYC) processes.

While these processes are vital for establishing a standard of identification for high-value transactions on behalf of both businesses and their customers, the documents they rely on concentrate large amounts of personal data in one place, which could put an individual's identity at risk if exposed.

Consequences of non-compliance: UK GDPR can have a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements. The EU GDPR sets a slightly higher maximum limit at €20 million (£18 million) or 4% of annual global turnover.

How To Encrypt Emails

In terms of how to implement email encryption, the Information Commissioner's Office (ICO) recommends that:

'You should have a policy governing encrypted email, including guidelines that enable staff to understand when they should or should not use it. For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or as an unencrypted attachment) should be sent encrypted.'

The ICO guidelines also note that the encryption software used is crucial and that organisations ‘should ensure that any solution you implement meets current standards.’

Most email providers have a basic level of encryption built in. For example, Microsoft Outlook provides basic encryption methods that enable users to protect their emails in transit, with some limited functionality.

Businesses should consider implementing an enterprise encryption solution by evaluating the following critical security aspects:

  • Key Size: Choose a solution that uses key sizes at or above current standards for the algorithm in use. Larger keys are more resistant to brute-force attacks, but key length only helps when the algorithm and its implementation are themselves sound and up to date.
  • Software Integration and Usability: Ensure the encryption software integrates seamlessly with your existing technology stack and is user-friendly. An intuitive interface reduces training time and increases adoption rates among employees.
  • Scalability and Business Resilience: Select software that can scale with your business growth and adapt to evolving security challenges. It should support increasing volumes of data and user numbers without compromising performance.
  • Additional Capabilities: Look for features that extend beyond basic encryption, such as recipient authentication and rights management. These capabilities ensure that only authorised recipients can access and perform actions on your encrypted emails.

By carefully considering these factors, you can choose an encryption solution that not only secures email communications but also aligns with your operational needs and security policies.


2. Authenticate

Financial services organisations should authenticate emails containing sensitive information to ensure that only the intended recipient can access transmitted data.

Recipient authentication verifies an individual's identity using multi-factor authentication, ensuring they are who they claim to be. This process typically involves:

  • Something you know (a password),
  • Something you have (a phone),
  • Something you are (biometrics).

This security measure is critical as it prevents unauthorised access to information, even if an email reaches the wrong recipient, by requiring authentication before the content can be accessed.

Authentication complements encryption by adding a layer of security against human error.

What Regulation Does Authentication Fulfil?

The European Securities and Markets Authority (ESMA) and MiFID II regulations enforce strict requirements on identity verification, authorisation, and data transmission to ensure compliance, investor protection, and market integrity.

Under MiFID II, financial organisations are required to:

'Have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage maintaining the confidentiality of the data at all times.'

Email authentication plays a crucial role in meeting MiFID II's organisational requirements, ensuring the integrity of communications between a firm and its clients.

In particular, MiFID II emphasises stringent identity verification processes as part of the suitability assessments used to determine investment advice and portfolio management activities.

Authentication can help to ensure that services are appropriate for the client's financial situation and investment objectives, safeguarding both the client and the integrity of the financial market.

Consequences of non-compliance: Failure to comply with MiFID II could result in significant fines. Serious or repeated breaches of MiFID II regulations can lead to the revocation or suspension of a firm's licence.

How To Authenticate Emails

Recipient authentication is not typically built into standard email clients; it is instead a feature of dedicated secure email services.

Authentication can be applied as an extra step within the email-sending process, preventing a recipient from viewing messages and attachments until they have verified their identity.

Multi-factor authentication is considered the best method to carry this out, as it provides multiple levels of identity checking before allowing the recipient access. These checks commonly include:

  • SMS - input a code sent to your phone.
  • Q&As - answer a question only you will know the answer to.
  • Biometrics - facial or fingerprint scans.

Implementing such robust authentication methods significantly enhances the security of email communications, ensuring that sensitive information remains confidential and accessible only to verified recipients. Of the checks listed above, SMS codes and knowledge-based questions are the weakest; where the solution offers them, authenticator apps or hardware tokens provide a stronger second factor.


3. Audit

Financial organisations should keep auditable copies of outbound emails to ensure they have comprehensive records of communications.

Auditing outbound emails is essential for documenting an organisation's compliance with communication standards and protocols, thereby enhancing transparency and accountability.

Moreover, it plays a crucial role in detecting and preventing fraud and other misconduct.

Regular monitoring of emails helps identify suspicious activities or irregular patterns that could suggest insider trading, data breaches, or market manipulation.

What Regulation Does Email Auditing Fulfil?

When it comes to auditing, financial institutions operate under strict regulatory frameworks outlined in MiFID II and enforced by the FCA that mandate the recording and retention of communications.

The rules outlined within MiFID II and the FCA’s Conduct of Business Sourcebook (COBS) require firms to:

'Record and retain all telephone conversations and electronic communications that are intended to result in transactions, even if the transaction does not ultimately take place. These records must be stored in a durable medium and made easily accessible to competent authorities for at least five years.'

This includes maintaining records of all orders and transactions carried out within communications channels such as voice and video calls, instant messaging, social media, SMS, and email.

Communications records must include an audit trail that is clear, easily accessible, and retrievable. Companies must store data securely and authenticate methods of information transfer.

Consequences of non-compliance: Failure to comply with MiFID II could result in significant fines. Serious or repeated breaches of MiFID II regulations can lead to the revocation or suspension of a firm's licence.

How To Audit Emails

Utilising an auditing solution for email communications is imperative for regulatory compliance.

Organisations need an auditing solution that integrates seamlessly with their email infrastructure and can generate comprehensive audit logs.

These logs should track various actions related to emails and their attachments, such as when emails are accessed, who accessed them, and the specific actions taken, including whether emails or their attachments were opened, forwarded, or downloaded.

Such detailed tracking helps organisations verify that only authorised personnel access sensitive information, safeguarding against potential data breaches.

4. Revoke

Financial organisations should have the capability to revoke misfired emails if they are sent to the wrong recipient.

Email revocation allows the sender to remove a recipient’s access to an email, preventing them from viewing the message and any attachments.

It should be possible to revoke access even after the email has been opened, which is crucial in cases where emails contain sensitive information that should not be disclosed to unintended recipients.

For instance, the ability to quickly revoke access helps mitigate damage in cases where sensitive information is sent to the wrong recipient, ensuring immediate corrective action can be taken to maintain confidentiality.

What Regulation Does Email Revoke Fulfil?

For financial organisations, particularly those handling significant volumes of sensitive data, the ability to revoke access to an email directly supports compliance with GDPR requirements and provides an additional layer of security and control over data transmissions.

The principles set forth by the GDPR emphasise the need for control over personal data, including the ability to erase data when it is no longer necessary or if it is handled improperly.

Under ICO guidance, if an email or attachment is recalled successfully before being accessed by an unauthorised party, the incident may not need to be reported as a data breach.

This stresses the importance of having mechanisms in place to quickly correct errors in data handling, which supports the broader GDPR principles of accountability and integrity in data processing.

Consequences of non-compliance: UK GDPR can have a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements. The EU GDPR sets a slightly higher maximum limit at €20 million (£18 million) or 4% of annual global turnover.

How To Revoke Emails

The ICO recommends that, in the event of a data breach, organisations should:

'Act quickly. Try to recall the email as soon as possible. If you can’t recall it, contact the person who received it and ask them to delete it. In the future, consider turning off the Autofill tool when sending work emails. The 72 hours following a personal data breach are particularly critical.'

The ability to recall emails is a feature offered by many email providers, including Microsoft Outlook.

However, these capabilities are often limited and rely on several conditions being met, including compatibility with the recipient's email client. Outlook's recall, for example, generally works only within the same organisation's mail system and before the recipient has opened the message.

For more reliable and robust revocation, investing in a dedicated secure email solution will provide your organisation with more granular control over outbound messages and attachments.

The key features to look for in an email revocation system include:

  • Timeliness - The ability to quickly revoke access to an email once a mistake is identified.
  • Control - Senders should have the ability to manage and revoke emails from their sent items, and administrators should be able to invoke a revocation through a management console.
  • Notification - Notifications to senders when an email has been accessed, providing an opportunity to assess the potential impact.
  • Integration - The system should integrate smoothly with existing email platforms to ensure ease of use.

Adopting such a comprehensive email revocation system not only minimises the risks associated with misdirected emails but also reinforces your organisation's commitment to data security and regulatory compliance.

5. Reply

Financial organisations should provide customers with a safe way to interact with them when sending sensitive information, facilitating two-way secure communication.

When it comes to email security and compliance, the focus is often placed on protecting against inbound and outbound threats to a business's data.

However, it is equally important to ensure that personal information being sent into your business from clients and partners is protected.

This can be achieved through a secure reply function, which enables clients to respond to emails safely using the same technology that your business utilises for outbound communications.

What Regulation Does Secure Reply Fulfil?

A secure reply mechanism directly supports compliance with several key regulations, including GDPR and the Consumer Duty, recently implemented by the Financial Conduct Authority (FCA).

The Consumer Duty emphasises the importance of firms acting to deliver good outcomes for their customers, which specifically includes principles around communication. FCA-regulated firms are now required to:

'Support their customers’ understanding by ensuring that their communications meet the information needs of customers, are likely to be understood by customers intended to receive the communication, and equip them to make decisions that are effective, timely and properly informed.'

They are also required to protect their clients from foreseeable harm and protect the information that customers entrust to them.

An FCA consultation paper states that 'Firms should maintain a reasonable level of support during service disruptions, such as temporary works, IT outages, or cyber-attacks.'

Consequences of non-compliance: Companies may face fines and penalties if found in violation of consumer protection laws. These fines can be substantial, depending on the severity and nature of the breach.

Businesses might also be required to compensate consumers who suffered harm due to their failure to adhere to consumer duty. This could include refunding money, providing additional services without charge, or compensating for damages or distress caused.

How To Set Up Secure Reply

While there are some aspects of client communications that you can’t control, such as the email client or device they use, you can enhance their experience by providing them with the capability to reply securely.

Many secure email solutions not only allow you to send secure outbound messages and attachments but also enable your clients to directly reply to these emails in a secure thread, affording them the same protections that you use, including email encryption.

When analysing a secure email solution for suitability, it is vital to consider not only how it will impact your organisation, but your clients too. Some key points to cover when implementing secure reply functionality are:

  • User Experience - The process should be straightforward and user-friendly to encourage adoption and minimise confusion. This includes clear instructions and possibly customer support to aid with initial setup or troubleshooting.
  • Compatibility - Ensure that the secure reply feature is compatible with a range of devices and email clients. This flexibility can prevent potential barriers to communication and ensure a seamless experience for all users.

By effectively implementing secure reply features, your organisation not only enhances client trust and satisfaction but also upholds stringent security standards essential for protecting sensitive communications.

How To Remain Compliant: Additional Actions

Several other steps should be carried out within your organisation to adhere to data security regulations:

Assign a compliance officer - Having an individual in charge of ensuring your organisation adheres to regulations is the best way to guarantee compliance. They can assess your current scope, assist with implementing a compliance strategy and advise on software and processes.

Create an internal security policy - Having a company-wide policy that everyone adheres to will help protect assets and demonstrate a strong commitment to security and compliance.

Educate employees - Compliance solutions are only as strong as the people using them. Teach staff at all levels the fundamentals of regulation and security and how to counteract threats.

Are You Protected?

Is your firm compliant with industry regulations?

As non-compliance can lead to severe penalties, it is crucial for financial organisations to review and enhance their email security regularly to align with evolving regulations and safeguard against emerging threats.

Download our comprehensive compliance checklist to review your practices and ensure alignment with current regulations.

References:

A guide to data security, Information Commissioner's Office, 2024

FCA warns firms to be responsible when handling client data, Financial Conduct Authority, 2020

Encryption, Information Commissioner's Office, 2024

Article 16 Organisational requirements, ESMA, 2024

Conduct of Business Sourcebook, Financial Conduct Authority, 2024

Consumer Duty implementation: good practice and areas for improvement, Financial Conduct Authority, 2024

PRIN 2.1 The Principles, Financial Conduct Authority, 2023

Reviewed By:

Sabrina McClune, 19.06.24

Sam Kendall, 19.06.24