CII Diploma · R01: Financial Services, Regulation & Ethics · Unit 07
Record Keeping & Reporting
Prepare for Record Keeping & Reporting with CII Diploma practice questions covering 1 topic. Part of R01: Financial Services, Regulation & Ethics. Build your knowledge and track your progress with CII Prep.
What's in it
1 topic
Topic 01: Record Keeping & Reporting (39 questions)
Sample questions (3 of many)
A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.
A firm retains suitability reports for 5 years and then deletes them to save storage costs. A client complains 7 years after advice was given about a pension product that they say is unsuitable. What is the firm's regulatory and legal position?
- The firm may have complied with the 5-year COBS minimum, but FCA guidance indicates pension advice records should be kept much longer; the deletion creates evidential and practical difficulties in defending the complaint (Correct answer)
- The firm is fully protected because it complied with the 5-year minimum retention period and no further obligation exists
- The 5-year minimum is irrelevant — firms must retain all records indefinitely as long as clients may still complain
- The firm must pay the claim automatically because it cannot produce evidence of the suitability assessment
Explanation: COBS 9.4.7 sets 5 years as the minimum retention period for suitability reports, so the firm has technically met the minimum. However, FCA guidance notes that for pension products records should be retained much longer; in practice, retaining them until the client reaches age 100 is treated as the industry standard, and the COBS record-keeping rules themselves require records relating to pension transfers, pension opt-outs and FSAVCs to be kept indefinitely. The FOS can consider a complaint brought within 6 years of the event complained of or, if later, within 3 years of the date on which the complainant became aware (or ought reasonably to have become aware) that they had cause for complaint, so a pension mis-selling complaint arriving 7 years after the advice may well be in time. A firm that has deleted the suitability assessment cannot show what was recommended or why, which is a serious practical and evidential problem even though it is not an automatic admission of liability. This is a judgment question about best practice versus minimum compliance.
What rights do individuals have under UK GDPR in relation to solely automated decision-making that produces significant effects?
- The right to contest automated decisions applies only to decisions made by public authorities, not private firms
- Individuals have the right not to be subject to solely automated decisions that produce significant legal or similarly significant effects; they can request human intervention, express their view, and contest the decision (Correct answer)
- Individuals have the right to opt out of automated processing before it occurs but not to contest decisions after the fact
- Individuals have the right to be informed of automated decisions but no right to challenge them
Explanation: UK GDPR Article 22 gives data subjects the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them. The right does not apply where the decision is necessary for entering into or performing a contract with the data subject, is authorised by law, or is based on the data subject's explicit consent. Where the contract or explicit-consent exception is relied on, the controller must put in place suitable safeguards, which must include at least the right to obtain human intervention, to express their point of view and to contest the decision; where the decision is authorised by law, that law must itself provide suitable safeguarding measures. In financial services, fully automated credit scoring or suitability scoring could engage this right, so a firm relying on such a process needs a documented route to human review built into it.
A firm suffers a data breach exposing client bank account numbers and sort codes to an unauthorised third party. Should the firm notify the ICO, and should it also notify affected clients?
- ICO notification only; individual notification is not required unless clients have already suffered financial loss
- Individual client notification only; the ICO is notified automatically via the firm's regulatory reporting system
- Yes, both notifications are likely required: the ICO within 72 hours (as the breach creates a risk of financial fraud); and affected clients without undue delay because of the high risk of financial harm (Correct answer)
- ICO notification within 72 hours; individual notification is only required if the data was sold on the dark web
Explanation: Bank account numbers and sort codes in the hands of an unauthorised third party create a genuine risk of financial fraud (for example, fraudulent direct debit instructions or account takeover attempts). That meets the Article 33 threshold for notifying the ICO: a personal data breach that is likely to result in a risk to individuals' rights and freedoms must be reported without undue delay and, where feasible, not later than 72 hours after the firm becomes aware of it; if notification is made later than that, the reasons for the delay must be given. The same facts also meet the higher Article 34 threshold of a high risk to individuals, so affected clients must be told without undue delay, in clear and plain language, so that they can take protective steps such as monitoring their accounts for unexpected transactions. Whether or not a breach is notifiable, Article 33(5) requires the firm to document it, including its effects and the remedial action taken; a decision not to notify must itself be recorded and defensible.