Whilst it’s the FCA that requires the undertaking of a report by a skilled person, it’s the regulated firm being investigated that commissions it in agreement with the FCA and also bears the cost of this report. The ‘skilled person’ will normally report directly to the FCA as well as to the firm being investigated.

Normally a skilled person’s report will focus on specific regulatory issues, such as the protection and processing of customer data and the correct policies, procedures and processes required to be implemented in order to comply with the law.

The commissioning of a Section 166 report usually indicates that a firm is in regulatory difficulties and the report will generally establish the extent of any problems and/or the degree of customer detriment or remedial action required.

In such circumstances, the commissioning of the report is just one step in the process and the FCA will expect the firm to address, in short order, any issues identified.

“Smaller firms within financial services aren’t immune to this level of oversight. Thematic reviews are increasingly used to pick wider-market readiness topics such as data protection and privacy and this often includes sampling the best of breed and the worst offenders and also often asking auditors and outsourcers for their inside information,” warns Foss.

The regulators now have memoranda of understanding (MOUs) between them, and this reflects the way in which Data Protection Authorities (DPAs) are now expected to ‘hold hands’ in the EU with respect to the harmonisation of the application of the GDPR across all 28 Member States.

“This level of collaborative working between the FCA and the Information Commissioner’s Office will result in operational risk principles being applied in a more consistent manner – and specifically to avoid financial services firms using regulatory gaps or differences in approach to their benefit,” concludes Foss.