Data Protection

Intuitive Support Services Ltd is not regulated by the FCA.  However, we directly support firms who are, and who rely on our service. 

The responsibility for any outsourced business activities, and for compliance with the FCA rules, remains with you as the regulated financial advice firm.  That’s why it’s important that we can give you reassurance about how we’ll handle your client data.

GDPR
Under the GDPR, data controllers (financial advice firms) have a responsibility to use only data processors that can demonstrate compliance with the GDPR.  When you outsource, the firm that you outsource to is effectively your data processor.  Before engaging a third party, you should carry out due diligence on that firm to ensure that it can comply with those requirements.

Where Does Intuitive Hold Data?
We access and use data owned by regulated financial advice firms, with their permission, during the period of engagement.

As intermediaries, financial advice firms are classed as ‘data controllers’.  When we use their data, we are effectively the ‘data processors’, and we have a duty of care in how we handle that data, to ensure that security and confidentiality are maintained.

The regulated financial advice firm may grant us permission to access their data through various different mediums.  For example:

• Back-office system
• Cloud-based filing
• Third-party investment platform
• Product provider online services
• Within an email account at their domain
• Within their own server or hosted desktop

The regulated financial advice firm retains ownership of the data, and control over access rights to all third-party mediums.  The advice firm dictates to us where its data sits, and remains responsible for assessing whether these platforms are secure and compliant with current data protection legislation.  If data goes outside the EEA, the financial advice firm is responsible for informing the data subject, or for seeking consent, wherever it is appropriate to do so.

In the course of business, data may be received into an Intuitive email account, or downloaded onto the Intuitive server, both of which sit within a secure hosted platform.  Data for each advice firm is entirely segregated, and staff access rights are restricted based on security groups and permissions within the firm.  Access is password controlled, with multi-factor authentication as described under System Access below, and all data remains within the UK.

Should a financial advice firm disengage from our service, all data held by Intuitive that is owned by that firm will be deleted from our server within 2 weeks.  Before we delete it, we will ask the financial advice firm whether it requires copies.

Who Does Intuitive Share Data With?
We do not share client data owned by the advice firm with anyone, unless the advice firm instructs us to do so as part of an administrative service.  Likewise, we do not share data held about you, the financial advice firm, with anyone.

Our Due Diligence document confirms what software we might use when providing our service, and you are welcome to request a copy.

Secure Transmission of Data
When sending confidential data from our Intuitive email accounts, we use the Mimecast Secure Messaging Service, a secure channel for sending and receiving sensitive information by email.

Please note, however, that financial advice firms are responsible for providing a method for the secure transmission of their data, whether by email encryption or through a secure communication portal.  When we use an email account at a financial advice firm’s domain, the financial advice firm owns the email account that we use on its behalf, and it remains responsible for the purchase and maintenance of encryption software.

We strongly recommend that you have appropriate technology in place, enabling the secure transmission of your data, in line with the expectations of current data protection legislation.  If you do not have appropriate technology in place, we can discuss implementing a procedure for you whereby we password protect PDF documents attached to your emails.  Please feel free to ask for further details.

System Access
We control access to our systems using Multi-Factor Authentication (MFA), which requires all users to provide two or more verification factors to gain access.  Within our systems, access is further restricted based on security groups and permissions, so staff can only access the data that is essential to their own role.

Internal Policies
We work to extremely strict guidelines when handling client data, and we adhere to the following internal policies:

• Data Protection and Security Policy
• Computer Systems and Internet Policy
• Company Standards and Rules Policy
• Telephone Usage Policy

Our Data Protection and Security Policy covers various areas, including:

• Authentication of Caller
• Authentication of Emails
• Email Encryption and Protection
• Secure Desk Policy
• User ID and Password Policy
• Destruction of Confidential Waste
• Personal Computers, Laptops & Mobile Phones
• Printer, Photocopier and Fax Security

Staff are required to confirm their understanding of, and adherence to, the firm’s policies and procedures annually.  

Due Diligence
We have a detailed due diligence document, which provides further information.  Please feel free to request a copy.

Staff Training
Every member of staff undertakes annual training and testing on:

• Anti-Money Laundering & Financial Crime
• Data Protection
• Cyber Security
• Vulnerable Clients
• Health & Safety

Operational Procedures
We have documented procedures and best practice guidelines in place for our staff.  When supporting you, we will also adhere to your company procedures, whilst taking account of our own best practice guidelines.  For example, if you do not have a method in place to capture a clear and documented audit trail, we’ll still ensure that an audit trail is maintained.

Business Continuity
We have a robust business continuity plan in place, which is reviewed and updated regularly.

Data Protection Registration
Intuitive Support Services Limited is registered with the Information Commissioner’s Office for data protection. 

Non-Disclosure
As you would expect, confidentiality forms part of our Service Agreement, and our Contract of Employment. However, if you would also like us to sign your non-disclosure agreement, we’ll be happy to do so. 

Cyber Essentials Plus
Intuitive is Cyber Essentials Plus certified.

Privacy Policy
Our Privacy Policy is available as a separate document.