Last week, our colleague Ellesheva Kissin reported that an anonymous internal whistleblower at the FCA had been outed by the chairman of the regulator.
According to the Financial Times, which broke the story, Ashley Alder had forwarded communication from the whistleblower, who had been asking for help, instead of redacting their name and information.
It's basic confidentiality 101 that when someone emails you in confidence, that you are expected to protect that trust and confidence.
And the FCA has this enshrined in its own whistleblowing policy - namely that no revelations would be made without the individual's permission.
One has to assume this was an accident - the alternative would be worrying indeed.
I remember all too well accidentally 'replying to all' with a rude message that I'd only intended for my friend to read and have a chuckle over. I have never back-pedalled so fast in all my born life.
But I was young, and my prefrontal cortex hadn't even finished developing. I certainly wasn't the chairman of the UK's financial services regulator.
According to the FT, although the whistleblower had been dismissed for alleged misconduct in 2021, they had raised concerns to Alder over what the FT called "opaque hiring practices". These had prompted an internal review.
Past performance
Sadly this is not the only concern over data security.
In 2023, the Information Commissioner’s Office ruled that the FCA had breached its data protection obligations.
Back in 2020, as FT Adviser reported, the FCA had been taken to the complaints commissioner over a data breach that saw the names, addresses and telephone numbers of complainants published on the website.
The FCA admitted the breach in February 2020, referred itself to the Information Commissioner’s Office over the incident. The commissioner said the breach was regrettable, but did not uphold the individual's complaint against the regulator, stating there was no evidence to suggest the data had been "misused".
But these three incidents - the ones known to us - do not help to instil confidence in the whistleblowing or complaints process.
How can an adviser or financial services professional have trust that their complaints will be treated in confidence, when former members of staff at the FCA cannot even be 100 per cent convinced of their anonymity?
If I had made three similar errors I'd be hauled over the coals, and rightly so.
Imagine if we, as journalists, were to disclose the name of every adviser who had ever raised an issue with us, or provided the personal details of consumers who come to us looking for help?
It's not enough to tell people to trust you and to encourage people to whistleblow - more has to be done to make the process not only secure but seen to be secure.