MiFID II – Are you ready?

The wide-reaching reform of the MiFID II will go live across Europe on 3 January 2018. The reforms are ambitious, aimed at strengthening investor protection and increasing transparency. Firms will be required to produce and report more data, disclose more to clients and provide a higher level of protection, in particular to professional clients.

The FCA has indicated that there is no intention to take enforcement action against firms for not meeting all requirements on day one, provided that firms have made a "real or genuine" attempt to be ready for the reforms. This is welcome news for firms who are focussing on finalising and implementing new internal processes.

There is one exception to this regulatory forbearance – namely, the implementation of the new rules on transaction reporting and trade transparency. We expect to see increased supervision in this area from the outset.

One of the more controversial reforms is the "unbundling" of payments for research provided to portfolio managers and investment advisers. Research must now either be paid for directly out of the manager's or adviser's P&L, or a separate research payment account must be set up. Market view as to the preferred approach will likely settle over the course of 2018 – but expect to see fragmentation over the source of research as the quality and purpose of research is scrutinised.

Move towards Brexit

Britain's exit from the EU will continue to draw significant attention on the local and international stage. Triggering Article 50 was the catalyst for several rounds of negotiations between the UK and EU, with more to come in 2018. A key milestone next year will be the decision that "sufficient progress" has been made in the negotiations: only then can talks on the nature of any future relationship between the UK and EU begin.

The European Union (Withdrawal) Bill (which will end the Court of Justice of the European Union's (CJEU) supremacy and prepare for transition) was published in July 2017 and will continue its progression through Parliament. Despite several false starts, the intent is still that the Bill will receive Royal Assent in 2018 ahead of the UK's exit in 2019.

European financial authorities (including the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)) have published various papers setting out principles on their post-Brexit supervisory approach, including relocations. So far we have seen particular focus on delegation and the use of "letter-box" entities, ie legal entities which give access to the single market while retaining substantive activity in London. While there is a risk that these papers (particularly on the Alternative Investment Fund Managers Directive 2) show a potential statement of intent for hardening rules on delegation in future legislation, this must be balanced against the risk that the EU cannot penalise the UK without it impacting relations with other third countries.

In the absence of clear decisions, we expect firms' contingency planning will continue apace based on the worst-case scenario: that on the day Britain exits there are no transitional arrangements in place for business to continue as normal. While this will no doubt fragment the financial services industry, it remains to be seen whether there will be a mass exodus from London.

Distributors of insurance products in the EU have not escaped the suite of reforms scheduled to come into effect in 2018, with the Insurance Distribution Directive (IDD) due to take effect from 23 February 2018.

The IDD rules are just the minimum level of regulation that each EU member state must implement, but the changes from the existing European regime are significant. Key changes affecting distributors include:

  • some distributors will be subject to financial services regulation for the first time – for those firms, it will be back to basics, starting with registration with the relevant regulator. This will also mean a significant increase in the number of regulated firms – from less than half (48%) to almost all (98%) distributors of insurance products in the EU;
  • new rules on governance, systems and controls, and knowledge requirements;
  • a requirement to issue a document known as the insurance product information document (IPID) when non-life insurance products are sold. The rules surrounding IPIDs are prescriptive, and we expect to see many distributors embarking on a sizeable project to ensure compliance. Providers of insurance-based investment products will also be required to provide customers with key information documents in line with other types of retail investment products;
  • additional disclosures which must be made during the sales process. To add to the complexity, some disclosures (including relating to conflicts of interests and cross-selling) will apply to all insurance products, while others will apply only to those that are investment based (such as risks associated with investment and certain information on costs and related charges).

The big question in the short term, however, is whether the calls from some vocal distributors to defer the commencement of the IDD will delay the commencement of the new regime.

GDPR: Data protection launches into the 21st Century

Data in our digital economy has evolved significantly since 1995 when the existing EU Data Protection Directive was established. Reform was long overdue. The EU's tool of choice to bring data protection into the 21st century is the EU General Data Protection Regulation (GDPR). The GDPR came into force on 25 May 2016 and will apply with direct effect to all EEA countries from 25 May 2018; it will replace the Data Protection Act 1998 in the UK. GDPR standards are expected to continue to apply to the UK post Brexit through a combination of the new Data Protection Bill and the so-called "Great Repeal Bill".

The GDPR aims to harmonise data protection, privacy and security procedures and enforcement across the EU, enforce existing good practice and introduce stricter requirements around the handling of personal data and cyber security. Significantly increased penalties and sanctions for non-compliance, with maximum fines of up to €20 million (£17 million) or 4% of annual worldwide turnover (whichever is greater) for certain breaches, dwarf the maximum penalty of £500,000 under the current regime.

The GDPR has a far wider reach than the existing EU Directive – it will apply to all organisations established in the EU and will extend to organisations located outside the EU that offer goods and services to data subjects residing in the EU or monitor their behaviour. There will be a steep learning curve for non-EU based organisations, many of whom are unfamiliar with the standards of an EU data protection regime.

This broadened scope, coupled with increased penalties under the GDPR, has been a major catalyst forcing organisations to focus on data protection and cyber security risk management, a trend which will continue to force data protection into the corporate governance spotlight in 2018. Expect to see a continuation of the trend we have seen over the last year towards a greater focus from senior management on these issues.

While the GDPR in large part gives statutory recognition to what is already regarded as best practice, the reforms are nonetheless significant, and require firms to completely rethink their operational approach to data protection, privacy and cyber-security compliance. The commencement of the GDPR in the UK next year will be a challenge for firms who must also consider their data protection obligations under other financial services instruments, such as MiFID II (which requires firms to store recordings of pertinent telephone conversations and electronic communications for five years, with competent authorities able to request that a firm keeps records for up to seven years). Firms will need to consider those obligations in light of the key principles of proportionality, necessity and data retention limitation set out in the GDPR.

Are you doing enough to tackle phishing cyber sharks?

Efforts to be "cyber resilient" will be a priority for firms in 2018. Writing in the FCA's 2017-18 Business Plan, FCA Chairman John Griffith-Jones emphasised the importance of this issue:

"Of the increasing risk areas that we have identified, one in particular stands out – cyber resilience. Cyber-attacks are increasing in number, scale and sophistication…it needs to be, and stay, high on all of our agendas."

Whether you believe that the FinTech "revolution" is just beginning, or that FinTech is further evidence of banks continuing to build technology solutions into their business models, digitalisation of the financial sector is happening. But it's not all bad news: innovations which have led to increased automation and exponential growth in the volume of digital data also provide many advantages to banks, their customers and counterparties.

The implications of these technological enhancements for the stability and integrity of markets and protection of their customers are significant. Where technological enhancements are not supported by investment in a firm's IT infrastructure or education of staff, the firm leaves itself exposed to cyber-attack. Increased regulatory scrutiny of data protection (particularly following several high profile, damaging cyber attacks) has seen a shift in the way firms view cyber issues, from another problem for IT to deal with to a major risk to business continuity, with financial and reputational issues for which all staff are responsible and which require immediate responses.

Cyber-attacks are becoming more complex and sophisticated, with organised criminals using market-wide attacks to target the financial sector. While firms are expected to ensure their compliance framework is sufficiently robust to combat the issue, the FCA has seen a significant increase in cyber-attacks reported by firms in the past three years.

The global reach of organised cyber-criminals requires all regulators, including those in the UK, to share responsibility for tackling this issue. As a result, general trends are emerging from regulators worldwide which we expect to see continue in 2018, including:

  • shorter time periods for reporting a cyber breach to a regulator (under the PSD2, firms will be required to report within four hours);
  • an expectation that firms be better able, as a matter of contract, to require information from third party providers about cyber breaches which may affect the firm; and
  • the development of more detailed cyber-incident plans, with legal teams in particular taking steps to plan in advance for their role responding to a cyber-incident.

Lenders beware: consumer credit in focus

2018 will see continued interest from the FCA in consumer credit issues with the announcement of proposed changes to the FCA's responsible lending rules and guidance, and we expect a sharp increase in enforcement activity.

In April this year the FCA released its credit card market study consultation on "Persistent debt and earlier intervention remedies", setting out proposals for new rules and guidance to address persistent credit card debt (defined as between 18 and 36 months), including by incentivising firms to encourage customers to repay their debt more quickly to avoid getting into persistent debt in the first place. The FCA has also proposed an early intervention rule which will require firms to use the data available to them to identify customers at risk of financial difficulties and take appropriate steps to address this risk. Where customers are not able to repay their debt in a reasonable period, firms will be required to offer forbearance. The FCA is expected to respond to industry feedback on the proposals and publish a revised policy statement, but will also review the proposals in the light of changes resulting from Brexit negotiations.

The coming year will also see the FCA's response to industry feedback on its consultation regarding assessing creditworthiness in consumer credit. The consultation, released in July 2017, proposed changes to responsible lending rules and guidance aimed at addressing the risks posed to consumers from poor culture and practice in assessing affordability. The FCA wants to clarify what it expects from firms conducting these assessments, including by introducing a new definition of "affordability risk" against which firms would have to assess whether the credit is likely to be affordable for the borrower. The role of Income and Expenditure assessments will also be clarified, with no requirement to undertake such assessments where it is obvious that credit is affordable. The FCA is clearly keen to ensure that creditworthiness assessments strike an appropriate balance between, on the one hand, denying credit to those who cannot afford to repay and are likely to suffer financial distress and, on the other, avoiding excessive requirements which may lead some firms to limit lending unnecessarily or add unnecessary costs.

Payday lending and high-cost short-term credit will remain a focus this year, with the FCA expected to issue a consultation paper in Spring 2018 on "high cost" credit products/markets, namely the rent-to-own, home-collected credit and catalogue credit sectors. The FCA's findings in relation to its review of payday lending, published in July this year, evidenced the effectiveness of the new payday loan price cap, and found that firms were much less likely to lend to customers who cannot afford to repay and that debt charities are seeing far fewer clients with debt problems linked to high-cost short-term credit.

In parallel with these reforms, the FCA's enforcement activity in the consumer credit space is increasing, with a particular focus on responsible lending and the fair treatment of consumers, especially those in financial difficulties or who are vulnerable. Earlier this year, BrightHouse, a rent-to-own retailer which provides household goods to customers on hire purchase agreements, agreed with the FCA to pay nearly £15 million in redress to customers in respect of lending which was not affordable. We expect this focus will continue in 2018, with increased enforcement activity also likely in relation to firms' forbearance and collections processes.

FCA to compete in the competing game

Since the FCA's inception on 1 April 2013, it has had the statutory operational objective to promote effective competition in the interests of consumers. The FCA's competition powers have evolved, most notably in April 2015 when it obtained concurrent competition powers with the Competition and Markets Authority under the Enterprise Act 2002 and the Competition Act 1998.

In addition to the FCA's statutory powers, and the regulatory tools at its disposal (such as the ability to commence market studies), the FCA has also heavily invested in growing its Strategy and Competition division to give it the ability to deploy its competition arsenal. As a consequence, the FCA is under mounting public pressure to be seen to be taking action to tackle anti-competitive behaviour. The FCA has commenced a number of competition enforcement cases, one opened in 2016 and the other in April 2017. Competition investigations tend to take several years to conclude – although the transfer of the latter case to the European Commission brought an early end to the FCA's inquiries earlier this year.

The FCA's Business Plan 2017-18 makes clear that promoting competition and innovation is one of its cross-sector priorities for the year ahead. The FCA will look to draw bright lines as to what it considers inappropriate and the severe consequences of such anti-competitive activities, seeking to regulate authorised firms in a way that is not only conscious of competition, but encourages it.

Authorised firms are on notice to prepare accordingly. This means ensuring staff are trained appropriately. Training is expected to be more than a tick-box exercise, and to be tailored to business units, distinguishing what is appropriate behaviour from what is not, particularly in risk areas such as obtaining market colour.