Security and compliance

In the UK, OakNorth Bank is authorised by the Prudential Regulation Authority (PRA) and regulated by both the Financial Conduct Authority and the PRA. As a regulated financial institution, we take security and compliance extremely seriously and both have been built into the DNA of the organisation from day one.


We take a top-down approach to security and compliance. Our security and compliance programs are sponsored and closely monitored by our executive leadership and we have put several governance mechanisms in place to make sure every member of the team understands their responsibility.


Our Information Security Management Systems are certified against the requirements of the ISO 27001 standard. As part of the certification, OakNorth’s control environment is assessed by a third-party independent auditor on an annual basis.

To provide increased assurance on our internal control environment and to make the due-diligence for our partners less burdensome, we are working towards completing the following compliance programs: ISAE 3402, SOC 1, 2 & 3, ISO 27017, ISO 27018, ISO 22301 and CSA STAR.

We understand that our partners need to fulfil their own audit and regulatory requirements. To help them with this risk management process, we provide them with insights into some of our key security and compliance procedures. Our partners can also approach their account manager if they need any help performing such assessments.

Data privacy

Our platform offers a strong baseline of controls that safeguards the security of all personal information stored and processed on it.

Our partners are responsible for complying with applicable compliance laws and regulations with regards to protecting customer data in their respective markets and are likely to have their own internal mechanisms to implement such measures. Our platform offers security features, legal agreements, and other functionality to support client compliance. For example, we give our partners ownership and control over their content by allowing them to manage where their borrower-related information will be stored, how will it be secured in transit or at rest, and who can access it.