A compliance round-up from the team at Protiviti
End of Year (November/December) Edition
2019: From Conduct and Governance to Technology and Operational Resilience, there was plenty going on
There were many obvious predictions at the beginning of 2019: the slowdown in new European regulation, the cost of Brexit implementation, the increased focus of enforcement especially around financial crime, data privacy and cybersecurity, and the further shift towards individual accountability.
What did happen? As expected, there was no great wave of regulatory reform and regulators took practical approaches for new requirements, such as extending the deadline for implementing Strong Customer Authentication. The emphasis on culture and consumer protection continued, most obviously through focusing on product pricing and transparency, with new Banking: Conduct of Business Sourcebook (BCOBS) rules from the Financial Conduct Authority (FCA) on disclosure of charges and the interim report by the FCA on its market study into general insurance.
The Senior Managers and Certification Regime (SMCR), designed to hold leaders accountable for their decisions and to drive cultural changes at board level, was extended to include a broad range of firms regulated by the FCA such as asset managers, IFAs, insurance brokers and those who arrange credit – and the FCA has committed to include benchmark administrators in a further extension of SMCR due for implementation by late 2020. The team at Protiviti expect to see individuals increasingly held to account by supervisors as SMCR becomes embedded. This could be as a result of failings across the Handbook or from a specific conduct event.
Operational Resilience has developed as a priority area of risk. The Treasury Committee report on IT failures in financial services urged regulators to start holding firms increasingly to account for IT failures and outages and to address the issue of concentration risk with outsourced service providers. We mention below the flurry of activity in December relating to operational resilience and outsourcing using the cloud. The team at Protiviti also expect to see this as a key regulatory workstream in 2020 as firms move to ensure that their systems are fit for purpose. The Protiviti team consider that Operational Resilience will sit alongside Financial Resilience as a key part of the regulatory framework.
Brexit slowed down the regulators’ policy work. Resources were diverted to update policy for a no-deal Brexit. However, the regulator’s enforcement work did not slow down, with the cost of enforcement fines up from the previous year. The FCA also now reports on whistleblowing, showing an increasing trend of holding firms to account for potential misbehavior.
Protiviti also observed an increase in the regulators’ interest in Environmental, Social and Governance (ESG) issues. 2020 will surely provide clarity on how they will expect firms to change their organisation and interactions with customers to accommodate these issues.
Leaders of organisations in virtually every industry, size of organisation, and geographic location are reminded all too frequently that they operate in what appears to many to be an increasingly risky global landscape. We expect the regulatory focus for 2020 to be framed by global economic and political themes. This is underlined by the results from our annual Executive Perspectives on Top Risks 2020 survey. Reflecting the views of executives across industries, talent and culture risks alongside technology and innovation risks dominate the top 10.
We wish you a happy holiday season and increased certainty for the new year!
Bernadine Reese, Managing Director, Risk & Compliance
Conduct & Governance
SMCR extended to 47,000 financial services firms
The Senior Managers and Certification Regime (SMCR) was finally extended to include solo regulated firms by the Financial Conduct Authority (FCA). The SMCR encourages greater individual accountability and sets a new standard of personal conduct in financial services by:
- ensuring senior managers are accountable for conduct in their areas of responsibility
- ensuring a minimum standard of behaviour for everybody working in the sector through Conduct Rules
- enhancing professionalism in the industry by requiring firms to certify that their staff are fit and proper
Source - FCA
FCA: CP19/31: Extending the Senior Managers Regime to benchmark administrators
The FCA intends to extend the SMR to benchmark administrators next year, on 7 December 2020. This CP proposes that all benchmark administrators are automatically classified as “Core” firms under the regime, which means that they will have to apply up to four SMFs and allocate two prescribed responsibilities to the relevant senior managers. The conduct rules will apply, but the FCA is proposing to tailor the conduct rules for certain commodity benchmark administrators. The FCA is not proposing to apply the certification regime to benchmark administrators. Responses to the consultation are required by 28 February 2020.
Source - FCA
ESMA consults on position limits in commodity derivatives
The European Securities and Markets Authority (ESMA) has launched a Consultation Paper on position limits and position management in commodity derivatives. The Consultation Paper forms part of the review ESMA is obliged to perform under MiFID II, together with the European Commission (EC), on the impact of position limits on liquidity, market abuse and orderly pricing and settlement conditions in commodity derivative markets. It seeks stakeholders’ views on some proposed amendments to the legal framework. Stakeholders can provide feedback by 8 January 2020.
Source - ESMA
FRC: Providing assurance on client assets to the FCA
The revised standard on client assets reinforces the importance of ethical requirements, particularly those relating to independence, for auditors. It stresses that CASS auditors must accept or continue a Client Asset Engagement only when they:
- have reason to believe that all relevant ethical requirements, including independence, will be satisfied;
- are satisfied that those who are to perform the engagement, including the CASS engagement leader, have had appropriate training and will have the appropriate competence and capabilities; and
- are satisfied the basis upon which the engagement is to be performed has been agreed between the CASS auditor and the firm, including the CASS auditor’s reporting responsibilities to the FCA and also the reporting (as set out in paragraph 135) of the most significant matters requiring attention, in the auditor’s professional judgment, to those charged with governance.
Source - FRC
National Crime Agency (“NCA”) 2019 report reveals increase of over 50% in consent SARs
According to the NCA's Suspicious Activity Annual Report 2019, the number of SARs has continued to increase, with a 3% increase in the number of SARs received between April 2018 and March 2019. The amount of money denied to criminals also increased significantly; over £131m was restrained following refused Defence Against Money Laundering SARs (a 153% increase). The reason for the increase in the amount of restrained funds is believed to be the introduction of Account Freezing Orders and the extension of the moratorium period by the Criminal Finances Act 2017.
Reports from lawyers and accountants remain low, but the Financial Intelligence Unit (FIU) is seeing increased reporting from challenger banks and Fintech companies.
Source - Regulations Tomorrow
UK’s exit from the EU delayed
The FCA has extended the date by which firms and funds should notify it for entry into the temporary permissions regime (TPR) to 30 January 2020. Fund managers will have until 15 January 2020 to inform the FCA if they want to make changes to their existing notification. However, firms should continue to comply with existing regulatory requirements, including those relating to MiFID transaction reporting and EMIR trade reporting requirements.
Source - FCA
Statement on MiFID II inducements and research
The US SEC has extended its staff ‘no action letter’, which addresses the potential conflict between US regulation and MiFID II, until 3 July 2023. The existing relief was due to expire on 3 July 2020.
During the remainder of the current period and the extended period of the no-action relief, broker-dealers subject to the US regime may receive payments for unbundled research from firms subject to MiFID II or equivalent rules of EU member states without being considered an investment adviser under US law. This will also apply to UK firms in the event of EU withdrawal before or during the extended period.
Source - FCA
FCA statement on UK EMIR validation rules
The FCA has published an updated statement on the reporting of derivatives under the UK EMIR regime in a no-deal scenario. The statement explains that in the event that the UK withdraws from the EU without an agreed deal on 31 January 2020, UK reporting counterparties and trade repositories (TRs) should use the UK EMIR validation rules when submitting derivative transactions entered into from 11:00pm on 31 January 2020 onwards.
The FCA will be responsible for the registration and ongoing supervision of TRs operating in the UK post-Brexit. Counterparties operating in the UK will be required to report details of their derivative trades to an FCA-registered TR. The FCA will also require UK TRs to provide UK authorities access to data reported to them by UK counterparties. The FCA has decided not to grant transitional relief in relation to these requirements.
Source - FCA
Technology and Operational Resilience
FSB report on third-party dependencies in cloud services
The Financial Stability Board (FSB) published a report on the financial stability implications of third-party dependencies in cloud services. In the report, the FSB provides an overview of the financial stability benefits and risks of reliance on cloud services. It considers the types of third-party dependencies, the features of cloud services markets and models and potential benefits and risks. It also sets out a stocktake of standards and practices applicable to third-party risk, including general outsourcing guidelines, cloud service specific guidelines, and current and future work in this area.
Source - FSB
PRA: CP30/19: Outsourcing and third party risk management
The PRA’s CP sets out proposals for modernising the regulatory framework on outsourcing and third-party risk management. Responses are required by 3 April 2020. The appendix to CP30/19 contains a draft supervisory statement on outsourcing and third party risk management, which sets out the PRA's expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third party risk management. The PRA's proposals aim to:
- Complement the policy proposals set out in its consultation paper on operational resilience: impact tolerances for important business services (CP29/19), which was published alongside CP30/19.
- Facilitate greater resilience and adoption of the cloud and other new technologies, as set out in the Bank of England (BoE) response to the June 2019 report on the future of finance
- Implement the EBA guidelines on outsourcing arrangements
- Take into account the draft EIOPA guidelines on outsourcing to cloud service providers and the EBA guidelines on ICT and security risk management
Source - BOE
The FCA, PRA and BoE issue consultations on strengthening operational resilience in financial services sector
The FCA, PRA and Bank of England (BoE) published a shared policy summary and co-ordinated consultation papers on new requirements to strengthen operational resilience in the financial services sector. The proposals develop and expand on the ideas set out in the supervisory authorities' July 2018 joint discussion paper. The proposals also include requirements to map and test important business services to identify vulnerabilities in their operational resilience and drive change where it is needed. The consultation papers all close to responses on 3 April 2020.
Source - BOE
The FCA: Speech by Megan Butler: The view from the regulator on operational resilience
The FCA’s Executive Director of Supervision – Investment, Wholesale and Specialist, Megan Butler, gave a speech at the TISA’s Operational Resilience Forum in London about their joint consultation paper published on 5 December 2019 regarding operational resilience. Her speech addressed the outcomes the FCA is seeking from the new requirements and expectations that operational resilience is strengthened, so that firms “are more focused on the continuity of supply of the financial products and services that people, businesses and the wider economy rely on most, even in the event of severe operational disruptions”.
The FCA’s expected outcomes include:
- Creating a shift in mind-set, from firms prioritising their own commercial interests to considering the vulnerabilities of consumers and the financial system as a whole when making decisions.
- Firms looking forward and making decisions today that help prevent harm tomorrow and preventing operational incidents from impacting consumers, financial markets and the UK financial system.
- Firms being in a position to continue providing business services that are heavily relied on, even in the event of severe operational disruptions. Firms should have robust contingency plans in place that take into account high impact but low probability events so they are prepared for the worst.
- Firms identifying and documenting any important business services where a disruption of the service could cause intolerable harm to consumers or the financial system as a whole.
- Firms establishing their ‘impact tolerance’, which encompasses an assessment of the maximum level and duration of disruption to an important business service.
- Firms continuously taking steps to identify resilience gaps by testing their ability to withstand a severe event, and to go a step further by taking actions to ensure they remain within their impact tolerances.
Source - FCA
Speech by FCA's Nick Cook on Meeting the pace of technological change
In his speech, Nick Cook, Director of Innovation, reminds regulators of the changing landscape of the financial services sector and how important it is for them to focus on outcomes and adapt to remain fit for purpose.
He highlights that, despite being content with what the FCA has been able to achieve in terms of helping new ideas get to market more quickly and start-ups getting funding or being acquired, sectors like asset management and retirement savings are experiencing fewer offerings than others. He emphasises that although the RegTech market is growing, there is still a lot of scope for improvement. The FCA would also like to see how graph analytics, behavioural science and deep learning can be used to better model relationships, connections and behaviours in financial markets.
Source - FCA
FSB report on BigTech in finance
The Financial Stability Board (FSB) published a report assessing BigTech market developments and the potential implications for financial stability. BigTech firms are large technology companies with extensive customer networks, such as Amazon, Facebook and Google. Some BigTech firms use their platforms to facilitate the provision of financial services. In the report, the FSB analyses the provision of financial services by BigTech firms, its drivers and the implications for financial stability. It considers the nature and scale of these firms' activities in different financial services. It also examines the potential future response of traditional financial institutions and provides a qualitative assessment of the benefits and risks of BigTech activities in finance.
Source - FSB