Summary: What do you expect your top regulatory challenge to be in 2018? We recently posed this question to hundreds of legal, risk and compliance professionals working for UK-based banks, insurers and asset management firms, and the results are in. This year's top three regulatory issues keeping the sector up at night are GDPR, the uncertainty caused by Brexit, and individual accountability under the Senior Managers & Certification Regime (SMCR).
BLP’s financial regulation group recently hosted its eighth annual Emerging Themes seminar which was attended by over 120 people. As in previous years, the seminar marked the launch of a substantial report, containing insights from the group on a wide range of developments in financial services law, regulation and compliance.
We asked all those registering for the event to respond to our survey question, "What do you expect your top regulatory challenge to be in 2018?". Results are set out in the pie chart below. Respondents from across the sector, including banks, insurers and asset managers, named their top three concerns as:
- GDPR (32%)
- The uncertainty caused by Brexit (26%)
- Individual accountability and the Senior Managers & Certification Regime (19%).
GDPR
The most fundamental reform to data protection law across the EU in 20 years looks set to herald an era of sharper regulatory enforcement and a bolstering of individuals' data rights. Data protection authorities will have considerably more substantial sanctions at their disposal, with fines of up to €20m or 4% of annual global turnover (whichever is higher) on an unprecedented scale, and a broader palette of obligations and rights to police.
In some respects financial institutions are better placed to face and adapt to a further layer of regulatory complexity and governance, being more likely to have a sophisticated and mature compliance framework and an acceptance of regulatory compliance as a fundamental cost of doing business. At the same time, many banks and other regulated businesses are only now emerging from the latest round of regulatory changes, not least MiFID II, so any existing compliance resources are likely to be already stretched. According to estimates by the International Association of Privacy Professionals (IAPP) and EY, Fortune 500 companies expect to spend a combined $7.8bn to comply with the GDPR, equating to an average of around $16m each.
With the 25 May deadline for compliance approaching, there remains a regrettable lack of clarity around how practically to interpret many of the GDPR's requirements. How will the long-arm territorial scope provisions apply in practice to non-EU entities? What will be sufficient in the way of internal records of processing to meet the Article 30 obligation? Do the full processor clauses in Article 28 have to be bolted into every processing relationship, or can something more proportionate be acceptable? How far do firms need to go when it comes to communicating the necessary "transparency" of processing (with current draft guidance suggesting every non-EEA recipient country should be listed)?
Some organisations have been engaged on preparing for the GDPR for two years; others are starting to address it only now. The common experience appears to be that, at whatever stage an organisation may be at, there is still scope to be surprised at the breadth and depth of the impact of the GDPR on operations, external relationships and internal practices.
The uncertainty caused by Brexit
Unsurprisingly, this continues to be one of the greatest concerns for our clients who currently rely on either cross-border services or branch passports to provide financial services into other EEA states. The main difficulty is the disconnect between the Government's perception of what is required and the reality of running a financial institution that operates on a cross-border basis.
Sam Woods, CEO of the PRA, has aptly described the proposed transitional agreement between the EU and the UK as a "wasting asset", which loses value the longer it takes to agree. For financial institutions, this is particularly true. Until a transitional agreement preserving the status quo for cross-border trade in financial services between the UK and the EU becomes a certainty, firms cannot plan on the basis of it. With slightly over a year to go before the UK leaves the EU on the current timetable, most firms are now deciding that they have no choice but to start implementing their contingency plans for a "hard" Brexit, given that regulatory authorisation applications in most jurisdictions take at least a year to process. The fact that this may well turn out to be an unnecessary use of time and money (if a transitional agreement is ultimately agreed before the exit date) does not help firms feel any more cheerful about this dreary and time-consuming exercise.
Incoming firms (i.e. EEA financial institutions providing services into the UK using their passporting rights) received some welcome clarity just before Christmas with the announcements from the Treasury and the regulators that, unless EEA branches are undertaking significant volumes of retail business, they will be allowed to continue their UK operations on a third country branch basis, rather than being required to subsidiarise (which would be much more capital intensive, and in practice would cause many EEA branches in the UK to close). The principal remaining uncertainties for incoming firms are (1) exactly what the regulators will require from them in terms of “pre-application documentation” (which some of our clients are being asked for) in order to secure their place in the authorisation queue, and (2) whether the regulators will actually manage to process all of the branch authorisation applications in time. The PRA in particular currently seems confident on this point, but we predict that the last three months of the UK’s membership of the EU will be a tense time for firms whose pending third country branch authorisation applications are still outstanding. The back of the queue will be an uncomfortable place to be.
For outgoing firms, there seemed to be less uncertainty after the referendum: it was clear, at least, that by setting up a hub in a remaining EEA jurisdiction, they would be able to continue to service their EEA clients on a cross-border basis. However, there is now greater uncertainty for these firms as a result of the widespread commentary - including from the European Supervisory Authorities themselves - about the need for harmonisation of the requirements for authorisation across the remaining member states in order to avoid “regulatory arbitrage” by regulators seeking to entice UK financial institutions within their borders. UK firms looking to preserve their ability to carry out cross-border trade with EEA jurisdictions post-Brexit are finding that it is relatively easy to work out what, as of today, they need to do to set up authorised subsidiaries in other EEA jurisdictions, but it is simply impossible to work out what the answer to these questions might be in, say, three years’ time.
The only silver lining we can see is the prospect (raised at this week’s seminar by our keynote speaker, the Deputy CEO of the PRA, Lyndon Nelson) that, following Brexit, the UK regulators will be forced to reintroduce the competitiveness of UK financial markets as a factor to be taken into account when making regulatory policy. In our view, however, this potential silver lining is not particularly shiny. Any form of deregulatory agenda in the UK is likely to be very difficult to pursue in practice, given the likelihood that any final UK-EU trade agreement will be heavily based upon an expectation of regulatory equivalence.
Individual accountability and the Senior Managers & Certification Regime
Almost two years after the commencement of the Senior Managers and Certification Regime (SMCR) for banks and PRA-designated investment firms, we are beginning to see an uptick in FCA enforcement investigations under SMCR, as individual accountability remains a key focus area for the FCA.
Originally, the SMCR was due to be extended to all regulated financial services firms later this year. However, the FCA published consultation papers just before Christmas which make it clear that it expects that the new rules will apply to insurers from late 2018 and all other authorised firms from the second half of 2019.
The FCA is proposing a staggered, two-phase introduction of the new regime:
- Initial commencement date – this is when the changes for Senior Managers will come into force, together with the application of the new Conduct Rules to Certification Staff (who will need to be identified and then trained before the initial commencement date).
- 12 months from the initial commencement date – this is when the Conduct Rules for all other staff, such as HR and Compliance, will come into force. There is a parallel requirement to provide training to Conduct Rules Staff and a requirement for firms to certify Certification Staff as fit and proper for the first time.
Accordingly, insurers need to start preparing for the new regime immediately. In the case of other firms, our advice would be to start work on your implementation project later this year. Our experience helping the banks to implement the regime shows that certain aspects take far longer than you might expect – for example, getting people to agree who will formally assume which ‘prescribed responsibilities’ and getting everyone to agree to what should be included in their Statement of Responsibilities and, for ‘enhanced firms’, their Management Responsibilities Map.
The Certification Regime will also have a major knock-on effect on many of your firm’s HR policies and processes. In particular, firms will need to identify which members of staff will need to be certified and provide them with training on the Conduct Rules that is tailored to their specific functions (bearing in mind that many Certification Staff are not Approved Persons under the current regime). Firms also need to start devising a process for carrying out ‘fit and proper’ assessments and getting all the certification paperwork in place. This is likely to require some material changes to appraisal processes, staff referencing policies and employment contracts.
With all of this in mind, our top tip is to assemble a suitable project team (comprising Compliance, Legal, HR and the Business) and get it thinking about these issues as soon as you can.
Financial Regulation 2018: A practical look at the year ahead
Download a copy of the 2018 report for more on these topics and over 20 practical articles on other subjects, including MiFID II, Fintech, AML, Competition and legal privilege.