Legal and regulatory framework
What legal role does corporate risk and compliance management play in your jurisdiction?
There is a complex legal framework underpinning corporate risk and compliance management in the UK.
This chapter focuses on core corporate risk and compliance management issues in the context of the UK financial services regime. Separate and distinct regimes apply to sectors outside the financial services market (eg, the pharmaceutical and energy sectors), which are enforced by designated UK and international regulatory agencies. These regimes are outside the scope of this chapter.
The legal framework for the financial services regime in the UK is vast and complex and there are detailed rules relating to specific sectors of the market. Most of the corporate risk and compliance management requirements derive from EU directives and regulations, which have been implemented into English law in the form of legislation and detailed regulatory rules.
There is also a wealth of case law from a variety of judicial and administrative bodies, including the European Court of Justice, the English courts and the UK regulator, the Financial Conduct Authority (FCA).
There has been a constant evolution and expansion of the regulatory landscape, particularly since the financial crisis of 2007-2008. These developments have seen a shift from the traditional approach of outcome-focused and principle-based regulation to an increasingly prescriptive and rules-based approach.
Laws and regulations
Which laws and regulations specifically address corporate risk and compliance management?
The most important statute in this area for financial services firms (including firms that are considering if their services might entail regulated business in England) is the Financial Services and Markets Act 2000 (FSMA), in particular sections 19 and 21 FSMA, which set out two restrictive regulatory regimes.
Key delegated legislation under FSMA includes:
- FSMA 2000 (Regulated Activities) Order 2001;
- FSMA 2000 (Financial Promotion) Order 2005;
- EU regulations that have a direct effect on English law (for example the Market Abuse Regulation);
- rules made by the UK regulators (the Prudential Regulation Authority (PRA) and the FCA) under FSMA, which apply to firms that are authorised and regulated in the UK as well as, in some circumstances, European Economic Area firms that are licensed by other European Economic Area regulatory authorities but conduct business in the UK. The FCA rules can be found at www.handbook.fca.org.uk/handbook and PRA rules at www.prarulebook.co.uk. These rules implement many European Commission financial services sectoral Directives (which do not have direct effect in English law and require implementing measures in order to take effect);
- within the FCA and PRA rules, a number of sourcebooks and chapters contain detailed requirements on risk and compliance management. These include the FCA’s Senior Management Systems and Controls Sourcebook and the PRA’s General Organisational Requirements, although many risk-management requirements are also found elsewhere. For example, FCA rules for the management of the risks associated with holding client money and assets are not contained in the FCA Handbook but are set out instead in the Client Assets Sourcebook;
- the Money Laundering Regulations 2007; and
- the Bribery Act 2010 and the Terrorism Act 2000.
Key competition law legislation includes the Competition Act 1998 and the Enterprise Act 2002. These need to be read in conjunction with legislation specific to the financial services sector, notably FSMA.
Types of undertaking
Which are the primary types of undertakings targeted by the rules related to risk and compliance management?
Generally speaking, any legal person who conducts activities within the scope of the restrictive regimes in sections 19 and 21 FSMA will be targeted by the requirements and, regardless of its legal form or corporate structure, will need to seek authorisation from the PRA or FCA and comply with the relevant regulatory requirements.
For example, a sole trader may need to seek authorisation (typically from the FCA) and put in place systems and controls to organise his or her business effectively - just as a high street bank, which is a listed company, must also do (seeking authorisation from the PRA as it is a bank). Other entities such as limited liability partnerships will also need to seek authorisation if they are conducting activities that fall within the scope of the FCA or PRA.
What is required of each entity will, however, vary depending on the sector, size, scale and nature of the business and regulated activities being carried on.
Notwithstanding the above, it should be noted that certain regulated activities can only be performed by legal persons of a particular corporate form. For example, a sole trader could not seek authorisation to conduct insurance activities.
Competition law targets all types of undertakings operating in the UK (whether or not they are domiciled in the UK), including those outside of the financial services sector. In terms of financial services firms, the FCA has concurrent competition law powers (see question 4), which extend to all financial services undertakings and not just those authorised by the FCA.
Regulatory and enforcement bodies
Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?
The UK’s approach to financial regulation involves several bodies, each with their own responsibilities and remit.
The PRA is responsible for the prudential regulation and supervision of banks, building societies, credit unions, insurers and major investment firms. The PRA has powers in relation to failing firms and enforcement powers relating to breaches of the PRA’s regulatory requirements.
The FCA is responsible for the conduct regulation of financial services firms in the UK and the prudential regulation of firms that are not regulated by the PRA. Firms that are regulated by both the FCA and the PRA are known as dual-regulated firms.
The FCA has three operational objectives:
- to protect consumers;
- to protect and enhance the integrity of the UK financial system; and
- to promote effective competition.
The FCA has wide-ranging powers to facilitate these objectives. These include powers relating to rule-making, authorisation of firms, market regulation and passporting. The FCA also has extensive disciplinary and enforcement powers, which include the power to bring civil and criminal, as well as regulatory, proceedings.
The Competition and Markets Authority (CMA) is responsible for investigating and penalising breaches of competition law. The FCA also has concurrent competition law powers in relation to financial services firms, which include unannounced inspections and mandatory information requests. The FCA can also send ‘on notice’ letters to firms, warning them of potentially infringing behaviour in circumstances where a full investigation is not warranted.
The Serious Fraud Office (SFO) is an agency operating within the UK criminal justice system, which investigates and prosecutes serious and complex fraud as well as bribery and corruption cases. The SFO also deals with requests from overseas courts and prosecutors for international assistance.
In recent years, there has been a continuing trend of growing cooperation between UK and overseas regulators and agencies as issues become increasingly multi-jurisdictional in nature.
Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?
No - these are not defined terms across most financial services legislation.
However, there are detailed rules covering these areas that vary between sectors (banking, insurance, asset management, etc). Refer to question 7.
Are risk and compliance management processes set out in laws and regulations?
Yes, although legislation and rules do not generally prescribe a single approach or structure to risk and compliance management. Historically, the requirements have tended to be non-prescriptive, looking to outcomes rather than the form of the arrangements.
However, particularly since the financial crisis, there has been a tendency for new legislation and rules to adopt a more prescriptive approach. This reflects a corresponding trend in EU financial services legislation, for example the Solvency II Directive for insurers and the Markets in Financial Instruments Directive II (MiFID II) for investment firms.
Standards and guidelines
Give details of the main standards and guidelines regarding risk and compliance management processes.
Firms that are authorised and regulated in the UK will be subject to high-level standards relating to risk and compliance management under the FCA’s Principles for Businesses (and in addition, may be subject to the PRA’s Fundamental Rules, depending on whether the firm is authorised by the PRA rather than the FCA).
Principle 3 of the FCA’s Principles for Businesses requires a firm to ‘take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems’.
PRA Fundamental Rules 5 and 6 also require a firm to ‘have effective risk strategies and risk management systems’ and to ‘organise and control its affairs responsibly and effectively’.
More detailed standards and guidelines are contained in the legislation and rules referred to in question 2, and expand upon Principle 3 and Fundamental Rules 5 and 6. These more detailed requirements vary significantly depending on the financial services sector in which a firm operates and the regulated activities that it carries out. There is no ‘one size fits all’ approach.
Some provisions are also subject to proportionality requirements. What is expected of a large bank will not be the same as what is expected of a small firm that has a deposit-taking permission for certain limited business it may be carrying out, or of a firm that does no more than make occasional introductions of business to another regulated firm.
Depending on the status of the firm, examples of the types of standards and guidelines that may apply are set out below. This list is included by way of illustration only and is not an exhaustive list of requirements:
- the duty to have robust governance arrangements, which include:
  - a clear organisational structure with well-defined, transparent and consistent lines of responsibility;
  - effective processes to identify, manage, monitor and report the risks the firm is or might be exposed to;
  - internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems;
- the duty to have business continuity procedures and a compliance manual;
- the duty to categorise clients and enter into written agreements with clients;
- the duty to report information and data to clients, and to the FCA or PRA;
- the duty to have a separate risk assessment function;
- the requirement for ‘four eyes’ in the running or management of the firm. For example, an investment firm that is a limited company will generally need to have at least two executive directors;
- the requirement to establish a compliance function and to appoint a money laundering reporting officer;
- the duty not to delegate responsibility to a third party. Functions that are outsourced to a third party must be supervised or overseen;
- the duty to establish a remuneration committee;
- the duty to comply with detailed conduct of business obligations when providing services to clients. These include high-level obligations such as the duty to act in the best interests of the client and to treat customers fairly, as well as more detailed rules, for example, the duty to ensure that investment advice and discretionary management services are suitable for the customer concerned;
- the duty to have a conflict of interest policy and keep a register of conflicts and manage any conflict that may entail a material risk of damage to clients’ interests; and
- detailed requirements on holding and handling client money and assets.
Many of the processes that are required are ultimately derived from European Commission sectoral legislation.
Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?
Yes. The extent of the firm’s obligations will depend on the regulated status of the firm. For example, firms authorised by the FCA and PRA will be required to comply with FCA and PRA rules relating to risk and compliance management, in addition to the rules that apply more widely to firms operating in the UK. The FCA rules are very broad, capturing capital, governance, conduct of business and other compliance, risk and systems and controls requirements, including duties at board level and personal responsibilities for individuals in various controlled functions. The extent to which the requirements apply to a firm depends in part on the size of the firm in question. As explained above, the extent of the firm’s obligations will also depend on the specific sector within which the firm operates.
Following a recent review of the compliance function in wholesale banks, the FCA noted that the compliance function is moving towards a pure, independent second line of defence risk function with a higher profile within firms (with compliance representatives increasingly being added to boards and governance committees). The FCA emphasised the importance of ensuring that compliance functions balance their role as an adviser to the front office with their role of providing challenge.
Incoming EEA firms (particularly those establishing a branch in the UK) that are authorised and regulated by other EEA regulatory authorities will be subject to some more limited UK rules, which may require certain risk and compliance arrangements to be put in place. Again, what is required will depend on the type of firm and the type of passport it is using (services or branch). Generally speaking, this type of firm will not be subject to UK prudential requirements.
What are the key risk and compliance management obligations of undertakings?
The key risk and compliance management obligations of FCA authorised firms are outlined in question 7.
In addition, FCA and PRA authorised firms are required to deal with the relevant regulator in an open and cooperative way and to notify the regulator of anything relating to the firm of which the regulator would reasonably expect notice. This duty to self-report is contained in Principle 11 of the FCA’s Principles for Businesses and Fundamental Rule 7 of the PRA’s Fundamental Rules. The FCA or PRA may bring an enforcement action against a firm that has acted in breach of this duty. For example, in April 2015, the FCA fined Deutsche Bank £226 million in connection with a breach of Principle 11, among other breaches. A significant part of the fine related to Deutsche Bank’s conduct in providing false and misleading information to the FCA.
There are also risk and compliance management obligations that apply more broadly to firms operating within the UK. For example, the anti-money laundering regime (in particular, the Money Laundering Regulations 2007) applies to businesses identified as most vulnerable to the risk of money laundering. This includes financial institutions and businesses within the regulated sector, such as law and accountancy firms. Firms must be able to demonstrate that their client due diligence measures, ongoing monitoring and internal policies and procedures are appropriate in light of the risk of money laundering to their business.
It is also a criminal offence under the Bribery Act 2010 if a commercial organisation fails to prevent bribery (the ‘failure to prevent’ offence). This legislation is not sector-specific and the ‘failure to prevent’ offence applies to all UK corporates and partnerships. It may also apply to companies that are incorporated and operate outside the UK if part of their business is within the jurisdiction. There is a defence if the organisation can show that it had adequate procedures in place to prevent bribery (see question 17).
Liability of undertakings
What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?
In addition to the regulatory requirements that apply to FCA authorised firms, there is a regime that applies to individuals who perform certain activities within authorised firms (known as ‘approved persons’). These activities are referred to as ‘controlled functions’ and examples include being a director of an authorised firm and overseeing the firm’s systems and controls.
The FCA may only grant an application for approval to perform a controlled function if it considers that the individual is fit and proper to perform the relevant function.
Individuals who perform controlled functions are required to comply with certain standards of conduct set out in the FCA’s rules. In particular, individuals must comply with the FCA’s Statements of Principle and Codes of Practice for Approved Persons (APER), which set out high-level principles of behaviour, as well as specific rules for particular types of controlled function.
The FCA may bring disciplinary action against individuals who fail to meet the standards of conduct expected of them (see question 15).
Increasing individual accountability is a key priority for the FCA. In March 2016, the FCA introduced the ‘Senior Managers and Certification Regime’ (SM&CR), which is designed to assist the FCA in holding senior management to account. Among other things, the regime requires firms to set out detailed statements of responsibility, identifying which individuals within the firm have responsibility for specific issues. There are also detailed rules relating to the conduct of ‘senior managers’ as well as new Conduct Rules that apply to most employees of relevant firms, including those performing unregulated roles. The Conduct Rules reflect the FCA’s core standards expected of employees of authorised firms.
The regime currently applies only to deposit-taking institutions and certain insurance firms. However, in 2018 the regime will be extended to cover almost all FCA authorised firms (and will replace the Approved Persons Regime described above). It is currently intended that the rules will apply to insurers in late 2018 and solo-regulated firms in mid-to-late 2019. The FCA has confirmed that it will publish its rules and approach to the transition in a statement in summer 2018.
As well as the risk and compliance management obligations owed by directors and senior managers of authorised firms, directors also have general duties that are set out in the Companies Act 2006, supplemented by common law. These duties apply to directors of companies outside the financial services sector.
Directors of UK listed companies (including companies outside of the financial services sector) are subject to additional obligations, for example in relation to corporate governance. These are outside the scope of this chapter.
Do undertakings face civil liability for risk and compliance management deficiencies?
Yes. FSMA contains a provision (section 138D FSMA) that allows private persons a right of action for damages in respect of loss suffered as a result of a breach of FSMA.
There are also provisions in FSMA that give a right of action for specific breaches, including misleading information in listing particulars and prospectuses (section 90 FSMA).
The current regulatory environment has seen an increase in civil actions against financial institutions (particularly banks) for the mis-selling of investments and other financial products. As well as claims arising under section 138D FSMA, claims may be based on:
- alleged breaches of contract relating to the bank’s advisory duty;
- alleged breaches of the bank’s tortious duty of care; or
- misrepresentation on the part of the bank.
Misrepresentation claims may arise under the Misrepresentation Act 1967, the bank’s duty not to misstate the position negligently or (less commonly) fraudulent misrepresentation.
The Consumer Rights Act 2015 came into force in October 2015 and allows businesses and consumers in all sectors to bring class actions in respect of breaches of competition law. This could make it easier for claimants to bring US-style class actions (for example, in relation to benchmark manipulations such as foreign exchange and LIBOR).
Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?
Yes. The FCA has wide-ranging enforcement powers against firms for breaches of regulatory rules. Enforcement action for risk and compliance management deficiencies is likely to be based on Principle 3 of the FCA’s Principles for Businesses, which states that the firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
The FCA may impose a variety of disciplinary sanctions on firms for regulatory failures. These include:
- public censure;
- a financial penalty;
- suspensions or restrictions in relation to the firm’s permission to perform regulated activities; and
- variation or cancellation of the firm’s permission.
In deciding whether to impose a public censure or a financial penalty, the FCA will take into account the circumstances of the case, including the nature, seriousness and impact of the breach and the previous disciplinary record of the firm.
The FCA has provided guidance on the approach it will follow to determine the level of a financial penalty. Among other things, the FCA will take into account any financial benefit derived directly from the breach and any adjustments that should be made in light of mitigating and aggravating factors. The FCA also has the power to increase the penalty if it considers that the figure is insufficient to achieve its objective of deterrence.
In recent years, the FCA has imposed substantial financial penalties against banks for benchmark manipulation and anti-money laundering (AML) controls failings. In May 2015, the FCA imposed a financial penalty of £284,432,000 on Barclays Bank for systems and controls failures in connection with foreign exchange manipulation. At the time of writing, this is the largest financial penalty ever imposed by the FCA. In January 2017, the FCA imposed a financial penalty of £163,076,224 on Deutsche Bank AG for failing to maintain an adequate AML control framework (see question 18). At the time of writing, this is the largest financial penalty for AML controls failings ever imposed by the FCA.
Firms in all sectors can also face lengthy investigations by the CMA, when they are suspected of failing to act in accordance with competition law. Financial services firms may also face competition law investigations by the FCA. These investigations can result in large-scale fines.
Do undertakings face criminal liability for risk and compliance management deficiencies?
The UK government is currently consulting on the creation of new offences to make corporations liable for certain criminal activities.
For serious offences that do not impose strict liability, a corporation will only normally be liable for the criminal actions of an employee if the individual is sufficiently senior to be the ‘directing mind and will’ of the company (the identification doctrine). This is a highly fact-specific question, the complexity of which increases with the size of the company and the structure of its management. A company can only be criminally liable if it can be shown that the directing mind, namely the board or senior management of the organisation, was involved in the commission of the offence. Successful prosecutions of companies on this basis are challenging and consequently rare.
In January 2017, the UK government published a Call for Evidence seeking views on the extension of the failure to prevent offence under the Bribery Act 2010 (see question 9), as well as four alternative options. If a new corporate failure to prevent offence proves to be the best option for reform, the government’s starting position is that the offence should initially apply to the most serious economic crime offences, which may include:
- conspiracy to defraud;
- false accounting; and
- money laundering.
If implemented, the offence will apply to corporations in all sectors.
In January 2017, the UK government also published a Call for Evidence on the alternatives to the identification doctrine for corporate criminal liability. At the time of writing, the government is analysing the feedback.
Deferred Prosecution Agreements (DPAs) are available to bodies corporate, partnerships and unincorporated associations facing criminal proceedings in the UK. In question 18, we discuss the £500 million DPA that Rolls-Royce recently agreed with the SFO.
There is no specific corporate criminal liability for competition law breaches.
Liability of governing bodies and senior management
Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?
As explained in question 11, section 138D FSMA provides a right of action for damages for a person who has suffered a loss as a result of a breach of an FCA rule. See also question 15.
Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?
Yes. The FCA may take disciplinary action against approved persons who act in a way that is inconsistent with the standards of conduct set out in the FCA rules.
The FCA’s disciplinary powers include financial penalties and issuing a public statement about the misconduct. The FCA may also suspend, restrict or withdraw the individual’s approval and impose a prohibition order preventing the individual from performing controlled functions.
Under the SM&CR, the government has introduced a new statutory ‘duty of responsibility’ for senior managers, which means that they are required to take reasonable steps to prevent a regulatory breach by the firm in their area of responsibility. The FCA and the PRA can take disciplinary action against a senior manager for a breach of this statutory duty.
Directors, managers and other officers can face director disqualification orders for failing to comply with competition law. This applies to individuals in all sectors.
Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?
There are certain criminal offences that could apply to directors and senior managers of financial institutions if the individuals were personally culpable. For example, under section 89 of the Financial Services Act 2012, it is an offence to make false or misleading statements or create false or misleading impressions with the intention of inducing (or being reckless as to whether it may induce) another person to enter into an agreement (eg, an agreement to sell or buy shares in a company).
For conduct occurring post-March 2016, there is a new criminal offence relating to decisions taken by senior managers of banks, building societies and major investment firms (section 36 of the Financial Services (Banking Reform) Act 2013). Senior managers may be criminally liable if they make a decision (or fail to take steps that could prevent a decision being taken) that causes a financial institution to fail. In order for the offence to be made out, the senior manager must have been aware (at the time the decision was taken) of the risk that the decision might cause the financial institution to fail. The individual’s conduct must also fall ‘far below’ what could reasonably be expected of someone in their position. At the time of writing, the FCA has not brought any prosecutions for this offence.
Directors and managers in all sectors can be prosecuted by the CMA for committing a cartel offence, namely, agreeing with one or more other persons to make or implement, or cause to be made or implemented, arrangements whereby at least two undertakings will engage in one or more prohibited cartel activities. For such agreements entered into from 1 April 2014 onwards there is no need to establish that the individual acted ‘dishonestly’.
Corporate compliance defence
Is there a corporate compliance defence? What are the requirements?
Corporate compliance defences exist in relation to certain, specific statutory offences. For example, under the Bribery Act 2010, a corporate will have a defence to the criminal failure to prevent offence if it can show that it had adequate procedures in place, designed to prevent persons committing bribery. There is no definition of ‘adequate procedures’; however, guidance has been published that places an emphasis on taking a risk-based approach while implementing proportionate procedures.
There is also a corporate defence to the financial promotions offence if a firm can show that it took all reasonable precautions and exercised all due diligence to avoid committing the offence (section 25(2) FSMA).
There is no specific corporate compliance defence in relation to FCA enforcement proceedings. However, in determining the level of the financial penalty, the FCA will consider whether there are any mitigating factors, which may include that the firm corrected the deficiencies in its compliance and risk management framework as part of a remediation programme. This could lead to a lower fine being imposed against the firm.
While not strictly a defence, it is also possible for businesses to apply for leniency in relation to certain types of competition law infringement. This may result in avoiding or receiving a reduced fine.
Discuss the most recent leading cases regarding corporate risk and compliance management failures.
Deutsche Bank FCA Final Notice
On 31 January 2017, the FCA fined Deutsche Bank £163,076,224 in connection with deficiencies in its AML control framework.
The FCA found, among other things, that between 2012 and 2015 Deutsche Bank:
- performed inadequate customer due diligence;
- had deficient anti-money laundering policies and procedures;
- had an inadequate anti-money laundering IT infrastructure; and
- provided insufficient oversight of trades booked in the UK by overseas traders.
The FCA found that there were ‘serious and systemic weaknesses’ in Deutsche Bank’s AML systems and controls, which ‘created a significant risk that financial crime would be facilitated, occasioned or otherwise occur’.
Deutsche Bank was also fined US$425 million by the New York Department of Financial Services in connection with the mirror trading scheme.
Rolls-Royce DPA
In January 2017, Rolls-Royce entered into a DPA with the SFO, which was approved by the English court. The DPA involved payments by Rolls-Royce of nearly £500 million plus interest and the SFO’s costs (£13 million). It is the largest DPA of its kind in the UK. Rolls-Royce’s conduct involved offences relating to bribery of foreign public officials, commercial bribery and false accounting of payments to intermediaries.
The case highlights the importance of engaging openly and fully with the SFO from an early stage of its investigations. The extent to which Rolls-Royce co-operated with the SFO was, in the SFO’s own words, ‘extraordinary’ and this was a key factor in persuading the judge to approve the DPA. Another key consideration was that Rolls-Royce had taken steps to review and enhance its ethics and compliance procedures such that Rolls-Royce had become a ‘dramatically changed organisation’.
Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?
The answer to this question depends on the status of a governmental body, or state-owned enterprise.
There are exclusions and exemptions from financial services regulation under FSMA for certain state bodies, for example local authorities.
The FCA and PRA are subject to statutory duties (such as the general duties and objectives set out in FSMA) and must act within the scope of their authority and comply with other requirements (such as the duty to consult, or the duty to implement EU law requirements in their rules so that the UK meets its EU law obligations).
The fact that a firm is state-owned or partly state-owned does not usually provide an exemption from regulation. For example, the Royal Bank of Scotland plc is currently a partly state-owned UK bank. Its regulatory obligations are essentially the same as other banks of its size and scale carrying on the same regulated activities.
Competition law extends to ‘undertakings’ (the European Union law concept) and ‘enterprises’ (the UK law concept) in all sectors. In broad terms, this includes all entities to which a turnover can be ascribed, whether or not the entity is run for profit.
Framework covering digital transformation
What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?
Financial services regulation under section 19 FSMA and section 21 FSMA will not generally be directly relevant to governmental bodies, as explained above.
However, a large body of European Union sectoral legislation and FSMA will limit and, in some cases, remove the discretion of the UK regulators, the FCA and the PRA.
From a competition law perspective, once competition law attaches to a body, the risks are essentially the same.
Update and trends
On 29 March 2019, the UK is due to leave the European Union (Brexit). The UK government remains in negotiation with the EU for a number of matters including trade and access arrangements between the UK and the EU post-Brexit and a proposed transitional period. Until Brexit takes effect, EU law continues to apply to UK firms. The FCA stated on 24 June 2016 that ‘firms must continue to abide by their obligations under UK law, including those derived from EU law and continue with implementation plans for legislation that is still to come into effect’.
At the time of writing, the UK is seeking a free trade deal that makes unique provision for the financial services market between the UK and the EU. However, it remains to be seen whether this type of agreement will be negotiated and if so, what shape the bespoke financial services provisions will take. While it may be the case that much regulation of EU-origin continues in place for the purposes of continuity and reciprocity, the extent to which domestic rules and regulation will be amended after Brexit is currently unclear.
The EU’s existing data protection framework is being replaced by the General Data Protection Regulation (GDPR) on 25 May 2018. The GDPR enhances a number of the existing standards and aims to harmonise much of the data protection legislation across the EU, including the UK. Among other things, the scope of the regime is widened, it will be more difficult to obtain and rely on the consent of data subjects to the processing of their personal data, and some firms will be required to appoint a Data Protection Officer. Firms will need to review their existing processes and controls and ensure they are compliant with the GDPR.
Focus on individual accountability
As explained above, there is an increasing regulatory focus on individual accountability with the Yates Memo in the United States and the SM&CR in the UK. In mid-to-late 2019, the UK regime will be extended to cover all firms authorised under FSMA. It will also apply to branches of non-UK firms with permission to carry out regulated activities in the UK. The regulators’ intention is to drive up standards of individual behaviour in financial services at all levels and to make it significantly easier for the regulators to hold senior managers to account for failures within their firms.