The FCA Business Plan 2017–18

The UK Financial Conduct Authority (FCA) has issued its annual business plan for fiscal year 2017–18, which sets out its cross-sector and individual sector priorities for the next 12 months. The cross-sector priorities identified are: culture and governance, financial crime and anti-money laundering (AML), promoting competition and innovation, technological change and resilience, treatment of existing customers, and consumer vulnerability and access.

The main individual sector priorities focus on the need to continue with the implementation of the Markets in Financial Instruments Directive (MiFID II); improving competition in all areas of financial services; supporting the implementation of ring-fencing in retail banking; and assessing the developing market for automated advice models (robo-advice) in the retail investment market.

This paper looks at some of the key issues arising from the FCA’s cross-sector priorities as well as the FCA’s risk outlook.

Risk Outlook

A fundamental part of the plan is the risk outlook, which identifies key trends and emerging risks that help form the regulator’s priorities for the coming year. Technological change, cybercrime and resilience are noted as major risks; however, many of the largest risks detailed in the FCA’s risk outlook are external: international events, demographic changes, the course of the UK economy, and the impact of the UK’s decision to leave the European Union (EU), commonly known as Brexit.


The FCA highlights the lack of clarity around Brexit that will potentially lead to a period of prolonged uncertainty for markets, firms and consumers. In the risk outlook, the FCA advises firms to assess the impact that a changed relationship with Europe and any changes to the regulatory regime will have on their business models. The FCA says that it is “working closely with HM Treasury and the Bank of England to ensure a smooth transfer of EU rules and legislation into the domestic framework, and ensure that the regulatory framework continues to operate without interruption following the UK’s withdrawal from the EU.”

The agency emphasises that existing financial regulation, much of which derives from EU legislation, will remain in place until the UK government and parliament make any changes, and that the FCA is continuing with implementing the EU legislation that will come into force before the UK leaves the EU. These include the Markets in Financial Instruments Directive II and Regulation (MiFID II/MiFIR); the Fourth Anti-Money Laundering Directive (4AMLD) and its amendments, commonly known as the Fifth Anti-Money Laundering Directive (5AMLD); EU Benchmarks Regulation; and the EU Payment Services Directive II (PSD II).

Andrew Bailey, chief executive officer of the FCA, has emphasised that it is important that Brexit negotiations do not lead to the relaxation of existing rules and regulations.

The FCA has identified five principles that will guide its advice to the UK government on Brexit:

  • Cross-border market access – open markets are an important enabler of healthy competition, supporting FCA objectives
  • Consistent global standards – these are vital across regions and jurisdictions in order to minimise the risks of regulatory arbitrage
  • Cooperation between regulatory authorities – a robust framework that provides for continued cooperation will be fundamental regardless of the outcomes of the negotiations
  • Influence over standards – the UK authorities should have influence over the standards that apply in the UK
  • Opportunity to recruit and maintain a skilled workforce – a diverse workforce with varied experience and the requisite expertise supports UK markets and firms that are well run and remain competitive.

Brexit is one of many change drivers affecting financial services; others include the disruptive technologies and competitive business models that the FCA refers to in its business plan, as well as continuing geopolitical uncertainty.

There remains considerable uncertainty over what political agreement will be reached (if any) relating to the UK’s exit from the EU, whether a credible phased implementation to prevent significant market disruption can be put in place, and to what extent if any UK-based firms will be able to continue to do business in the remaining 27 member states without a passport or having sufficient certainty on equivalence of regulatory requirements.

Firms should be creating risk-based scenario planning, in line with the Bank of England’s request for detailed plans by mid-July 2017, and building agility into their informed decision making so that they understand the risks to their current business strategy and the potential steps they need to take to manage or mitigate them. An obvious area of work is identifying the extent to which activity needs to be transferred before the UK leaves the EU. Analysis should include identifying the timeline for obtaining any necessary regulatory approval and related regulatory licences/permissions; the implications for the group’s capital, governance and management of regulatory/compliance risk; and the implications for its operations, technology and people.

Technology and Innovation

A major section of the FCA’s risk outlook is devoted to the impact of technology and innovation, with technological change and resilience also being called out as a cross-sector priority for the regulator.

It is clear from the business plan that the FCA recognises not just how the fast pace of technological change is bringing significant opportunity to transform many aspects of the financial services sector but that this is also bringing significant risk, particularly around cybersecurity and resilience. Our 2016 study on technology risk revealed that second line risk functions are struggling to keep abreast of these technology developments and to provide sufficient value to the organisation. Second-line technology risk practitioners need to get ahead of technological advancements such as cloud, blockchain and payment infrastructures so that they can support the business more proactively to make risk-informed decisions rather than having to react constantly to the business.

Digitalisation and Automation of Financial Markets

One of the key trends identified is digitalisation and automation of financial markets. The FCA warns that although digitalisation and automation can increase cost efficiencies for markets, firms and consumers and improve the delivery of products and services to consumers and counterparties, when it is accompanied by insufficient investment in legacy systems and poorly planned and executed IT change management plans, markets are more susceptible to disruptions, price shocks and heightened risk of successful cyberattacks.

The continued march of financial technology (fintech) companies is highlighted by the FCA both for the benefits to consumers and for the pressure it is placing on traditional financial business models and activities, for example through the introduction of alternative lending facilities and robo-advice. Existing firms may acquire or partner with third-party firms in order to benefit from these new technologies.

The FCA raises the continuing trend for using third-party providers to support cost-cutting efforts and to adopt more up-to-date services and systems. However, the FCA warns that outsourcing processes and the use of new platforms can make it harder for firms to exercise effective oversight and governance and for regulators to monitor the market.

Distributed ledger technology (DLT) is briefly mentioned, which could be used in the future to enhance some financial services. The FCA suggests DLT could be used to automate simple processes such as recording client data for know-your-customer (KYC) and anti-money laundering purposes, as well as full automation of trading, clearing and settlement across asset classes, particularly across syndicated loans, FX and OTCs, where back-office activities are often largely manual.

Smart Data and Data Analytics

The FCA notes the significant advances firms have made with capturing and processing big data to fuel data analytics programmes. The use of application programming interfaces (APIs) and decisions like the Competition and Markets Authority’s (CMA) Open Banking proposal, together with Payment Services Directive 2 (PSD2) implementation, will promote opening up access to clients’ account data. The regulator warns that firms need to ensure that they are using data appropriately and managing it effectively, especially for firms that have multiple business lines and when access to the data needs to be restricted within an organisation and protected from cyberthreats.

The FCA warns that the increased use of data and algorithms could lead to poor consumer outcomes or threaten market integrity if firms do not fully understand underlying algorithms. This greater reliance on technology poses increased operational risk for financial services firms, warns the FCA, as well as risks to market integrity. The operational risks of widespread automation – for example, loss of service and technical problems around delivery – could lead to wholesale firms being unable to transact, value portfolios or settle trades, with significant consumer harm as a result.

Existing firms that face legacy system and IT resilience issues will need to overcome these challenges to remain competitive if challenger and fintech firms take advantage of advances in artificial intelligence (AI) and growing data volumes, warns the FCA. Additionally, where firms exercise poor governance and have weak IT strategies in place, the adoption of new technologies such as cloud storage, new payment technologies, and automation that uses blockchain (e.g. back-office activities) could lead to security or structural weaknesses and increased outages.

Cybercrime and Money Laundering

Cybercrime remains a hot topic as attacks continue to increase in volume, scale and complexity. The FCA notes that the growing use of technology, particularly electronic and digital services, in firms’ business models and market infrastructure (including outsourced functions) increases cybersecurity risks and opportunities for money laundering. The high level of scrutiny on firms’ cyber-resilience and financial crime controls will remain. The FCA particularly calls out the need for firms to ensure that systems and technologies are resilient to cyberattack, and that firms are not exposed to attack during periods of IT change.

The Pace of Technological Change

The FCA shows its concern for the pace of technological change and innovation that may challenge the ability of regulators to respond adequately to the changing environment.

The regulator specifically calls out fintech services with complex value chains that could pose a risk to consumer protection and market integrity.

The issues associated with the oversight and control of increasingly complex chains of third-party relationships are reflected in the FCA’s priorities, while the technological resilience of incumbent firms will continue to be an area of focus due to the risk of disruption to financial markets. Additionally, the FCA notes that fintech firms: “may not fully understand the scope of regulation and its impact on their business model . . . [that] could lead to cases of non-compliance with our rules, which could pose risks to consumer protection and market integrity.”

FCA Cross-Sector Priorities

The FCA cross-sector priorities in this year’s business plan focus on six key areas: firms’ culture and governance, with particular emphasis on the Senior Managers and Certification Regime (SM&CR); financial crime and anti-money laundering (AML); promoting competition and innovation; technological change and resilience; treatment of existing customers; and consumer vulnerability and access.

Culture and Governance

Culture and governance continue to be a priority, primarily through the SM&CR (with a second phase timetabled in 2018). Although supervisory focus will be on how integrated the regime is on current in-scope firms, all firms should also be considering how their culture may drive inappropriate outcomes and how their strategy, practices and oversight are aligned to appropriate conduct and longer term interests of all stakeholders. Firms that resolve why it is that individuals and teams do inappropriate things when they think no one is looking will be effective in promoting strong compliance conduct at the top, middle and bottom of the organisation.

The FCA states firmly that organisations should own and manage their cultures at all levels and are responsible for identifying and managing the risks created by the drivers within their organisations. The FCA expects firms to have effective governance arrangements in place to identify, manage and mitigate risks. Senior managers and boards of directors are singled out by the FCA for the crucial role they play in delivering effective governance.

The FCA expects boards of directors to take responsibility for their firm’s culture and its key drivers and ensure that culture remains high on the agenda and that an appropriate culture is embedded throughout the firm at all levels. Senior managers need to ensure that their firm’s business processes, people and drivers of culture support and reinforce the culture they want to embed. The FCA expects firms to proactively identify and address issues when things go wrong and to demonstrate that they learn from these events.

As a result, the FCA’s focus for the coming year is on senior management accountability and remuneration and the steps firms and their senior managers take to address any risks caused by bad behaviours within the organisation. The SM&CR is designed to strengthen individual accountability; the FCA says that it expects firms and their senior managers to “apply the spirit, as well as the letter, of the regime.”

In 2017/18, the FCA will focus on how the SM&CR is integrated into the running of deposit takers and PRA-designated firms and will continue to develop its policy on designing and implementing an accountability regime for all firms under the Financial Services and Markets Act 2000 (FSMA), including further developing the regime for insurers. The FCA will consult on the accountability regime.

The FCA has already updated its Remuneration Code for dual-regulated firms (those regulated by both the FCA and the PRA) to encourage more effective risk management and better align individual decision making with good standards of conduct. The regulator will continue to review the regulatory framework that governs remuneration, including helping firms understand and implement remuneration requirements.

Firms looking for pointers on how the FCA will assess culture may be disappointed, since the FCA only reiterates that it “will continue to use a range of supervisory tools and methods to work with firms on issues relating to the drivers of culture.”

Financial Crime and AML

The continued increase of financial crime and money laundering events ensures that they remain top priorities for the FCA. In its business plan, the authority reiterates its drive to take action to prevent money laundering. “Where firms have poor AML controls, we will use our enforcement powers to impose business restrictions to limit the level of risk, provide deterrence messages to industry or both,” says the FCA. “We will generally use our civil powers, but if failings are particularly serious or repeated we may use our criminal powers to prosecute firms or individuals.”

The FCA discloses that the Financial Action Task Force (FATF) will carry out a mutual evaluation review of the UK from late 2017, adding that it will continue to review and refine its AML supervisory approach to demonstrate to FATF that arrangements are effective.

This will include assisting the Treasury with transposing the Fourth EU Anti-Money Laundering Directive (4AMLD) into UK law by June 2017, and negotiating the EU proposals to make revisions to 4AMLD to strengthen the fight against terrorism.

Under the UK’s AML Action Plan, the FCA will have formal powers toward the end of 2017 for reviewing the quality of AML supervision carried out by professional bodies such as the Solicitors Regulation Authority and the Institute of Chartered Accountants in England and Wales. The FCA will become a “supervisor of supervisors” with the establishment of the Office for Professional Body AML Supervision (OPBAS) within the FCA.

Even though the level of scrutiny of firms’ AML controls remains high, the FCA also warns against de-risking, where AML processes may exclude people “unfairly or unreasonably” from using financial services. The regulator has commissioned research into how new technology can make AML processes more efficient and less onerous for firms and customers, reduce financial exclusion, and encourage easier switching between financial services. The FCA plans to publish a report on its findings during the next 12 months.

AML technological advances are encouraging as they can result in improved efficiencies within financial crime system and control programmes and lower the long-term cost of compliance. However, there is a possibility that when costs are decreased, or if technology is not appropriately implemented, a firm’s risk exposure may actually rise. Firms have already been warned about the danger of lowering their investment in compliance in order to manage rising costs and increase profits. It is expected that the ongoing monitoring of high-risk clients will remain foremost on the regulatory agenda for many years to come. Smart investment now into intelligent systems will help lower costs and improve performance in managing financial crime risk over the longer term.

Promoting Competition and Innovation

A research paper is underway that examines how regtech can make regulatory compliance, including AML processes, more efficient and less onerous for firms and customers. The FCA is also continuing with Project Innovate – its initiative to regulate in a way that fosters the benefits of innovation, which includes a regulatory sandbox for firms to test the commercial and regulatory viability of their innovative products before launch.

The regulator plans to begin a new initiative looking at how near-real-time compliance monitoring and surveillance technologies can potentially reduce the regulatory burden.

The world of artificial intelligence and analytics, around which much of regtech revolves, is changing fast with the advent of new deployment models. A shift from apps to bots is creating the opportunity to string together a range of new capabilities to increase the level of automation within processes that were traditionally the preserve of human operators. Combining human capabilities with autonomous agents can provide a massive uplift in productivity accompanied by greater certainty that regulatory obligations are being fulfilled. Despite this perceived power of technology, individual technologies must not be seen as magic bullets. There is still a need to address people and process related issues in parallel. Technology deployed within existing processes must work alongside human operators.

Technological Change and Resilience

As has already been discussed above, technological change and resilience is a big focus area for the FCA, one that pervades almost all its priorities for the coming year, especially due to a number of high-profile attacks such as the Tesco Bank hack. The FCA is most concerned with ensuring that firms recognise that technological change is accompanied by robust processes, adequate resourcing and effective governance, while building in systems and controls to ensure ongoing resilience against cyberattacks and system failures. Specifically, the FCA is seeking to identify vulnerabilities in the design and management of systems and infrastructure, which applies both to new technologies and the weaknesses of legacy IT estates, on which many firms continue to rely. The drive to cut costs due to continued pressures on margins may lead to increased outsourcing and offshoring with resultant risks over the oversight and control of key functions and an increasingly complex chain of third-party relationships, warns the FCA.

In order to keep pace with developments, the FCA is building expertise in resilience and technology, developing and evolving its regulatory tools, and increasing engagement with individual firms and the industry. The FCA has created a dedicated team of cyber specialists to oversee the way that firms manage cyber risk and plans to introduce its practical cyber resilience toolkit to more firms during the 2017–18 business plan period. The FCA will perform technology and cyber capability assessment on 100 percent of firms considered “high impact” if disruption were to occur in the financial services sector.

Treatment of Existing Customers

Ensuring that financial services firms treat existing and closed book customers fairly is a continuing priority for the FCA this year. Following a thematic review of the insurance industry in March 2016, the FCA published guidance setting out its expectations that firms should proactively identify poor outcomes for back book consumers and take steps to address them. The FCA is concerned that tougher economic conditions may lead to firms seeking to “manage” back book customers into more expensive/default products.

The regulator is focused on ensuring that switching accounts is made more simple in banking as well as in the pensions sector. The FCA is committed to working on a strategic review of retail banking business models. Ideally, the authority would like to see a greater choice of products, easier comparison between products and services, and ease of switching.

Many firms have significant amounts of back-book that are expensive to service and administer. The commercial pressure to save costs means that firms must have robust controls in place to ensure that the rights and reasonable expectations of affected customers, especially vulnerable customers, are not undermined. This means firms may need to extend their current product governance arrangements to deal with back book decisions as well as their continuing oversight of new or proposed products.

As part of the extension of responsibilities and in order to manage self-interest or conflict of interest, firms should develop criteria to be used in determining whether a back book decision is really in the interest of the customer and to determine appropriate steps to take in responding to the needs of vulnerable customers.

Content Contributed by:

Bernadine Reese
Managing Director

Peter Richardson
Managing Director

Matthew Taylor
Managing Director

Tom Lemon
Managing Director

Stuart Campbell