Information Control and the “Need-to-Know” principle

In this first instalment of our Wholesale Conduct thematic blog series, we focus on the challenges of information control and how Deloitte can help.

The control of non-public information (“NPI”) has been and will continue to be an area of focus for the Financial Conduct Authority (“FCA”). The management of NPI at a firm forms the basis for regulators in assessing a firm’s overall conduct framework and its management of market abuse risk. Whilst many firms have worked hard to improve their controls around NPI, the FCA continues to signal areas for improvement [1]. Enforcement actions against individuals who have access to sensitive information and who have subsequently abused that access further signal the personal consequences to individuals, and the reputational damage to firms, of the mismanagement of NPI.


What is Compliance’s role in relation to Information Control and the need-to-know principle?
 

For a compliance function the policies and procedures requiring the establishment of information barriers and associated controls in relation to conflicts of interest and market abuse invariably require the definition of inside information (or material non-public information ("MNPI")) and the need to define NPI more generally. Compliance policies on this topic will typically draw a distinction between MNPI (in respect of which there are specific control requirements) and other NPI which does not amount to MNPI. It is critical that information is properly classified on first receipt. The policy is likely to go on to articulate the concept of “need to know” which should be regarded as the fundamental principle applicable to the handling, use and dissemination of all NPI by anyone in the organisation regardless of position or department. Access to NPI across the organisation should be managed accordingly.

What is the need-to-know principle?
 

"Need-to-know" is in common use but it requires a more detailed articulation to ensure consistency of understanding and to avoid self-serving interpretations. The principle applies to the management of all NPI and extends to the sharing of NPI both within the organisation and externally.

In summary, the need-to-know principle requires, absent permission/consent to the contrary, that all NPI must:

  • Be used and shared only for its intended purpose of origin or creation.
  • Be shared only with individuals who have a legitimate requirement to access it in connection with the intended purpose.
  • Be used and shared respecting obligations of confidentiality and duly considering potential conflicts of interest.

In an investment bank, the need-to-know principle is applied in the context of handling sensitive financial information, proprietary trading strategies, client data, and other confidential matters. Key questions for firms are:

  1. Who owns the controls around information and the “need to know” principle at your firm?
  2. Is the ownership clear to the rest of the organisation?
  3. Which function or person should be taking a lead on it? 


Why is the control of information important?
 

It is essential to restrict access to NPI within the bank to only those individuals who require it to perform their job responsibilities effectively. This principle helps maintain the integrity of the bank's operations, ensures client confidentiality, and protects sensitive data from unauthorised access or potential misuse.

In practice, investment banks should implement the need-to-know principle through a combination of access controls, user permissions, data segregation, and strict information-sharing protocols. Regular training and awareness programmes should also be conducted to educate employees about the importance of confidentiality and data security. By adhering to this principle, investment banks can maintain trust with their clients, comply with regulatory requirements, and mitigate the risks associated with sensitive information.

It is important to recognise that while the control of information within a financial institution is multi-disciplinary, as illustrated by the diagram below showing many functions with related responsibilities, adherence to the need-to-know principle should be universal.  

Key questions for firms are:

  1. To what extent do these functions co-ordinate to ensure they are following consistent rather than independent and potentially contradictory approaches in relation to information control?
  2. Which individual or function is responsible for ensuring that the controls are applied consistently and effectively?


What are the common challenges?
 

The control of information is a complex task. The intricate web of data, including sensitive client information, proprietary trading strategies, market-moving transactions, and risk assessments, demands clarity in information ownership and control.

From our experience having worked with firms of varying size and complexity and through recent communications by the regulator, the most common challenges faced by firms concern the following:

  • Poor governance and ownership: Given the multi-faceted nature of information control, it can be difficult to ensure clarity of ownership and the consistent application of fundamental principles such as need-to-know across relevant areas of the firm, from top management to print rooms. In this context, firms should consider the responsibilities under the Senior Managers and Certification Regime (SMCR) and whether there are any gaps.
  • Failure to identify NPI: Firms lack the controls and processes to effectively and consistently identify and correctly classify NPI within their business. For example, firms have been found either to fail to identify instances where MNPI has been received, or to misidentify the timing of its receipt, so that insider lists are not created or are created incorrectly, which has resulted in regulatory action.
  • Ineffective electronic controls: Electronic access to NPI (for example, access to shared drives, folders and chat rooms) is not regularly monitored and challenged for appropriateness and frequency.
  • Insufficient control of MNPI: The management of MNPI is not sufficiently controlled. The need-to-know principle dictates that it is inappropriate to share with too many people “just in case.” We are all aware of concerns that insider lists are too long because the information has been shared broadly or the lists do not accurately reflect who has accessed MNPI at any given time because they include people with system access or groups which are designated as “permanent insiders.” For example, you should not share NPI with broad email groups, or grant access to whole teams/departments as a means of assigning a task to one person or a sub-set.  
  • Drive to cross-sell overriding internal protocols: Business lines seek to improve cross-selling opportunities with clients without following the procedures for obtaining client knowledge and consent. The use of NPI for a purpose other than that originally intended arguably requires a broader permission from the client to allow the NPI to be shared for the purpose of cross-selling. Terms of business, where they exist, may provide such a permission, but these need to be checked, and employees must be aware of overriding terms, e.g. where a confidentiality agreement is in place.
  • Lack of training and awareness: Firms lack scenario-based training to make the principle relevant to the scale and complexity of the business and/or functions the individuals operate in.
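As an added illustration of the electronic-control and MNPI points above (this is not Deloitte's tooling or code from this blog), the following Python review expands a constructed folder ACL through group membership, reconciles the resulting access against a constructed insider list and access log, and flags whole-team grants, people who hold access but are not on the list, and listed insiders who never accessed the information. The deal folder, user names and group are all hypothetical.

```python
"""Need-to-know access review over a constructed ACL, group map, insider
list and access log. Added illustration only; not Deloitte's tooling."""
from collections import defaultdict

# Constructed sample data for a hypothetical deal folder ("Project Falcon").
ACL = [("alice", "user"), ("bob", "user"), ("grp-ecm-desk", "group")]
GROUPS = {"grp-ecm-desk": {"carol", "dave", "erin"}}   # whole-team grant
INSIDER_LIST = {"alice", "bob", "carol"}                # who should know
ACCESS_LOG = [("alice", "open"), ("carol", "open"),     # constructed log
              ("dave", "open"), ("alice", "open")]


def expand_acl(acl, groups):
    """Map each effective user to the ACL entry that grants the access."""
    grants = {}
    for principal, kind in acl:
        members = groups.get(principal, set()) if kind == "group" else {principal}
        for user in members:
            grants.setdefault(user, principal)
    return grants


def review_access(acl, groups, insider_list, access_log):
    """Return findings keyed by the need-to-know failure they represent."""
    grants = expand_acl(acl, groups)
    accessed = {user for user, _ in access_log}
    findings = defaultdict(list)
    # Access granted to a whole group rather than named individuals.
    for principal, kind in acl:
        if kind == "group":
            findings["group_grant"].append(principal)
    # People who can reach the MNPI but are not recorded as insiders.
    for user, via in sorted(grants.items()):
        if user not in insider_list:
            findings["access_not_on_list"].append((user, via))
    # Listed insiders with no access, or who never actually looked.
    for user in sorted(insider_list):
        if user not in grants:
            findings["listed_without_access"].append(user)
        elif user not in accessed:
            findings["listed_but_never_accessed"].append(user)
    # Actual access by someone the insider list does not reflect.
    for user in sorted(accessed - insider_list):
        findings["accessed_not_on_list"].append(user)
    return dict(findings)


if __name__ == "__main__":
    for issue, items in review_access(ACL, GROUPS, INSIDER_LIST, ACCESS_LOG).items():
        print(f"{issue}: {items}")
```

Each finding maps to a review question the page raises: remove the group grant and name individuals, add or remove people from the insider list, and challenge access that was granted but never needed.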


How can Deloitte help?
 

Successfully addressing these challenges requires a comprehensive approach that combines informative policies and procedures, technological solutions, employee education, and effective governance practices.

We can help firms design effective information controls, from classification of information, to devising ownership parameters to implementing robust security measures and data governance policies, all of which will help to protect NPI and foster a culture of responsibility and accountability within the organisation. Underpinning the success of those information controls, we can devise and deliver tailored training to employees at your firm.  

The need-to-know principle need not act as a hindrance to internal collaboration and cross-selling opportunities. If applied correctly, it can optimise a firm’s business and improve its reputation for the safe management of client confidential data.

If you would like to discuss the regulators’ expectations/your requirements further, please contact any author of this blog.

_____________________________________________________________________________

References:

[1] Recent examples of FCA publications include FCA Market Watch 60 and 71 on inside information and insider lists, Market Watch 75 on market soundings, and the FCA’s letter to Corporate Finance Firms summarising poor information controls observed at CFF firms.