Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

Regulated firms are required to have in place systems and controls to ensure that they comply with applicable laws and regulatory requirements. The nature of these controls and compliance programmes varies depending on the size of the firm and the regulated activities it performs.

Compliance requirements are set out in a combination of legislation, including directly applicable EU legislation, and in FCA and PRA rules and guidance. There are also a number of ways best practice may be conveyed to firms, including through ongoing supervision and as a result of thematic reviews undertaken by the FCA.


How important are gatekeepers in the regulatory structure?

In recent years there has been a heightened focus on improving individual accountability for individuals working in financial services.

Senior individuals at FSMA firms performing certain key functions have to be pre-approved by the PRA and FCA, whether pursuant to the senior managers regime or the approved persons regime, depending on the firm type (however, as discussed in question 4, the senior managers regime will be extended to all authorised firms from December 2019). These functions broadly cover roles where individuals have managerial responsibility for a firm’s affairs. Examples of individuals that need to be pre-approved include executive directors, the head of the internal audit function and the individual responsible for compliance oversight. Financial institutions are expected to perform due diligence on prospective senior managers in advance of appointing these individuals. These approved individuals are subject to FCA or PRA conduct rules.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

In addition to the high-level requirements imposed on senior managers or approved persons by the FCA or PRA, directors of financial institutions incorporated as companies in England are subject to high-level general and fiduciary duties set out in the Companies Act 2006. In particular, they are required to promote the success of the company, exercise independent judgement and exercise reasonable care, skill and diligence.

When are directors typically held individually accountable for the activities of financial services firms?

Senior managers have a duty of responsibility under the senior managers regime. The FCA and the PRA can take action against senior managers if:

  • they are responsible for the management of any activities in their firm in relation to which their firm contravenes a relevant requirement; and
  • they do not take the steps that a person in their position could reasonably be expected to take to avoid the contravention occurring (or continuing).

The burden of proof lies with the regulator to establish that a contravention has occurred and that the senior manager did not take the steps that an individual in his or her position could reasonably be expected to take to avoid the contravention occurring. The FCA and the PRA have produced separate but largely consistent guidance outlining how a senior manager should behave to comply with their duties of responsibility.

The duty of responsibility for senior managers is supported by conduct rules, which prescribe a base level of good conduct for staff. The FCA’s conduct rules in respect of individuals at firms subject to the senior managers regime are set out in the Code of Conduct sourcebook, and the PRA’s rules are set out in the Conduct Rules Part of the PRA Rulebook. The duty of responsibility will apply to all senior managers at all authorised firms when the senior managers regime is extended later this year. At present, approved persons are similarly subject to conduct rules set out in the FCA’s Statements of Principle and Code of Practice for Approved Persons. The regulators can take disciplinary action against individuals for non-compliance with the conduct rules.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

Section 138D of the FSMA establishes a statutory right for certain private persons who suffer loss as a result of contravention by an authorised firm of an FCA or PRA rule to bring an action for damages, subject to the defences for breach of statutory duty (such as contributory negligence). There is a presumption that breach of an FCA rule is actionable unless the rule states to the contrary, whereas a PRA rule must expressly provide that it is actionable.

Customers may also be able to bring claims against investment firms in contract or tort where there has been a breach of a regulatory rule or requirement, and courts may look to the scope of regulatory rules to inform the scope of common law duties owed by investment firms to clients.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

Financial services firms are subject to high-level requirements to treat their customers fairly and to act in the best interests of clients, and a high standard of care applies to financial services firms when dealing with retail customers. Categorisation as a retail client offers the most protection to customers and imposes the most requirements on financial institutions dealing with such clients in terms of communication, disclosure and transparency.

Retail clients also benefit from the additional protections offered by the Financial Ombudsman Service, a UK ombudsman that considers and settles disputes between consumers and financial services businesses, and the Financial Services Compensation Scheme, a UK compensation scheme for customers of insolvent UK financial services firms.

In addition, with effect from January 2019 the UK has introduced a ring-fencing regime around retail deposits held by UK financial institutions. The aim of this is to separate certain core banking services critical to individuals and small and medium-sized enterprises from wholesale and investment banking services, in order to insulate retail customers and smaller businesses from the possible failure of the investment banking entity.

Does the standard of care differ based on the sophistication of the customer or counterparty?

Yes. Both EU legislation (MiFID II) and the various UK regulatory regimes recognise that investors have different levels of knowledge, skill and expertise and that the regulatory requirements should reflect this.

Banks and investment firms are required to categorise clients into retail clients, professional clients and eligible counterparties. Different regulatory protections apply for each of these categories, with those falling within the retail category - the less experienced, knowledgeable and sophisticated investors - afforded a higher level of protection than investors in the other categories.

In addition, the PSRs allow payment institutions to disapply some of the conduct and information requirements set out in the regulations when dealing with certain corporate clients.

Rule making

How are rules that affect the financial services industry adopted? Is there a consultation process?

At present, rules that affect the financial services industry in the UK encompass EU legislation, formal guidance issued by certain EU bodies such as European Supervisory Authorities, UK legislation and FCA and PRA rules and guidance.

The process for adopting rules and regulations, including whether a consultation is required and the manner of that consultation, depends on the nature of the rule being adopted. Generally, though, consultations are undertaken in respect of rules that will significantly affect the financial services industry.

The way and the extent to which EU legislation will apply to or be implemented in the UK in the future will differ depending on whether the UK and the EU can conclude a withdrawal agreement before the UK leaves the EU as currently planned for 29 March 2019. If no withdrawal agreement is agreed, provisions in the European Union (Withdrawal) Act 2018 will retain most existing EU law as a new body of UK law and the UK would then decide whether to reflect post-exit changes to EU law in UK law. If a withdrawal agreement is agreed, it is likely that there would be a transition period during which EU law would continue to apply as though the UK remained a member of the EU. It is possible that the financial services industry will be affected by the terms of any longer-term free trade arrangement entered into between the UK and the EU, although such arrangements do not typically contain detailed provisions on financial regulation.