Regulatory framework

Regulatory authorities

What national authorities regulate the provision of financial products and services?

The main piece of legislation specifying regulated financial services in the UK is the Financial Services and Markets Act 2000 (as amended) (FSMA) and its subordinate legislation. There is a tripartite system of regulators for financial services firms authorised under the FSMA: the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Bank of England Financial Policy Committee (FPC). The scope of each regulator’s authority is set out in the FSMA.

The FPC is the dedicated macro-prudential authority, and monitors the stability and resilience of the financial system as a whole, identifying and taking action to reduce systemic risk. The FPC can direct the FCA and the PRA to take certain action to combat systemic risk, but does not itself have direct regulatory responsibility for UK-authorised firms.

The PRA is responsible for the authorisation and prudential regulation and supervision of firms that manage significant risk on their balance sheet (including banks, insurers and systemically important investment firms), while the FCA is responsible for the authorisation, prudential regulation and supervision of all other FSMA firms (including consumer credit firms), as well as the conduct of business of all firms.

The FCA is also responsible for the regulation of conduct in retail and wholesale financial markets, supervision of the trading infrastructure that supports those markets, and the authorisation and supervision of e-money issuers and payment services firms that fall outside the FSMA regulatory regime. The FCA also oversees the Payment Systems Regulator, which is an operationally independent subsidiary of the FCA that is the economic regulator for payment systems.

The PRA and FCA are obliged to ensure that their functions are exercised in a coordinated manner; for example, they must obtain advice or information from each other relating to the exercise of their functions under the FSMA on matters of common regulatory interest. A memorandum of understanding supports the relationship between the two regulators.

What activities does each national financial services authority regulate?

The FSMA provides that no person can perform a regulated activity without being authorised or exempt. A regulated activity is a specific activity that relates to a specified type of investment. The FSMA (Regulated Activities) Order 2001, a piece of subordinate legislation under the FSMA, specifies the following activities that, when performed in relation to specified products or investments (see question 3), are regulated activities in the UK:

  • deposit taking;
  • issuing electronic money by credit institutions, credit unions and municipal banks;
  • insurance-related activities (including effecting a contract of insurance and assisting in the administration or performance of contracts of insurance);
  • investment activities, including arranging deals in investments, advising on investments, dealing in investments, safeguarding and administering investments, managing investments, operating a trading facility and establishing or winding up a collective investment scheme;
  • mortgage and home-finance-related activities, including mortgage lending and administration and entering into and administering home reversion and home purchase plans and sale and rent back agreements;
  • consumer credit regulated activities; and
  • other miscellaneous activities such as establishing a stakeholder pension scheme, specified financial benchmark administration activities, bidding in emissions auctions and certain activities in relation to the Lloyd’s insurance market.

Agreeing to carry on a regulated activity is also generally a regulated activity.

The PRA is responsible for the authorisation of deposit takers, insurers, managing agents in the Lloyd’s insurance market, the Lloyd’s insurance market itself, and certain high-risk investment firms that have been designated by the PRA. Firms authorised by the PRA are subject to dual regulation by the PRA and the FCA: the PRA is responsible for their authorisation, prudential regulation and supervision, while the FCA is responsible for regulating their conduct. All other FSMA firms are authorised, regulated and supervised by the FCA in respect of both prudential and conduct matters.

Separate regulatory regimes exist in the UK for the regulation of payment services and the issuance of electronic money by institutions other than credit institutions, credit unions and municipal banks (under the Payment Services Regulations 2017 (PSRs) and the E-Money Regulations 2011 (EMRs)). The FCA is responsible for the authorisation and supervision of e-money issuers and payment services firms.

What products does each national financial services authority regulate?

The following are specified products or investments for the purposes of the FSMA regime:

  • deposits;
  • e-money;
  • contracts of insurance;
  • shares;
  • instruments creating or acknowledging indebtedness;
  • alternative finance investment bonds;
  • government and public securities;
  • instruments giving entitlements to investments;
  • certificates representing certain securities;
  • units in a collective investment scheme;
  • rights under a pension scheme;
  • options;
  • futures;
  • contracts for differences;
  • Lloyd’s investments;
  • funeral plan contracts;
  • regulated mortgage contracts;
  • regulated home reversion plans;
  • regulated home purchase plans;
  • regulated sale and rent back agreements;
  • rights to or interests in investments;
  • greenhouse gas emissions allowances;
  • rights under consumer credit and consumer hire agreements; and
  • structured deposits.

Authorisation regime

What is the registration or authorisation regime applicable to financial services firms and authorised individuals associated with those firms? When is registration or authorisation necessary, and how is it effected?

The PRA and the FCA have the power to authorise a firm to carry on regulated activities under the FSMA (only firms authorised or exempt under the FSMA may carry on FSMA-regulated activities in the UK).

A firm must apply to the PRA if its application includes certain PRA-regulated activities, such as deposit-taking or the writing of insurance contracts. These firms will have their application considered by both the FCA and the PRA. In any other case the application will be made to the FCA only.

In the case of dual-regulated firms, the PRA leads the authorisation process. This includes pre-application meetings with the FCA and PRA; submission by the applicant of a detailed application pack including a core details form, a regulatory business plan, a controllers form, applications for certain key individuals (such as directors, senior managers and individuals responsible for compliance functions) to perform ‘controlled functions’ or ‘senior management functions’ and an IT self-assessment questionnaire; and the payment of a fee ranging from £1,500 to £25,000 depending on the complexity of the application. The PRA and FCA must be satisfied that certain threshold conditions are met and that the firm will continue to meet certain minimum standards before granting any authorisation. The regulators must come to a decision within six months of the date on which they receive the completed application.

Applications to the FCA only follow a similar structure; however, the FCA has sole responsibility for the authorisation process.

Certain individuals performing key functions for authorised firms must also be pre-approved by the FCA or PRA (as appropriate). There are currently two separate approval regimes for FSMA firms: the senior managers regime, which applies to banks, building societies, credit unions and PRA-designated investment firms and which was extended to insurers from 10 December 2018, and the approved persons regime, which, at the time of writing, applies to all other FSMA firms (although the senior managers regime will be extended to all FSMA-authorised firms from 9 December 2019 and will essentially replace the approved persons regime). At present, both regimes extend to directors, partners, officers, senior managers and certain key employees (eg, the money laundering reporting officer and compliance officer). Applications for approval to perform ‘controlled functions’ or ‘senior management functions’ must be made prior to the relevant individual’s appointment, and the PRA and FCA have up to three months to determine an application.

A separate regime applies for payment services firms and e-money institutions. E-money or payment institution authorisation applications must be determined by the FCA within three months. In addition, firms that operate in lower risk environments, such as small e-money institutions and payments firms and consumer buy-to-let firms, may only need to be registered with the FCA.


What statute or other legal basis is the source of each regulatory authority’s jurisdiction?

The FSMA is the basis of the FCA’s and the PRA’s jurisdictions in respect of FSMA-regulated activities and firms. The PSRs and the EMRs are the basis of the FCA’s jurisdiction in relation to the payment services and e-money regimes. Various elements of EU legislation also apply directly in the UK, and the FCA or PRA are empowered as the competent authority in relation to that legislation.

What principal laws and financial service authority rules apply to the activities of financial services firms and their associated persons?

The current regulatory framework in the UK derives largely from the FSMA and its secondary legislation. The main rules applicable to financial services firms are set out in a combination of directly applicable EU legislation (such as the Capital Requirements Regulation, which, at the time of writing, is under review at the EU level) and the handbooks and rulebooks of the FCA and the PRA. The regulators also set out regulatory expectations in non-rule based materials such as policy statements, approach documents, thematic review reports and speeches.

Scope of regulation

What are the main areas of regulation for each type of regulated financial services provider and product?

Firms performing regulated activities in the UK must generally be authorised by (or, for certain firms, registered with) one of the UK financial services regulators unless they benefit from an exemption or exclusion. Once a firm is authorised, the requirements that apply to it vary depending on the types of regulated activities performed.

Most UK authorised firms are subject to regulatory capital requirements, with banks, insurers and investment firms subject to the most stringent capital requirements.

Extensive regulatory rules and guidance also apply to regulated firms under the relevant UK legislation, as well as directly applicable EU laws and the PRA and FCA rules and guidance.

The PRA and FCA rulebooks encompass both high-level standards for conduct, and systems and controls of regulated firms, as well as a number of requirements relating to a firm’s day-to-day business, such as the management of client assets or the disclosures required to be made to clients and counterparties.

UK-regulated firms are under a general duty to inform the UK regulators of a material change in their business, management or of any significant regulatory rule breaches or complaints. In addition, firms are typically required to comply with periodic reporting obligations in respect of their ongoing operations.

Non-FSMA-derived rules also apply to UK-regulated firms, such as the UK Money Laundering Regulations 2017 (MLRs). The FCA is responsible for supervising ongoing compliance with the MLRs, for prosecuting offences under that legislation and for taking enforcement action where a firm’s systems and controls to prevent money laundering are inadequate.

Additional requirements

What additional requirements apply to financial services firms and authorised persons, such as those imposed by self-regulatory bodies, designated professional bodies or other financial services organisations?

Financial services firms and senior managers or approved persons may be subject to the rules and regulations of other professional or self-regulatory bodies. Whether firms are subject to any such rules or regulations, and the nature of those rules or regulations, will depend on the specific firms and bodies in question.


Investigatory powers

What powers do national financial services authorities have to examine and investigate compliance? What enforcement powers do they have for compliance breaches? How is compliance examined and enforced in practice?

Both the FCA and the PRA have a number of powers to investigate and take disciplinary action against firms and individuals who breach regulatory and some legal requirements.

The FCA has significant powers of investigation and information gathering, which it can exercise against authorised firms. These powers are set out in the FSMA, and include powers to:

  • require information and documents from authorised firms and connected persons;
  • require a report on an authorised firm by a skilled person (and in some cases to appoint that person); and
  • appoint both general and specific investigators.

The FCA has a number of disciplinary and enforcement powers, the most commonly used being the ability to issue public statements and censure, and to impose financial penalties. The FCA can also:

  • vary or withdraw a firm’s regulatory permissions, and impose restrictions or suspensions on a firm’s ability to carry on regulated activities;
  • withdraw or suspend an individual’s approval, or restrict them in, or prohibit them from, performing certain functions;
  • apply to court for injunctions in connection with certain matters; and
  • prosecute certain criminal offences, including insider dealing and money laundering offences.

The FCA’s overall approach to enforcement is a strategy of ‘credible deterrence’ (ie, to deter firms or individuals being disciplined from reoffending and to deter others from making similar mistakes). The FCA has published guidance on its policies and procedures and approach to enforcement in its Decision Procedure and Penalties Manual and its Enforcement Guide. The FCA consulted on its approach to enforcement during 2018 and is expected to publish the results of its consultation and undertake a fuller review of its Enforcement Guide in due course.

The PRA has broadly the same information gathering powers as the FCA against PRA-authorised firms and connected persons, and can also require the provision of skilled persons reports (and to appoint skilled persons) and appoint investigators.

Like the FCA, the PRA has enforcement powers, although it is only able to impose penalties on PRA-authorised firms. The PRA has published statements of policy and procedures detailing how it will exercise its powers to impose financial penalties and suspensions, or impose restrictions on firms or approved persons.

Disciplinary powers

What are the powers of national financial services authorities to discipline or punish infractions? Which other bodies are responsible for criminal enforcement relating to compliance violations?

See question 9. Various other bodies are responsible for compliance enforcement in the UK, depending on the relevant legal or regulatory requirement. For example, the Information Commissioner’s Office is the regulatory authority responsible for enforcement of breaches of UK data protection legislation, while the Office of Financial Sanctions Implementation (part of HM Treasury) enforces financial sanctions in the UK.


What tribunals adjudicate criminal and civil financial services infractions?

The FCA and PRA each have an internal decision-making process that applies in the context of enforcement action.

The FCA’s Decision Procedure and Penalties Manual provides guidance on the nature and procedure of the FCA’s Regulatory Decisions Committee, which is (in most cases) responsible for deciding whether to take enforcement action following an investigation. In August 2018, the Bank of England introduced an Enforcement Decision-Making Committee in respect of contested PRA enforcement actions.

Decisions taken by the FCA or PRA may be referred by firms and individuals to the Tax and Chancery Chamber of the Upper Tribunal, which is a separate tribunal rather than part of the High Court.

A criminal prosecution brought by the FCA or PRA would be instituted in the criminal courts in England, Wales or Northern Ireland.


What are typical sanctions imposed against firms and individuals for violations? Are settlements common?

Typically, fines are levied by the PRA and FCA against firms for violations. Discounts are ordinarily applied where firms cooperate with the regulators and for early settlement. In 2018, the FCA imposed fines of approximately £60.5 million, including a fine of £32.8 million levied against Santander UK plc for governance breaches and the unfair treatment of customers in relation to serious failings in its probate and bereavement process.

Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

Regulated firms are required to have in place systems and controls to ensure that they comply with applicable laws and regulatory requirements. The nature of these controls and compliance programmes varies depending on the size of the firm and the regulated activities performed.

Compliance requirements are set out in a combination of legislation, including directly applicable EU legislation, and in FCA and PRA rules and guidance. There are also a number of ways best practice may be conveyed to firms, including through ongoing supervision and as a result of thematic reviews undertaken by the FCA.


How important are gatekeepers in the regulatory structure?

In recent years there has been a heightened focus on improving individual accountability for individuals working in financial services.

Senior individuals at FSMA firms performing certain key functions have to be pre-approved by the PRA or FCA (as appropriate), whether pursuant to the senior managers regime or the approved persons regime, depending on the firm type (however, as discussed in question 4, the senior managers regime will be extended to all authorised firms from December 2019). These functions broadly cover roles where individuals have managerial responsibility for a firm’s affairs. Examples of individuals that need to be pre-approved include individuals performing executive director roles, the head of the internal audit function and the individual responsible for compliance oversight. Financial institutions are expected to perform due diligence on prospective senior managers in advance of appointing these individuals. These approved individuals are subject to FCA or PRA conduct rules.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

In addition to the high-level requirements imposed on senior managers or approved persons by the FCA or PRA, directors of financial institutions incorporated as companies in England are subject to high-level general and fiduciary duties set out in the Companies Act 2006. In particular, they are required to promote the success of the company, exercise independent judgement and exercise reasonable care, skill and diligence.

When are directors typically held individually accountable for the activities of financial services firms?

Senior managers have a duty of responsibility under the senior managers regime. The FCA and the PRA can take action against senior managers if:

  • they are responsible for the management of any activities in their firm in relation to which their firm contravenes a relevant requirement; and
  • they do not take the steps that a person in their position could reasonably be expected to take to avoid the contravention occurring (or continuing).

The burden of proof lies with the regulator to establish that a contravention has occurred and that the senior manager did not take the steps that an individual in his or her position could reasonably be expected to take to avoid the contravention occurring. The FCA and the PRA have produced separate but largely consistent guidance outlining how a senior manager should behave to comply with their duties of responsibility.

The duty of responsibility for senior managers is supported by conduct rules, which prescribe a base level of good conduct for staff. The FCA’s conduct rules in respect of individuals at firms subject to the senior managers regime are set out in the Code of Conduct sourcebook, and the PRA’s rules are set out in the Conduct Rules Part of the PRA Rulebook. The duty of responsibility will apply to all senior managers at all authorised firms when the senior managers regime is extended later this year. At present, approved persons are similarly subject to conduct rules set out in the FCA’s Statements of Principle and Code of Practice for Approved Persons. The regulators can take disciplinary action against individuals for non-compliance with the conduct rules.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

Section 138D of the FSMA establishes a statutory right for certain private persons who suffer loss as a result of contravention by an authorised firm of an FCA or PRA rule to bring an action for damages, subject to the defences for breach of statutory duty (such as contributory negligence). There is a presumption that breach of an FCA rule is actionable unless the rule states to the contrary, whereas a PRA rule must expressly provide that it is actionable.

Customers may also be able to bring claims against investment firms in contract or tort where there has been a breach of a regulatory rule or requirement, and courts may look to the scope of regulatory rules to inform the scope of common law duties owed by investment firms to clients.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

Financial services firms are subject to high-level requirements to treat their customers fairly and to act in the best interests of clients, and a high standard of care applies to financial services firms when dealing with retail customers. Categorisation as a retail client offers the most protection to customers and imposes the most requirements on financial institutions dealing with such clients in terms of communication, disclosure and transparency.

Retail clients also benefit from the additional protections offered by the Financial Ombudsman Service, a UK ombudsman that considers and settles disputes between consumers and financial services businesses, and the Financial Services Compensation Scheme, a UK compensation scheme for customers of insolvent UK financial services firms.

In addition, a ring-fencing regime around retail deposits held by UK financial institutions applies from January 2019. Its aim is to separate certain core banking services critical to individuals and small and medium-sized enterprises from wholesale and investment banking services, in order to insulate retail customers and smaller businesses from the possible failure of the investment banking entity.

Does the standard of care differ based on the sophistication of the customer or counterparty?

Yes. Both EU legislation (MiFID II) and the various UK regulatory regimes recognise that investors have different levels of knowledge, skill and expertise and that the regulatory requirements should reflect this.

Banks and investment firms are required to categorise clients into retail clients, professional clients and eligible counterparties. Different regulatory protections apply for each of these categories, with those falling within the retail category (the less experienced, knowledgeable and sophisticated investors) afforded a higher level of protection than investors in the other categories.

In addition, the PSRs allow payment institutions to disapply some of the conduct and information requirements set out in the regulations when dealing with certain corporate clients.

Rule making

How are rules that affect the financial services industry adopted? Is there a consultation process?

At present, rules that affect the financial services industry in the UK encompass EU legislation, formal guidance issued by certain EU bodies such as European Supervisory Authorities, UK legislation and FCA and PRA rules and guidance.

The process for adopting rules and regulations, including whether a consultation is required and the manner of that consultation, depends on the nature of the rule being adopted. Generally, though, consultations are undertaken in respect of rules that will significantly affect the financial services industry.

The way and the extent to which EU legislation will apply to or be implemented in the UK in the future will differ depending on whether the UK and the EU can conclude a withdrawal agreement before the UK leaves the EU as currently planned for 29 March 2019. If no withdrawal agreement is agreed, provisions in the European Union (Withdrawal) Act 2018 will retain most existing EU law as a new body of UK law and the UK would then decide whether to reflect post-exit changes to EU law in UK law. If a withdrawal agreement is agreed, it is likely that there would be a transition period during which EU law would continue to apply as though the UK remained a member of the EU. It is possible that the financial services industry will be affected by the terms of any longer-term free trade arrangement entered into between the UK and the EU, although such arrangements do not typically contain detailed provisions on financial regulation.

Cross-border issues

Cross-border regulation

How do national financial services authorities approach cross-border issues?

While the UK remains part of the EU, EEA-authorised financial institutions are generally able to operate in the UK without the need for a separate authorisation, pursuant to a cross-border services passport or a branch passport. This ‘passporting’ regime allows EEA-authorised financial services firms to conduct business for which they are authorised in their home state in the UK and vice versa, without seeking a separate UK licence. Passporting is subject to a notification procedure between the EEA financial institution, the EEA home state regulator and the relevant UK regulator, which requires the home state regulator to verify that the firm meets certain specified conditions.

Foreign financial institutions incorporated outside the EEA are able to operate in the UK by establishing a UK-authorised branch or subsidiary, or alternatively may operate without a UK authorisation in reliance on certain overseas persons exemptions. These exemptions allow overseas firms to provide certain financial services to UK customers on a cross-border basis, although they only apply to certain regulated activities (including dealing in investments, arranging transactions, advising on investments and certain mortgage-related activities) and come with strict conditions preventing the overseas firm from having a physical presence in the UK.

International standards

What role does international standard-setting play in the rules and standards implemented in your jurisdiction?

Generally the UK seeks to implement international standards. EU and international regulatory policy and standards, and their implementation, supervision and enforcement in the UK, are integral to the remits of the FCA and the PRA. The FCA also engages regularly with a wide range of European and international counterparts and stakeholders to enhance cooperation, share best practice and discuss issues of common interest.

Update and trends

Recent developments

Are there any other current developments or emerging trends that should be noted?

With ongoing political uncertainty in the UK, it is difficult to predict the future of the UK’s relationship with the EU. The withdrawal agreement that was agreed between the EU and the UK but rejected in January 2019 by the UK parliament provided for a transitional period that would cover the legal and regulatory framework applicable to financial institutions. At the time of writing, both the UK and the European Commission are intensifying preparations for a ‘no-deal’ scenario where the UK leaves the EU without a ratified withdrawal agreement in place. The European Commission has reiterated that financial institutions that wish to provide banking or insurance services in the EU after Brexit should take steps to be properly authorised by the date of withdrawal, including by establishing a presence in the EU27.