Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

There is a complex legal framework underpinning corporate risk and compliance management in the UK.

This chapter focuses on core corporate risk and compliance management issues in the context of the UK financial services regime. Separate and distinct regimes apply to sectors outside the financial services market (eg, the pharmaceutical and energy sectors), which are enforced by designated UK and international regulatory agencies. These regimes are outside the scope of this chapter.

The legal framework for the financial services regime in the UK is vast and complex and there are detailed rules relating to specific sectors of the market. Most of the corporate risk and compliance management requirements derive from EU directives and regulations, which have been implemented into English law in the form of legislation and detailed regulatory rules.

There is also a wealth of case law from a variety of judicial and administrative bodies, including the European Court of Justice, the English courts and the UK regulator, the Financial Conduct Authority (FCA).

There has been a constant evolution and expansion of the regulatory landscape, particularly since the financial crisis of 2007-2008. These developments have seen a shift from the traditional approach of outcome-focused and principle-based regulation to an increasingly prescriptive and rules-based approach.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

The most important statute in this area for financial services firms (including firms that are considering whether their services might entail regulated business in England) is the Financial Services and Markets Act 2000 (FSMA), in particular sections 19 and 21 FSMA, which set out two restrictive regulatory regimes.

Key delegated legislation under FSMA includes:

  • FSMA 2000 (Regulated Activities) Order 2001;
  • FSMA 2000 (Financial Promotion) Order 2005;
  • EU regulations that have a direct effect on English law (for example the Market Abuse Regulation);
  • rules made by the UK regulators (the Prudential Regulation Authority (PRA) and the FCA) under FSMA, which apply to firms that are authorised and regulated in the UK as well as, in some circumstances, European Economic Area firms that are licensed by other European Economic Area regulatory authorities but conduct business in the UK. The FCA rules are set out in the FCA Handbook and the PRA rules in the PRA Rulebook. These rules implement many European Commission financial services sectoral Directives (which do not have direct effect in English law and require implementing measures in order to take effect);
  • within the FCA and PRA rules, a number of sourcebooks and chapters contain detailed requirements on risk and compliance management. These include the FCA’s Senior Management Systems and Controls Sourcebook and the PRA’s General Organisational Requirements, although many risk-management requirements are also found elsewhere. For example, FCA rules for the management of the risks associated with holding client money and assets are not contained in the FCA Handbook but are set out instead in the Client Assets Sourcebook;
  • the Money Laundering Regulations 2007; and
  • the Bribery Act 2010 and the Terrorism Act 2000.

Key competition law legislation includes the Competition Act 1998 and the Enterprise Act 2002. These need to be read in conjunction with legislation specific to the financial services sector, notably FSMA.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

Firms that are authorised and regulated in the UK will be subject to high-level standards relating to risk and compliance management under the FCA’s Principles for Businesses (and in addition, may be subject to the PRA’s Fundamental Rules, depending on whether the firm is authorised by the PRA rather than the FCA).

Principle 3 of the FCA’s Principles for Businesses requires a firm to ‘take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems’.

PRA Fundamental Rules 5 and 6 also require a firm to ‘have effective risk strategies and risk management systems’ and to ‘organise and control its affairs responsibly and effectively’.

More detailed standards and guidelines are contained in the legislation and rules referred to in question 2, and expand upon Principle 3 and Fundamental Rules 5 and 6. These more detailed requirements vary significantly depending on the financial services sector in which a firm operates and the regulated activities that it carries out. There is no ‘one size fits all’ approach.

Some provisions are also subject to proportionality requirements. What is expected of a large bank will not be the same as what is expected of a small firm that has a deposit-taking permission for certain limited business it may be carrying out, or of a firm that does no more than make occasional introductions of business to another regulated firm.

Depending on the status of the firm, examples of the types of standards and guidelines that may apply are set out below. This list is included by way of illustration only and is not an exhaustive list of requirements:

  • the duty to have robust governance arrangements, which include:
      ◦ a clear organisational structure with well-defined, transparent and consistent lines of responsibility;
      ◦ effective processes to identify, manage, monitor and report the risks the firm is or might be exposed to;
      ◦ internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems;
  • the duty to have business continuity procedures and a compliance manual;
  • the duty to categorise clients and enter into written agreements with clients;
  • the duty to report information and data to clients, and to the FCA or PRA;
  • the duty to have a separate risk assessment function;
  • the requirement for ‘four eyes’ in the running or management of the firm. For example, an investment firm that is a limited company will generally need to have at least two executive directors;
  • the requirement to establish a compliance function and to appoint a money laundering reporting officer;
  • the duty not to delegate responsibility to a third party. Functions that are outsourced to a third party must be supervised or overseen;
  • the duty to establish a remuneration committee;
  • the duty to comply with detailed conduct of business obligations when providing services to clients. These include high-level obligations such as the duty to act in the best interests of the client and to treat customers fairly, as well as more detailed rules, for example, the duty to ensure that investment advice and discretionary management services are suitable for the customer concerned;
  • the duty to have a conflict of interest policy and keep a register of conflicts and manage any conflict that may entail a material risk of damage to clients’ interests; and
  • detailed requirements on holding and handling client money and assets.

Many of the processes that are required are ultimately derived from European Commission sectoral legislation.

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Yes. The extent of the firm’s obligations will depend on the regulated status of the firm. For example, firms authorised by the FCA and PRA will be required to comply with FCA and PRA rules relating to risk and compliance management, in addition to the rules that apply more widely to firms operating in the UK. The FCA rules are very broad, capturing capital, governance, conduct of business and other compliance, risk, and systems and controls requirements, including duties at board level and personal responsibilities for individuals in various controlled functions. The extent to which the requirements apply to firms depends in part on the size of the firm in question. As explained above, the extent of the firm’s obligations will also depend on the specific sector within which the firm operates.

Following a recent review of the compliance function in wholesale banks, the FCA noted that the compliance function is moving towards a pure, independent second line of defence risk function with a higher profile within firms (with compliance representatives increasingly being added to boards and governance committees). The FCA emphasised the importance of ensuring that compliance functions balance their role as an adviser to the front office with their role of providing challenge.

Incoming EEA firms (particularly those establishing a branch in the UK) that are authorised and regulated by other EEA regulatory authorities will be subject to some more limited UK rules, which may require certain risk and compliance arrangements to be put in place. Again, what is required will depend on the type of firm and the type of passport it is using (services or branch). Generally speaking, this type of firm will not be subject to UK prudential requirements.

What are the key risk and compliance management obligations of undertakings?

The key risk and compliance management obligations of FCA authorised firms are outlined in question 7.

In addition, FCA and PRA authorised firms are required to deal with the relevant regulator in an open and cooperative way and to notify the regulator of anything relating to the firm of which the regulator would reasonably expect notice. This duty to self-report is contained in Principle 11 of the FCA’s Principles for Businesses and Fundamental Rule 7 of the PRA’s Fundamental Rules. The FCA or PRA may bring an enforcement action against a firm that has acted in breach of this duty. For example, in April 2015, the FCA fined Deutsche Bank £226 million in connection with a breach of Principle 11, among other breaches. A significant part of the fine related to Deutsche Bank’s conduct in providing false and misleading information to the FCA.

There are also risk and compliance management obligations that apply more broadly to firms operating within the UK. For example, the anti-money laundering regime (in particular, the Money Laundering Regulations 2007) applies to businesses identified as most vulnerable to the risk of money laundering. This includes financial institutions and businesses within the regulated sector, such as law and accountancy firms. Firms must be able to demonstrate that their client due diligence measures, ongoing monitoring and internal policies and procedures are appropriate in light of the risk of money laundering to their business.

It is also a criminal offence under the Bribery Act 2010 if a commercial organisation fails to prevent bribery (the ‘failure to prevent’ offence). This legislation is not sector-specific and the ‘failure to prevent’ offence applies to all UK corporates and partnerships. It may also apply to companies that are incorporated and operate outside the UK if part of their business is within the jurisdiction. There is a defence if the organisation can show that it had adequate procedures in place to prevent bribery (see question 17).