concentric logo

FCA and PRA (UK) Compliance with Concentric AI

September 15, 2023
Cyrus Tehrani
5 min read

The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) are two major regulatory bodies in the UK that oversee financial institutions and their operations. While both have regulations and guidelines related to privacy and data protection, their primarily focus is on financial regulations.

Financial Conduct Authority (FCA)

The FCA is responsible for regulating financial firms that provide services to consumers and maintains the integrity of the financial markets in the UK. While the FCA does not directly enforce data protection laws, it expects firms to have systems and controls in place to protect customer data — in line with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

The FCA has issued guidance on how firms should handle personal data and has taken enforcement actions against firms that have failed to protect customer data adequately.

Prudential Regulation Authority (PRA)

The PRA is part of the Bank of England and is responsible for the prudential regulation and supervision of banks, building societies, credit unions, insurers, and major investment firms.

Like the FCA, the PRA expects firms to have robust systems and controls in place to protect customer data.The PRA’s focus is more on a firm’s financial resilience and stability but also considers operational risks — including those related to data breaches and IT failures.

Both the FCA and PRA work in conjunction with the Information Commissioner’s Office (ICO) — the main regulatory body for data protection in the UK. The ICO enforces the GDPR and the Data Protection Act 2018 and has the power to issue fines for breaches.

What are the differences between FCA, PRA and GDPR?

Because the FCA and PRA are closely tied to the GDPR, it’s important to make distinctions between the three regulatory bodies regarding their purpose, scope and enforcement.

When it comes to data protection, however, both regulatory bodies fall under the GDPR.


FCA: The primary focus of the FCA is to regulate financial services firms and financial markets in the UK. It aims to protect consumers, enhance market integrity, and promote competition in the interests of consumers.

PRA: The PRA’s primary role is the prudential regulation and supervision of banks, building societies, credit unions, insurers, and major investment firms. It focuses on the financial resilience and stability of these institutions.

GDPR: The General Data Protection Regulation (GDPR) is all about the protection of personal data and the rights of individuals. Its main goal is to give control back to EU citizens and residents over their personal data and to simplify the regulatory environment for international businesses.


FCA: The FCA’s regulations apply specifically to financial services firms operating in the UK.

PRA: The PRA’s regulations apply specifically to the financial institutions it supervises, ensuring they have adequate capital and safeguards in place to prevent risks to the broader financial system.

GDPR: GDPR has a broader scope and applies to all organizations operating within the EU and those outside the EU that offer goods or services to individuals in the EU.


FCA: The FCA has the authority to take enforcement actions against firms that fail to comply with its regulations, which can include fines, sanctions, or revoking licenses.

PRA: The PRA can take enforcement actions against institutions that fail to meet its prudential standards, which can include fines, sanctions, or other measures to ensure financial stability.

GDPR: The GDPR is enforced by national data protection authorities in each EU member state, and has the power to impose significant fines on organizations that breach the regulation.

Concentric’s Role in FCA and PRA Compliance

Concentric AI offers a robust solution to help firms doing business in the UK with GDPR compliance. Since GDPR is much more broad in scope, you’ll find everything you need to know here.

But let’s explore the 4 key challenges UK companies face when managing FCA and PRA compliance.

  • Comprehensive data discovery and categorization
  • Autonomous risk monitoring
  • Meeting regulatory mandates
  • Efficient response to data request

Comprehensive Data Discovery and Categorization

The Challenge: Enterprises manage millions of documents daily, many of which contain personally identifiable information (PII) and other sensitive data that’s challenging to locate and safeguard.

Concentric AI’s Solution: Concentric AI’s Semantic Intelligence solution leverages advanced machine learning to autonomously scan and categorize data — from financial details to PII/PHI/PCI and business confidential information — no matter where it’s stored. This ensures that firms are aware of where their sensitive data resides, helping them comply with FCA and PRA’s expectations and GDPR’s rules.

Autonomous Risk Monitoring

The Chalienge: Continuous risk monitoring of data is a daunting task for IT and security teams, especially with the dynamic nature of data sharing and access in a cloud-based workplace that is increasingly remote or hybrid.

Concentric AI’s Solution: Concentric AI offers the capability to autonomously discover how PII/customer data is used, with whom it’s shared, and who accessed it. This helps in quickly and accurately identifying risks like inappropriate permissions, risky sharing, and unauthorized access, aligning with the FCA and PRA’s emphasis on robust systems and controls.

Meeting Regulatory Mandates

The Challenge: Regulatory mandates like breach notifications, right-to-know, and right-to-be-forgotten requests are becoming standard across all industries, increasing the degree of difficulty for data protection.

Concentric AI’s Solution: Concentric AI helps companies in meeting regulatory and security mandates, demonstrating control to auditors, and implementing zero-trust access practices. Our autonomous remediation rectifies access issues, reducing the likelihood of data loss or governance violations and adhere to FCA and PRA’s guidelines.

Efficient Response to Data Requests

The Challenge: Responding to data access audits and data subject access requests (DSAR) is crucial for regulatory compliance.

Concentric AI’s Solution: Concentric AI helps discover PII data, understand how its  used, and continuously assesses it for risk. Our solution also helps firms in responding to data access audits and DSARs. Even better, Concentric AI proactively detects and remedies risks from sharing and access violations, ensuring adherence to various privacy regulations, including those set by FCA and PRA.

Want to see firsthand, with your own data, how you can quickly and easily deploy Concentric’s solution and identify sensitive data so you can comply with FCA or PRA and also respond to DSAR requests? Book a demo today, and you’ll get all the compliance information you need — all without rules, regex, or end-user involvement.


Libero nibh at ultrices torquent litora dictum porta info [email protected]

Getting started is easy

Start connecting your payment with Switch App.