Jack Wheeler-Bailey

Dear The Financial Conduct Authority,

Could I please ask the following questions relating to your software systems:
Finance system:
• Who is your current provider?
• When does the contract expire, and do you have extension options?
• What is the value of the contract?
• What modules do you use e.g. general ledger?
• What is your budget?
• When did the contract start?
Procurement system:
• Who is your current provider?
• When does the contract expire, and do you have extension options?
• What is the value of the contract?
• What is your budget?
• When did the contract start?
Invoicing:
• What is your current invoice process?
• Do you have an electronic invoicing system in place?
• If so, when does this expire and is there extension options?
• Who is the current provider?
• What is the value of the contract?
• What is your annual paper usage?

Yours faithfully,

Jack Wheeler-Bailey

The Financial Conduct Authority

Thank you for e-mailing the Financial Conduct Authority's Information Access Team. This is an automatic acknowledgement to tell you we have received your email safely. Please do not reply to this email. We will be in touch in due course.

This communication and any attachments may contain personal information. For more information about how and why we use personal information and who to contact with any queries about this, please see our privacy notices: FCA Privacy Notice (https://www.fca.org.uk/data-protection) and PSR Privacy Notice (https://www.psr.org.uk/cookies-privacy-a...).

This communication and any attachments contain information which is confidential and may be subject to legal privilege. It is for intended recipients only. If you are not the intended recipient you must not copy, distribute, publish, rely on or otherwise use it without our consent. Some of our communications may contain confidential information which it could be a criminal offence for you to disclose or use without authority. If you have received this email in error please notify [email address] immediately and delete the email from your computer. Further information on the classification and handling of FCA information can be found on the FCA website (http://www.fca.org.uk/site-info/legal/fc...).

The FCA (or, if this email originates from the Payment Systems Regulator Limited, the FCA on behalf of the Payment Systems Regulator Limited / the Payment Systems Regulator Limited) reserves the right to monitor all email communications for compliance with legal, regulatory and professional standards.

This email is not intended to nor should it be taken to create any legal relations or contractual relationships. This email has originated from the Financial Conduct Authority (FCA), or the Payment Systems Regulator Limited.

The Financial Conduct Authority (FCA) is registered as a limited company in England and Wales No. 1920623. Registered office: 25 The North Colonnade, Canary Wharf, London E14 5HS, United Kingdom

The Payment Systems Regulator Limited is registered as a limited company in England and Wales No. 8970864. Registered office: 25 The North Colonnade, Canary Wharf, London E14 5HS, United Kingdom

Switchboard 020 7066 1000

Web Site http://www.fca.org.uk (FCA); http://www.psr.org.uk (the Payment Systems Regulator Limited)

Freedom of Information, The Financial Conduct Authority

1 Attachment

Our ref:        FOI6677

 

Dear Mr Wheeler-Bailey

 

Freedom of Information: Right to know request

 

We refer to your request under the Freedom of Information Act 2000 (“the
Act”) for information concerning our Finance, Procurement and Invoicing
systems. Please see Annex A for full details of your request.

 

Your request is currently being considered and, in doing so, we are of the
view that the following qualified exemption/s under the Act may apply:

 

o section 31 (law enforcement);
o section 43 (commercial interests).

 

This is because we consider that disclosure would, or would be likely to,
prejudice the exercise by the FCA of its functions under FSMA.

 

In addition, we consider that disclosure would, or would be likely to,
prejudice the commercial interests of any person (including the public
authority holding it).

 

As this is the case, the FCA is required to weigh the public interest in
maintaining the exemption/s against the public interest in disclosing any
information.

 

By virtue of section 10(3), where public authorities have to consider the
balance of the public interest in relation to a request, they do not have
to comply with the request until such time as is reasonable in the
circumstances.  The FCA has not yet reached a decision on the balance of
the public interest.  Due to the need to consider, in all the
circumstances of the case, where the balance of the public interest lies
in relation to the information that you have requested, the FCA will not
be able to respond to your request in full within 20 working days.  In
these circumstances, we hope to be in a position to respond to you by 2
October 2019, although should we be in a position to contact you sooner we
will do so.

 

Yours sincerely

 

Information Disclosure Team / Cyber and Information Resilience Department
/ Operations


12 Endeavour Square

London

E20 1JN

 

[2]www.fca.org.uk

 

Annex A

 

Request received on 6 August 2019:

 

“Could I please ask the following questions relating to your software
systems:

 

Finance system:

•Who is your current provider?

•When does the contract expire, and do you have extension options?

•What is the value of the contract?

•What modules do you use e.g. general ledger?

•What is your budget?

•When did the contract start?

 

Procurement system:

•Who is your current provider?

•When does the contract expire, and do you have extension options?

•What is the value of the contract?

•What is your budget?

•When did the contract start?

 

Invoicing:

•What is your current invoice process?

•Do you have an electronic invoicing system in place?

•If so, when does this expire and is there extension options?

•Who is the current provider?

•What is the value of the contract?

•What is your annual paper usage?”

 

 

 


The Financial Conduct Authority (FCA) is registered as a limited company
in England and Wales No. 1920623. Registered office: 12 Endeavour Square,
Stratford, London, E20 1JN, United Kingdom

The Payment Systems Regulator Limited is registered as a limited company
in England and Wales No. 8970864. Registered office: 12 Endeavour Square,
Stratford, London, E20 1JN, United Kingdom


References

Visible links
2. http://www.fca.org.uk/

Freedom of Information, The Financial Conduct Authority

3 Attachments

Our ref:         FOI6677

 

Dear Mr Wheeler-Bailey

 

Freedom of Information: Right to know request

 

Thank you for your request, which we received on 6 August 2019, under the
Freedom of Information Act 2000 (the Act) for information on our finance,
procurement and invoicing systems. Please see Annex A for full details of
your request.

 

On 4 September 2019, we advised you that we required more time to balance
the “public interest” arguments for and against disclosure in relation to
the information you are seeking. We have now completed that work and our
response is below.

 

Your request has now been considered and we can confirm that we hold the
information requested.  The information we can provide to you is set out
below.

 

Finance system:

• Who is your current provider?
  Answer: Oracle E business suite

• When does the contract expire, and do you have extension options?
  Answer: We have a perpetual licence in place

• What is the value of the contract?
  Answer: We pay a third party to support this system and can confirm the value of the contract to be between £1m to £2.5m [exact value exempt under s43 – commercial interests]

• What modules do you use e.g. general ledger?
  Answer: Exempt under s31 – law enforcement

• What is your budget?
  Answer: As contract value

• When did the contract start?
  Answer: We have bought perpetual Oracle Financial licences at various dates, the first contract started on 24/04/2004

Procurement system:

• Who is your current provider?
  Answer: BIP Solutions Ltd

• When does the contract expire, and do you have extension options?
  Answer: 31/01/2021, extension option is for two possible extensions of 12 months

• What is the value of the contract?
  Answer: £10-£25k [exact value exempt under s43 – commercial interests]

• What is your budget?
  Answer: As contract value

• When did the contract start?
  Answer: 01/02/2019

Invoicing:

• What is your current invoice process?
  Answer: Our invoice system is described on the FCA website - [1]https://www.fca.org.uk/firms/fees

• Do you have an electronic invoicing system in place?
  Answer: Yes, please see description on the FCA website [2]https://www.fca.org.uk/firms/fees/online...

• If so, when does this expire and is there extension options?
  Answer: We have perpetual licenses which do not expire

• Who is the current provider?
  Answer: Oracle E business suite

• What is the value of the contract?
  Answer: We pay a third party to support this system and can confirm the value of the contract to be between £1m to £2.5m [exact value exempt under s43 – commercial interests]

• What is your annual paper usage?
  Answer: Over 90% of our customers (firms) are now “paperless”. Our expected usage of paper for issuing paper invoices for the year 2019/20 is c18,000 sheets of A4, plus c6,500 C5 envelopes.

 

As explained in the tables above, we are unable to disclose the modules
used for our finance system as disclosure would, or would be likely to,
prejudice the prevention or detection of crime. Therefore, we consider
that section 31 (law enforcement) of the Act applies.

 

Further, we consider that disclosure of the exact contract value of the
procurement, finance and invoicing systems could prejudice the commercial
interests of the FCA and our suppliers were it to be made public, and
therefore the exemption at section 43 (commercial interests) of the Act
applies. Nonetheless, with a view to providing you with as much
information as we can, we have provided the value of the contract as a
range.

 

A detailed explanation as to why both these exemptions apply can be found
in Annex B.

 

If you are unhappy with the decision made in relation to your request, you
have the right to request an internal review. If you wish to exercise this
right you should contact us within 40 working days of the date of this
response.

 

If you are not content with the outcome of the internal review, you also
have a right of appeal to the Information Commissioner at Information
Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9
5AF. Telephone: 01625 545 700. Website: [3]www.ico.org.uk

 

Yours sincerely

 

Information Disclosure Team / Cyber and Information Resilience Department
/ Operations


12 Endeavour Square

London

E20 1JN

 

[5]www.fca.org.uk

 


 

 

Annex A

 

Request received on 8 August 2019

 

Could I please ask the following questions relating to your software
systems:

 

Finance system:

A.   Who is your current provider?

B.   When does the contract expire, and do you have extension options?

C.   What is the value of the contract?

D.   What modules do you use e.g. general ledger?

E.    What is your budget?

F.    When did the contract start?

 

Procurement system:

A.   Who is your current provider?

B.   When does the contract expire, and do you have extension options?

C.   What is the value of the contract?

D.   What is your budget?

E.    When did the contract start?

 

Invoicing:

A.   What is your current invoice process?

B.   Do you have an electronic invoicing system in place?

C.   If so, when does this expire and is there extension options?

D.   Who is the current provider?

E.    What is the value of the contract?

F.    What is your annual paper usage?

 

Annex B

 

o Section 31 (Law enforcement)

 

The qualified exemption in section 31(1)(a) of the Act applies because
disclosure of the information requested would, or would be likely to,
prejudice the prevention or detection of crime.

 

As explained in our letter, this exemption applies to the modules used for
our finance and invoicing systems, as if disclosed would, or would be
likely to, prejudice the prevention or detection of crime as disclosure
would enable criminals to draw conclusions about our cyber security
capability and in turn, may encourage them to launch cyber attacks on our
systems.

 

This exemption is qualified and we have balanced the public interest for
and against disclosure as required by the Act.

 

For disclosure

 

· There is a strong public interest in favour of transparency
and in the public being reassured that we are taking the necessary
precautions to ensure that our information systems, some of which hold
information on the firms and individuals that we regulate, are secure and
safe from cyber attacks.

 

Against disclosure

 

· There is a strong public interest in the FCA being able to
keep their systems safe and secure from cyber-attacks to ensure our role
as financial regulator is not compromised.  As disclosure of this
information would be valuable to a malicious actor in the targeting of
cyber-attacks against the FCA, specifically it would allow them to use
specific vulnerabilities against our systems.

 

On this occasion, we have concluded that the balance of the public
interest is in favour of maintaining the exemption under section 31 of the
Act, for the reasons set out above.

 

o Section 43 (Commercial interests)

 

Section 43(2) of the Act provides that information is exempt if its
disclosure would, or would be likely to prejudice the commercial interests
of any person (including the public authority holding it).

 

The exemption in Section 43 is qualified and we have balanced the public
interest for and against disclosure as required by the Act.

 

For disclosure

 

•        There is a strong public interest in the public being able to see
and potentially scrutinise how much the FCA is spending on services.

 

Against disclosure

 

•        Disclosure is likely to undermine the FCA’s commercial interests
as to disclose the information requested could adversely impact our
position in future negotiations with suppliers or procurement exercises
with similar specifications.

 

•        The commercial interests of the suppliers involved is likely to
be harmed by such a disclosure as this may affect the suppliers’ ability
to negotiate with other potential future customers.  Further, disclosure
could potentially provide an unfair advantage to competitors of these
suppliers when bidding for work with both the FCA and other commercial
entities.

 

On this occasion we have concluded that, for the reasons set out above,
the balance of the public interest is in favour of not disclosing
information set out above.

 

 


References

Visible links
1. https://www.fca.org.uk/firms/fees
2. https://www.fca.org.uk/firms/fees/online...
3. http://www.ico.org.uk/
5. http://www.fca.org.uk/
6. https://twitter.com/TheFCA
7. https://www.linkedin.com/company/financi...