Monday, March 02, 2026

Financial Reporting Council ...

What is the Financial Reporting Council?

The Financial Reporting Council (FRC) is the UK’s independent regulator of corporate governance, financial reporting, audit and the actuarial profession. In 2019, amid criticisms over the body’s performance, the government decided to replace the FRC with a new Audit, Reporting and Governance Authority (ARGA). But the government reversed this decision in January 2026, despite introducing the necessary legislation in the King’s Speech in 2024.

What does the FRC do?

The FRC was originally established in 1990 with the principal aim of promoting best practice in financial reporting.1  Over time, its remit has expanded, and its stated purpose is now to serve the public interest by setting high standards of corporate governance, reporting, auditing and actuarial work, and by holding to account those responsible for delivering them.2  In practice, its main work is in overseeing the audit, accounting and actuarial professions, and corporate governance.

The FRC sets the eligibility criteria, and technical and ethical standards, for those approved to carry out the statutory audit of an organisation’s annual accounts in the UK.3  It also maintains, or requires others to maintain, various registers including of those approved to audit public interest or local bodies.4

It also issues accounting standards and clarifies conflicting interpretations of those standards. It oversees self-regulation conducted by various professional accounting bodies and monitors compliance with accounting and legal requirements, for example when companies issue directors’ reports.5  Its accounting standards are also applicable in Ireland.6

The FRC’s role is similar for the actuarial profession – setting standards, overseeing professional bodies and providing an independent investigation and discipline scheme for matters potentially affecting the public interest.7

Finally, it oversees corporate governance by setting and monitoring the UK Corporate Governance Code (which applies to companies listed in the UK and Ireland) and the Stewardship Code (which applies to institutional investors in the UK).8

What enforcement powers does the FRC have?

The FRC relies on a combination of statutory powers and non-statutory agreements with various other organisations – especially professional bodies – to achieve its aims. In some areas, particularly oversight of the actuarial profession and local authority audit, its concrete powers have been described as “limited or even non-existent”.9

It has powers to investigate misconduct by statutory auditors or audit firms and can impose sanctions ranging from a public statement that a breach has been committed to financial penalties and prohibitions from working.10  It can also take action against members of the professional accounting bodies – individuals or firms – as well as individual actuaries who are members of the Institute and Faculty of Actuaries (IFoA). But the FRC currently has no powers to investigate, take enforcement action or impose sanctions on individuals, including directors, who are not members of these bodies, and its jurisdiction over actuaries relies on agreement with the IFoA.11

How is the FRC structured?

The FRC is a company limited by guarantee,12 but is also classified as an executive non-departmental public body of the Department for Business and Trade,13 and since 2019 its board members have been appointed by the business secretary.14 It is funded through obligatory contributions from professional bodies and voluntary contributions from private companies, pension schemes and insurance companies.15

What is the future of the FRC?

Following high-profile auditing and accounting scandals including the collapse of Carillion, the FRC was heavily criticised by the business select committee, which said that its “weak response” contributed to a “crisis of trust in audit”.16

An independent review by Sir John Kingman in 2018 found it to be “an institution constructed in a different era – a rather ramshackle house, cobbled together with all sorts of extensions over time” and highlighted its lack of a strong statutory foundation and limited powers.17  The review recommended creation of a new regulator with a clearer sense of purpose and stronger powers.

This recommendation was adopted by the then Conservative government in March 2019,18  but despite introducing the required primary legislation in the King’s Speech in 2024, the Labour government decided in 2026 not to proceed with establishing the ARGA. In part, this reflected reforms already implemented by the FRC in the intervening period.19  These reforms have included clarifying its purpose, changing its senior team, increasing its headcount and developing closer relationships with stakeholders who can help it to achieve its objectives.20

However, the FRC still lacks certain powers that can only be strengthened through legislation. For example, it can only take enforcement action against company directors who are members of the accountancy profession and it cannot regulate most non-listed companies, or promote competition in the statutory audit market. In addition, 40% of its income is still derived from voluntary contributions.

The government says it “will still look to put the Financial Reporting Council on a proper statutory footing, as soon as parliamentary time allows.”21  But it is not yet clear when this will be.

More - 
https://www.instituteforgovernment.org.uk/explainer/financial-reporting-council

Is Data Still ‘Personal’ If The Recipient Cannot Identify The Data Subject?
Data protection practitioners know that the first question to ask when considering their organisation’s data protection obligations in relation to any data is: “Is it personal data?” 

The Court of Appeal recently handed down a decision which gives useful judicial guidance on the definition of ‘personal data’ under UK data protection law and the responsibility on organisations to keep personal data secure.    

DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140 is concerned with events from 2017 and 2018 when the old Data Protection Act 1998 (DPA 1998) was in force. As such the judgement is persuasive rather than binding on UK courts when deciding on issues under the current law, namely the UK GDPR and Data Protection Act 2018.

The background to the case is that, in 2017, DSG Retail Limited (the parent company of Dixons and Currys PC World) (DSG) suffered a cyberattack targeting point-of-sale systems in all its shops. Over a nine-month period, attackers deployed malware to scrape transaction-level card data and attempted to exfiltrate the captured information. More than 5.6 million payment cards were affected, though for the majority the captured data consisted only of the 16-digit payment card numbers and expiry dates (together referred to as ‘EMV data’). Crucially, the attackers did not obtain any information that could directly identify the cardholders.

In 2020, the ICO fined DSG £500,000 for breach of the data security principle. This was the maximum fine under the DPA 1998. There then followed a series of appeals. The First Tier Tribunal (FTT) upheld the ICO’s findings but reduced the fine by half.

The Upper Tribunal (UT), in setting aside the FTT’s decision, held that the data security principle under the DPA 1998 applies only to ‘personal data’, i.e. information about living, identifiable individuals. The data in question, EMV data, did not constitute ‘personal data’ from the attackers’ perspective because the attackers could not link it to specific individuals. As a result, the UT held that DSG did not have any security obligations with respect to such data.

Following an appeal by the ICO, the Court of Appeal (CoA) has now overturned the UT’s ruling. The CoA held that the Data Controller (in this case DSG) is required to comply with the data security principle under the DPA 1998 with respect to data that is ‘personal’ from the perspective of the Data Controller, regardless of whether the data might not be personal ‘in the hands of’ or ‘from the perspective’ of any other person.

The CoA considered it implausible that (absent an explicit statement) Parliament intended to limit the scope of the data security duty so that a Data Controller would have no obligation to protect some parts of the data provided by the Data Subject. The CoA also noted the potential consequences of a contrary reading: there would be no obligation for the Data Controller to protect data when a third party would be unable to identify the Data Subject from that data. In the Court’s view, third-party interference with data, even where the attacker is unable to identify the Data Subjects, can still be harmful. Moreover, the Court found it impractical to put Data Controllers in a position where, in determining their data security obligations, they would need to assess whether attackers could re-identify individuals via ‘jigsaw’ techniques.

The case will now return to the FTT to apply the Court of Appeal’s interpretation of the law to the facts of the DSG cyberattack. 

More - 
https://actnowtraining.blog/2026/03/02/is-data-still-personal-if-the-recipient-cannot-identify-the-data-subject/