ICT Systems

The request was partially successful.

Dear The Financial Conduct Authority,
What applications are you running for: Finance, HR, Payroll, Procurement, CRM, Business Intelligence (BI)?
For each of the above applications:
Who is the vendor(s)?
What Version(s) are you running?
When was the last major software upgrade?
When is the next planned upgrade?
Who provides 2nd and 3rd line Support and Maintenance (S&M) for these applications?
What is the approximate value of the current annual S&M contract? (a range is fine)
When is the S&M renewal date?
Do you plan to extend S&M at the next renewal?
Who is responsible for these business areas?
Is there a longer term strategy to replace the applications / software mentioned?
Are you running any Oracle or SAP databases, if so what versions are you running?
Are you planning any database upgrades in the next 12-18 months?
Who provides 2nd and 3rd line S&M for these databases?
What is the approximate value of these contracts? (a range is fine)
When is the S&M renewal date?
Do you plan to extend S&M at the next renewal?
Who is responsible for looking after the contract for the Oracle and/or SAP application estate?
Who is responsible for looking after the licenses for the Oracle and/or SAP DB estate?
Yours faithfully,
Mike

The Financial Conduct Authority

Thank you for e-mailing the Financial Conduct Authority's Information Access Team. This is an automatic acknowledgement to tell you we have received your email safely. Please do not reply to this email. We will be in touch in due course.

This communication and any attachments may contain personal information. For more information about how and why we use personal information and who to contact with any queries about this, please see our privacy notices: FCA Privacy Notice (https://www.fca.org.uk/data-protection) and PSR Privacy Notice (https://www.psr.org.uk/cookies-privacy-a...).

This communication and any attachments contain information which is confidential and may be subject to legal privilege. It is for intended recipients only. If you are not the intended recipient you must not copy, distribute, publish, rely on or otherwise use it without our consent. Some of our communications may contain confidential information which it could be a criminal offence for you to disclose or use without authority. If you have received this email in error please notify [email address] immediately and delete the email from your computer. Further information on the classification and handling of FCA information can be found on the FCA website (http://www.fca.org.uk/site-info/legal/fc...).

The FCA (or, if this email originates from the Payment Systems Regulator Limited, the FCA on behalf of the Payment Systems Regulator Limited / the Payment Systems Regulator Limited) reserves the right to monitor all email communications for compliance with legal, regulatory and professional standards.

This email is not intended to nor should it be taken to create any legal relations or contractual relationships. This email has originated from the Financial Conduct Authority (FCA), or the Payment Systems Regulator Limited.

The Financial Conduct Authority (FCA) is registered as a limited company in England and Wales No. 1920623. Registered office: 25 The North Colonnade, Canary Wharf, London E14 5HS, United Kingdom

The Payment Systems Regulator Limited is registered as a limited company in England and Wales No. 8970864. Registered office: 25 The North Colonnade, Canary Wharf, London E14 5HS, United Kingdom

Switchboard 020 7066 1000

Web Site http://www.fca.org.uk (FCA); http://www.psr.org.uk (the Payment Systems Regulator Limited)

Freedom of Information, The Financial Conduct Authority

3 Attachments

Our ref: FOI6973

 

Dear Mr Cattermole

 

Freedom of Information: Right to know request

 

We refer to your request under the Freedom of Information Act 2000 (“the
Act”) for the following information:

 

What applications are you running for: Finance, HR, Payroll, Procurement,
CRM, Business Intelligence (BI)?

For each of the above applications:

Who is the vendor(s)?

What Version(s) are you running?

When was the last major software upgrade?

When is the next planned upgrade?

Who provides 2nd and 3rd line Support and Maintenance (S&M) for these
applications?

What is the approximate value of the current annual S&M contract? (a range
is fine)

When is the S&M renewal date?

Do you plan to extend S&M at the next renewal?

Who is responsible for these business areas?

Is there a longer term strategy to replace the applications / software
mentioned?

Are you running any Oracle or SAP databases, if so what versions are you
running?

Are you planning any database upgrades in the next 12-18 months?

Who provides 2nd and 3rd line S&M for these databases?

What is the approximate value of these contracts? (a range is fine)

When is the S&M renewal date?

Do you plan to extend S&M at the next renewal?

Who is responsible for looking after the contract for the Oracle and/or
SAP application estate?

Who is responsible for looking after the licenses for the Oracle and/or
SAP DB estate?

 

Your request is currently being considered and, in doing so, we are of the
view that the following qualified exemptions under the Act may apply:

 

• Section 31 (law enforcement)
• Section 43 (commercial interests)

 

This is because we consider that disclosure would, or would be likely to,
prejudice the prevention or detection of crime by the FCA.

 

In addition, we consider that disclosure would, or would be likely to,
prejudice the commercial interests of any person (including the public
authority holding it).

 

As this is the case, the FCA is required to weigh the public interest in
maintaining the exemption against the public interest in disclosing any
information.

 

By virtue of section 10(3), where public authorities have to consider the
balance of the public interest in relation to a request, they do not have
to comply with the request until such time as is reasonable in the
circumstances.  The FCA has not yet reached a decision on the balance of
the public interest.  Due to the need to consider, in all the
circumstances of the case, where the balance of the public interest lies
in relation to the information that you have requested, the FCA will not
be able to respond to your request in full within 20 working days.  In
these circumstances, we hope to be in a position to respond to you by 19
February 2020, although should we be in a position to contact you sooner
we will do so.

 

Yours sincerely

 

 

Information Disclosure Team / Cyber and Information Resilience Department
/ Operations


12 Endeavour Square

London

E20 1JN

 

www.fca.org.uk

Freedom of Information, The Financial Conduct Authority

3 Attachments

Our ref: FOI6973

 

Dear Mr Cattermole

 

We write further to our email of 22 January 2020 about your request under
the Freedom of Information Act 2000 (“the Act”) for the information about
the application we are running for Finance, HR, Payroll, Procurement, CRM,
Business Intelligence (BI).

 

The FCA is still not in a position to reply to your right to know request,
as a decision has yet to be reached on the balance of public interest in
respect of the information you seek.  It is therefore necessary to extend
the date for responding to you.  We hope to respond to you by 18 March
2019, though should we be in a position to contact you sooner we will do
so.

 

In the meantime, thank you for your understanding and patience.

 

Yours sincerely,

 

Information Disclosure Team / Cyber and Information Resilience Department
/ Operations


12 Endeavour Square

London

E20 1JN

 

www.fca.org.uk

Freedom of Information, The Financial Conduct Authority

3 Attachments

Our ref: FOI6973

 

Dear Mr Cattermole

 

We write further to our email of 19 February 2020 about your request under
the Freedom of Information Act 2000 (“the Act”) for the information about
the application we are running for Finance, HR, Payroll, Procurement, CRM,
Business Intelligence (BI).

 

The FCA is still not in a position to reply to your right to know request,
as a decision has yet to be reached on the balance of public interest in
respect of the information you seek.  It is therefore necessary to extend
the date for responding to you.  We hope to respond to you by 25 March
2019, though should we be in a position to contact you sooner we will do
so.

 

In the meantime, thank you for your understanding and patience.

 

Yours sincerely,

 

Information Disclosure Team / Cyber and Information Resilience Department
/ Operations


12 Endeavour Square

London

E20 1JN

 

www.fca.org.uk

Freedom of Information, The Financial Conduct Authority

3 Attachments

Our ref: FOI6973

 

Dear Mr Cattermole

 

Freedom of Information: Right to know request

 

Thank you for your request dated 20 December 2019 received under the
Freedom of Information Act 2000 (“the Act”). You asked for information
about our Finance, HR, Payroll, Procurement, CRM, and Business
Intelligence (BI) systems.

 

We previously wrote to you to advise that we needed additional time to
consider your request, as we considered that section 31 (law enforcement)
and section 43 (commercial interests) might apply to some of the
information and a decision had not yet been reached on the balance of
public interest in respect of that information. We have now completed that
exercise and can confirm that the section 31 exemption does apply, but
section 43 does not.

 

Your request has now been considered and we have answered each point in
turn:

 

 1. What applications are you running for each of the following
applications: Finance, HR, Payroll, Procurement, CRM, Business
Intelligence (BI)?

 

We are unable to disclose what applications we are running as disclosure
would, or would be likely to, prejudice the prevention or detection of
crime. Therefore, we consider that section 31 (law enforcement) of the Act
applies for the reasons set out in Annex A below.

 

 2. Who is the vendor(s)?

 

Oracle and CGI are the vendors for our Payroll application and Oracle is
the vendor for all the other systems.

 

 3. What Version(s) are you running?

 

We are unable to disclose what versions we are running as disclosure
would, or would be likely to, prejudice the prevention or detection of
crime.  Therefore, we consider that section 31 (law enforcement) of the
Act applies for the reasons set out in Annex A below.

 

 

 4. When was the last major software upgrade?

 

We are unable to disclose when the last major software update occurred, as
disclosure would, or would be likely to, prejudice the prevention or
detection of crime. Therefore, we consider that section 31 (law
enforcement) of the Act applies for the reasons set out in Annex A below.

 

 5. When is the next planned upgrade?

 

We are unable to disclose when the next software update is planned, as
disclosure would, or would be likely to, prejudice the prevention or
detection of crime. Therefore, we consider that section 31 (law
enforcement) of the Act applies for the reasons set out in Annex A below.

 

 6. Who provides 2nd and 3rd line Support and Maintenance (S&M) for these
applications?

 

• SopraSteria and Support Revolution provide 2nd and 3rd line Support and
Maintenance for Oracle. However, we are unable to disclose which
applications they are supporting as disclosure would, or would be likely
to, prejudice the prevention or detection of crime. Therefore, we consider
that section 31 (law enforcement) of the Act applies for the reasons set
out in Annex A below.

• CGI provide 2nd and 3rd line Support and Maintenance for payroll.

 

 7. What is the approximate value of the current annual S&M contract? (a
range is fine) When is the S&M renewal date?

 

• SopraSteria - £0.75-1.5m and is due for renewal in September 2023.

• Support Revolution - £2-3m and is due for renewal April 2021.

• CGI - £0.1-0.5m and is due for renewal November 2022.

 

 8. Do you plan to extend S&M at the next renewal?

 

It is yet to be confirmed whether we will extend the S&M contract at the
next renewal.

 

 9. Who is responsible for these business areas?

 

The Enterprise wide Resource Planning Product Group within Infrastructure
and Operations Department.

 

10. Is there a longer-term strategy to replace the applications / software
mentioned?

 

Yes.

 

11. Are you running any Oracle or SAP databases, if so what versions are
you running?

 

Yes, but we are unable to disclose which versions we are running as
disclosure would, or would be likely to, prejudice the prevention or
detection of crime. Therefore, we consider that section 31 (law
enforcement) of the Act applies for the reasons set out in Annex A below.

 

 

12. Are you planning any database upgrades in the next 12-18 months?

 

No.

 

13. Who provides 2nd and 3rd line S&M for these databases?

 

Support Revolution, Steria and CGI.

 

14. What is the approximate value of these contracts (a range is fine)?
When is the S&M renewal date?

 

• SopraSteria - the approximate value of this contract is £0.75 - £1.5m
and is due for renewal in September 2023.

• Support Revolution – the approximate value of this contract is £2m - £3m
and due for renewal in April 2021.

• CGI – the approximate value of these contracts is £0.1M and £0.5m and
is due for renewal in November 2022.

 

15. Do you plan to extend S&M at the next renewal?

 

It is still to be decided if we plan to extend S&M at the next renewal.

 

16. Who is responsible for looking after the contract for the Oracle
and/or SAP application estate?

 

The Enterprise wide Resource Planning Product Group within Infrastructure
and Operations.

 

17. Who is responsible for looking after the licenses for the Oracle
and/or SAP DB estate?

 

The Enterprise wide Resource Planning Product Group within Infrastructure
and Operations.

 

If you are unhappy with this response, you have the right to request an
internal review.  If you wish to exercise this right you should contact
the Information Disclosure Team within 40 working days of the date of this
response.

 

If you are not content with the outcome of the internal review, you also
have a right of appeal to the Information Commissioner at Information
Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9
5AF.  Telephone: 01625 545 700.  Website: www.ico.org.uk

 

 

Yours sincerely

 

Information Disclosure Team / Cyber and Information Resilience Department
/ Operations


12 Endeavour Square

London

E20 1JN

 

www.fca.org.uk

 

Annex A

 

• Section 31 (Law enforcement)

 

The qualified exemption in section 31(1)(a) of the Act applies because
disclosure of the information requested would, or would be likely to,
prejudice the prevention or detection of crime.

 

As explained in our letter, this exemption applies to points 1, 3, 4, 5,
6, and 11 of your request in that such information, if disclosed would, or
would be likely to, prejudice the prevention or detection of crime as
disclosure would enable criminals to draw conclusions about our cyber
security capability and in turn, may encourage them to launch
cyber-attacks on our systems.

 

This exemption is qualified and we have balanced the public interest for
and against disclosure as required by the Act.

 

For disclosure

 

• There is a strong public interest in favour of transparency and in the
public being reassured that we are taking the necessary precautions to
ensure that our information systems, some of which hold information on
the firms and individuals that we regulate, are secure and safe from
cyber-attacks.

• Disclosure of the information would demonstrate how the FCA responds
to the ever-increasing threat of its systems being compromised.

Against disclosure

• In addition to the arguments set out above, there is a strong public
interest in the FCA being able to keep their systems safe and secure
from cyber-attacks to ensure our role as financial regulator is not
compromised.

 

On this occasion, we have concluded that the balance of the public
interest is in favour of maintaining the exemption under section 31 of the
Act, for the reasons set out above.

 

 
