Looking back, thinking forward


1 Looking back, thinking forward. 31 January. PRECISE. PROVEN. PERFORMANCE.

2 Welcome & Introduction. Tim West

3 Agenda
- Looking back
- Thinking forward
- General Data Protection Regulation (GDPR)
- MiFID II
- The Second Payment Services Directive (PSD2)
- SM&CR
- Q & A
- Summary
- Questions
- Close

4 Looking back: Regulatory change in 2017 and into 2018
- MiFID II
- MLD4
- FCA Perspective: Asset Management Market Study, Consultation Papers, Policy Statements, Enforcement/s.166, Business Plan

5 Roadmap
- Brexit (March 2019): Operational, Passporting, Territorial Scope
- SM&CR: All firms, Accountability, Governance, Organisation
- GDPR: Data Security, Privacy, Information Flow, IT Security
- PSD2 / MLD 4 (June 2017): AML framework, PEP Classifications, Systems and Controls, Cyber crime, Authorisation
- MiFID II: Market Structure, Reporting, Investor Protection

6 Thinking forward: Regulatory landscape in 2018/19
- GDPR
- MiFID II further developments
- PSD2
- SM&CR
- Brexit

7 General Data Protection Regulation (GDPR) Update. Chris Beveridge. 2017 Moore Stephens LLP

8 What is data privacy and personal data?
- Data Privacy: Information privacy, or data privacy (or data protection), is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.
- Personal Data: Personal data means data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

9 Why is privacy important?
- Technological change is affecting the customer experience more and more. Think about how much customers can now do within the financial services environment that involves the processing of their personal information.
- Individuals require more assurance that their personal data is secure and not being used for anything outside the specific reason it was collected.
- Reputational damage is very important in the financial services sector.

10 Current regulatory requirements
Data Protection Act: important principles to remember that won't be disappearing under the GDPR:
i. Data used fairly
ii. Specific purpose
iii. Adequate
iv. Accurate
v. Retention
vi. Rights of the individual
vii. Security
viii. International

11 The General Data Protection Regulation (GDPR)
- Adopted by the European Commission in April 2016
- Dubbed the biggest shake-up of data protection laws for 20 years
- Organisations around the globe have until 25 May 2018 to fully comply with the new GDPR regulations
- Non-compliance could result in considerable fines being issued: €20m or 4% of global turnover
- Designed to strengthen and unify data protection for individuals within the EU. Its primary objective is to give citizens back control of their personal data, along with simplifying the regulatory environment for international companies.

12 GDPR Considerations: what do firms need to be aware of?
- Increased territorial scope
- Penalties
- Data processors
- Consent
- Breach notification
- Data portability
- Subject access requests
- Right to be forgotten
- Data protection by design
- Data protection officers

13 What can you do now to best prepare?
- Be aware: what personal information do you currently hold? Information audit?
- Review and ensure privacy notices are up to date
- Individuals' rights: how would you deal with deletion and data portability requests?
- What procedures do you have in place to handle subject access requests?
- Document the legal basis for processing the information you control.
- Think about how you are requesting, obtaining and recording consents.

14 What can you do now to best prepare?
- Personal data held on children needs to be considered.
- Consider the current procedures in place to detect, investigate and report data breaches.
- Undertake privacy impact assessments on any new systems planned.
- Ensure you have a DPO or designated data controller within your organisation who takes control of GDPR compliance issues.
- If you operate internationally, consider which data protection authority you may fall under in addition to GDPR requirements.
- Have you assessed the adequacy of the jurisdiction you are sending information to?

15 Questions or comments? Christopher Beveridge, Associate Director & Privacy Lead. E christopher.beveridge@moorestephens.com T +44 (0)

16 MiFID II. Giovanni Giro

17 MiFID II areas of impact
MiFID II impacts the entire working and operating model of firms:
- Governance, oversight and risk management
- Client categorisation
- Suitability and Appropriateness
- Product governance
- Best Execution
- Post-trade transparency
- Transaction Reporting
- Investor protection
- Execution
- Transparency
- Conflicts of interest
- Telephone recording
- Safe custody of client assets
- Inducements and research
- Costs and charges disclosure
- Client reporting
- Record-keeping

18 MiFID II key challenges: investor protection
Client categorisation:
- Identify who the firm's clients are
- Local public authorities are to be treated as retail clients by default
- Firms without retail permission must re-categorise clients as professional clients or eligible counterparties
- Consider the client base and re-assess the permission profile
Suitability: client interactions
- Extended suitability assessment criteria
- All advisory firms will need to provide a suitability report with prescribed content and time of disclosure
- Guidance on suitability assessment for a legal person or group of entities
Appropriateness: specific rules for MiFID activities
- Firms are required to record the outcome of appropriateness assessments for 5 years
- Appropriateness questionnaires to be reviewed
- Exemption where the firm offers a limited range of non-complex investments

19 MiFID II key challenges: investor protection, governance
Product governance:
- MiFID II has placed greater focus on product manufacturers and distributors
- Firms must identify whether they are manufacturer, distributor or both
- Manufacturers must complete their target market analysis with sufficient granularity
- All information on products and services must be available to distributors
Telephone recording:
- Firms must understand the scope of application and which conversations are relevant
- Possible exclusions for portfolio managers and AIFMs, subject to conditions
- Extension of the requirement to new types of firms, including corporate finance
- Firms must consider the importance of monitoring calls

20 MiFID II key challenges: investor protection, research as inducement
Research unbundling:
- Identify what represents research
- Breakdown of services provided to include separation of execution from research
- Firms may pay for research out of their own P&L or create Research Payment Accounts
- Execution agreements and CSA arrangements to be reviewed
- Research budget to be disclosed through terms of business or website
Extraterritoriality:
- 3 month grace period for brokers to provide free research as an acceptable Non-Monetary Benefit
- ESMA considers group-wide scope of receiving research

21 MiFID II key challenges: execution
Best Execution:
- Firms must understand the scope of the definition of execution
- Ability to assess Best Execution, especially in illiquid asset classes
- Firms may implement qualitative or quantitative scorecards, including all execution costs
- Investment Managers executing through one venue only must be able to justify this choice
- CFD firms require bespoke solutions as execution venues trading OTC (as principal)
- Firms will need to comply with RTS 27 or RTS 28
Inducements (execution):
- A firm cannot pay to, or accept from, any party other than the client any fee, commission or non-monetary benefit in connection with the provision of an investment service or an ancillary service (impacts IBs)
- Only acceptable if the payments enhance the quality of service to the client and the firm acts in accordance with the best interests of the client
- Full disclosure of any acceptable fees, commissions or benefits
- Greater restrictions for advising and portfolio management
- Very limited scope for sourcing clients through IBs and affiliates

22 MiFID II key challenges: transparency, client disclosures
Costs and charges disclosure:
- Firms to follow requirements and guidance to build bespoke disclosure templates
- More clarity now thanks to EFAMA forms and recognised guidelines
- Breakdown by product costs and service costs
- Partial overlap with PRIIPS disclosures
Client reporting:
- Firms to provide regular information about the services offered to clients
- Depending on scope it can be generic or detailed
- Mandatory updates on any depreciation equal to or greater than 10% of investment

23 MiFID II key challenges: transparency, reporting
Transaction Reporting:
- Transaction Reporting seen as a priority
- Harmonisation through the use of LEIs
- Some firms have not considered systems compatibility and dealing with rejections
- Firms should have a governance structure in place
- ESMA's temporary grace period from 3 January 2018: six months to trade with a client without an LEI, provided the client gives the trading firm a mandate to acquire the LEI on their behalf.
Post-trade transparency:
- Uncertainty around scope of application
- Relevant to specific types of firms defined as a trading venue, market maker, Systematic Internaliser etc.
- For firms in scope, timeliness is essential

24 Looking forward to 2018
Firms should continue to work on MiFID II implementation.
Systems and controls:
- Updating policies and procedures with changes under MiFID II as soon as possible
- Building strong Compliance Monitoring Programmes (CMPs) to ensure on-going compliance
- Dealing with key topical implications (e.g. Best Execution and annual publication)
- Training staff on changes due to MiFID II and monitoring their performance periodically
Client outreach:
- Updating client agreements and other client-facing documents to meet MiFID II requirements
- Putting resources (or systems) in place to ensure periodic reporting to clients
IT:
- Analysing data privacy implications and secure data transfer protocols (in line with GDPR)
- Performing system compatibility testing (e.g. Transaction Reporting)
- Identifying the right technology solution through detailed vendor due diligence (e.g. telephone recording)
- Monitoring and testing business continuity

25 The Second Payment Services Directive (PSD2). Wajid Latiff

26 Introducing PSD II
PSD I was transformative: it changed the payments landscape. PSD II seeks to secure and build on that achievement by:
- Introducing Third Party Service Providers
- Expanding the scope of transactions to include one-leg-out transactions
- Access to the information on consumers' payment accounts (with consent)
- Enhancing payment security
- Managing operational and security risks
- Payment fraud
- Ensuring PIs have access to bank accounts
- Complaints

27 The road to implementation
- PSD II is a maximum harmonisation directive
- Implemented in the UK through the Payment Services Regulations 2017
- Came into effect on 13 January 2018
Timeline: PSD II published in the Official Journal; FCA Call for Input; EBA consultation for RTS; HMT and FCA response on implementation; EBA publish RTS; Member States to complete transposition; Strong Customer Authentication (2019).
Scope of impact on firms: expected to impact an estimated 1,550 existing firms and bring new firms into scope.

28 The Payments Services Landscape (around PSD II)
- SoIP (Security of Internet Payments): replaced by the EBA Regulatory Technical Standards on Strong Customer Authentication and Secure Communication.
- NISD (Network and Information Security Directive): introducing a higher common level of cyber security in the EU.
- 4MLD (4th Anti-Money Laundering Directive): risk-sensitive anti-money laundering policies, procedures and internal controls.
- IFR (Interchange Fee Regulation): bans merchants from surcharging consumers.
- GDPR (General Data Protection Regulation): significant overlaps between the GDPR and PSD2.

29 Current Challenges
- New firms in scope unaware of the regulatory requirements
- Fraud and Financial Crime
- IT, Cybersecurity and Technological risks
- Complying with GDPR

30 Fraud and Financial Crime
Fraud:
- Safeguarding of sensitive data.
- Enhanced security requirements for Third Party Providers (TPPs): Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs)
- Collection of statistical data on fraud relating to various means of payment and management.
Financial Crime:
- Institution-wide Financial Crime Risk Assessment.
- The Internal Control Environment to comply with the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLRs) and the EU Funds Transfer Regulations.

31 IT Security, Risk Mitigation and Business Continuity
IT Security:
- Operational and security risk management and incident reporting
- Strong customer authentication and secure communication
- Security policies and procedures.
Risk Assessment:
- Risk assessment in relation to payment services.
Business Continuity:
- Responding to significant continuity events and disruptions

32 FCA Supervision
Role of the FCA:
- The Retail Banking Division supervises around 2,000 firms.
- Since implementation of PSD II, the FCA are planning to supervise up to 200 AISP/PISPs.
- 3 pillar approach: Pillar 1, proactive supervision for the biggest firms. Pillar 2, event-driven, reactive supervision of actual or emerging risks according to our risk appetite. Pillar 3, thematic work that focuses on risks and issues affecting multiple firms or a sector as a whole.
Role of the Payment Systems Regulator:
- Responsible for monitoring compliance with Regulation 61 (Information on ATM withdrawal charges) and Part 8 (Access to payment systems and bank accounts) of the PSRs 2017 in the UK, and taking enforcement action where appropriate.

33 What does this mean for Payment Institutions?
- Use of the Customer Contact Centre as the firms' supervisors
- Direct feedback on particular events
- Sector-wide or firm-specific feedback after sector reviews
- Communication and education

34 Looking back
- Assessment of business model for both existing and new firms
- Fraud, security and risk management
- Assessment of products and services, including opportunities
- Reporting requirements
- Assessment of IT, security and customer interfaces
- Applied for: authorisation/registration; re-authorisation/re-registration

35 Looking forward
- Provide training on: the revised Payment Services Regulations, Financial Crime, Data Protection
- Maintain enhanced reporting mechanisms for incident reporting
- Periodic IT assessment
- Cyber threats
- Technological advances: get on board or get left behind
- Firm visits and thematic reviews
- Exiting the EU

36 The Senior Managers & Certification Regime. Andrew Jacobs

37 The background and timeline for the Senior Managers & Certification Regime (SM&CR)
Timeline: Banking Reform Act; HMT Policy Paper; effective date of SM&CR for Banks and SIMR (2016); FCA Consultations; 2019/20 target introduction date for the extended SM&CR.

38 Overview of the regime as currently proposed
1) Senior Managers Regime (Senior Managers & NEDs): Statement of responsibilities; Management responsibilities map; subject to Fit and Proper requirements
2) Certification Regime (Certification Functions: supervisors of functions & Material Risk Takers): applicable to those performing a Certification function; annual certification required
3) Conduct Rules (other employees who perform a role not specific to the Financial Services activity of a firm): subject to Conduct Rules; subject to annual declarations
Excluded staff (employees involved only in an ancillary capacity or function): not subject to the Senior Managers or Certification Regime; not subject to the Conduct Rules

39 Scope of the Regime
Limited Scope SM&CR Firms:
- Limited Permission Consumer Credit firms
- Sole traders
- Authorised Professional Firms whose only regulatory activities are in non-mainstream regulated activities
- Internally managed AIFs
Core SM&CR Firms:
- All other firms
Enhanced Scope SM&CR Firms:
- Significant IFPRU firms
- CASS large firms
- Firms with Assets Under Management of £50 billion or more
- Firms with total intermediary regulated business revenue of £35 million or more per annum
Out of scope (general guidance):
- Certain overseas firms operating in the UK
- Payment services firms
- E-money firms
- Appointed Representatives

40 Summary of application of the SM&CR
Area (firm type under the SM&CR: Limited Scope / Core / Enhanced):
1. Senior Managers Functions (> 3 / > 6 / >)
2. Duty of responsibility
3. Prescribed responsibilities
4. Statement of responsibility
5. Responsibility Map
6. Criminal Records checks
7. Regulatory references
8. Handover procedures
9. Overall responsibility function
10. Certification regime
11. Conduct rules

41 The Core Regime: Applicable Elements of the SM&CR
Elements: Senior Management Functions; Certification Regime; Duty of Responsibility; Conduct Rules; Fitness and propriety; References & Criminal Records checks.
- Senior Management Functions (SMF): roles cover the individuals deemed by the FCA to pose the greatest potential risk to consumers or market integrity. The proposed regime for core firms does not include the SMF18 (Other Overall Responsibility) function.
- Statements of responsibilities: Senior Managers in all firms must succinctly and clearly document the scope of their responsibilities in a statement of responsibilities covering the whole lifecycle of a Senior Manager.
- Duty of responsibility: if a firm breaches a regulatory requirement, the Senior Manager with responsibility could be held to account if they failed to take reasonable steps to prevent the breach from occurring or continuing.
- Regulatory references and criminal records checks: past business conduct references / regulatory references covering a six-year period.

42 The Core Regime: Prescribed responsibilities
1) Performance of obligations under the Senior Managers regime, including implementation and oversight;
2) Performance of obligations under the certification regime;
3) Performance of obligations in respect of notifications and training of the Conduct Rules;
4) Responsibility for the firm's policies and procedures for countering the risk of financial crime;
5) Responsibility for the firm's compliance with CASS (if applicable);
6) Responsibility for informing the governing body of its legal and regulatory obligations;
7) Responsibility for an authorised fund manager's value for money assessments, independent director representation and acting in investors' best interests (only applies to AFMs).

43 The Core Regime SMF list
- SMF1 Chief Executive: the person(s) with responsibility, under the immediate authority of the governing body, for the conduct of the whole of the business (or relevant activities).
- SMF3 Executive Director: a director of a firm, other than a Non-Executive Director.
- SMF9 Chair (Non-executive): the person with responsibility for chairing, and overseeing the performance of the role of, the governing body of the firm.
- SMF16 Compliance oversight: the person responsible for the compliance function in the firm and reporting to the governing body on this.
- SMF17 Money Laundering: the person who has responsibility for overseeing the firm's compliance with the FCA's rules on systems and controls against money laundering.
- SMF27 Partner: a partner in a firm, other than a limited partner in a partnership registered under the Limited Partnership Act.
- SMF29 Limited Scope Function (relevant to some Limited Scope Firms only): currently called the Apportionment and Oversight Function under the Approved Persons Regime. It is the person who deals with the apportionment of responsibilities under SYSC R and oversees the establishment and maintenance of controls under SYSC R.

44 Who is in scope of the Enhanced Regime?
Firms subject to Enhanced application:
- Firm with total intermediary regulated business revenue of > £35 million per annum
- Annual regulated revenue from consumer credit lending of £100 million or more
- Significant IFPRU firm
- Mortgage lender (non-bank) with > 10,000 outstanding regulated mortgages
- Large CASS firm
- AUM > £50 billion at any time in the last 3 years
Excluded: Limited scope firms; EEA branches; Non-EEA branches
Core +: Senior Manager Functions; Prescribed responsibilities; Responsibilities map; Handover procedures; Senior manager with overall responsibility for every area, business activity & management function
Transitional criteria: 6 months, Core to Enhanced; 1 year, Enhanced to Core

45 Application of the SM&CR: Enhanced Scope
Area (firm type under the SM&CR: Limited Scope / Core / Enhanced):
1. Senior Managers Functions (> 3 / > 6 / >)
2. Duty of responsibility
3. Prescribed responsibilities
4. Statement of responsibility
5. Responsibility Map
6. Criminal Records checks
7. Regulatory references
8. Handover procedures
9. Overall responsibility function
10. Certification regime
11. Conduct rules

46 SMF list
All Firms (except Limited Scope): SMF1 Chief Executive; SMF3 Executive Director; SMF9 Chair (Non-executive); SMF16 Compliance oversight; SMF17 Money Laundering; SMF27 Partner
Required Functions: SMF16 Compliance Oversight; SMF17 Money Laundering Reporting Officer; SMF29 Limited Scope Function
Enhanced Firms: SMF2 Chief Finance Function; SMF4 Chief Risk Function; SMF5 Head of Internal Audit; SMF7 Group Entity Senior Manager; SMF10 Chair of the Risk Committee; SMF11 Chair of the Audit Committee; SMF12 Chair of the Remuneration Committee; SMF13 Chair of the Nominations Committee; SMF24 Chief Operations Function; SMF18 Other Overall Responsibility

47 Application of SM&CR to Enhanced firms
Core Responsibilities (additional prescribed responsibilities for Enhanced firms):
- 8: Compliance with the rules relating to the firm's responsibilities map
- 13: Developing & maintaining the firm's business model
- 14: Managing the firm's internal stress-tests and information to the FCA
Additional Requirements for Enhanced Firms:
- Responsibilities Map: demonstrates how the prescribed responsibilities have been allocated; provides a collective view of the allocation of responsibilities across the firm
- Proportionality & Record Keeping Requirements
- Duty of Responsibility: keep adequate records of steps taken, including handover certificates and notes; create a policy and procedures about how they will meet the requirement; review and update employment contracts

48 Application of the SM&CR: Limited Scope
Area (firm type under the SM&CR: Limited Scope / Core / Enhanced):
1. Senior Managers Functions (> 3 / > 6 / >)
2. Duty of responsibility
3. Prescribed responsibilities
4. Statement of responsibility
5. Responsibility Map
6. Criminal Records checks
7. Regulatory references
8. Handover procedures
9. Overall responsibility function
10. Certification regime
11. Conduct rules

49 Who is in scope of the Limited Regime?
Firms subject to limited application:
- Sole trader with no employees
- Internally managed AIFs
- Limited Permission consumer credit firm
- Authorised Professional Firms carrying out non-mainstream regulated activities
- Insurance intermediaries not doing insurance intermediation
Who can't be a Limited Scope firm?
- Core & Enhanced regime firms
- Firms that are currently subject to the approved persons regime
- Oil market participants, service companies, subsidiaries of local authorities

50 What are the key differences in limited scope?
Not applicable to Limited Scope firms:
- Prescribed Responsibilities
- Responsibilities maps
- Handover procedures
But the following will still apply to Limited Scope SM&CR firms:
- Some Senior Management Functions
- Certification Regime
- Conduct Rules
- Statement of Responsibilities
- Fit & Proper requirements
- Duty of responsibility
- Criminal records checks
- Regulatory references
Senior Management Functions for Limited Scope firms:
- SMF16 Compliance Oversight: the only mandatory SMF for a sole trader with no employees
- SMF17 Money Laundering Reporting Officer: required in APFs, oil market participants, service companies
- SMF29 Limited Scope Function: all limited scope firms other than a sole trader with no employees

51 The other components of the SM&CR applicable to all firms
The Certification Regime. Certification Functions:
1. Significant Management Functions
2. Proprietary Traders
3. CASS Oversight Function
4. Functions subject to Qualifications
5. Client Dealing function
6. Material Risk Takers
7. Algorithmic Traders
8. Supervisors / Managers of Certified Functions
Conduct Rules. Two tiers of Conduct Rules:
- 1st tier: Individual Conduct Rules
- 2nd tier: Senior Manager Conduct Rules
Contained in the COCON Sourcebook and applicable to all employees and directors other than ancillary staff. Virtually identical to the existing Principles for Business for Approved Persons.

52 Updates to the Consultation
Core and Limited scope firms:
- Conversion process for existing governing and required controlled functions
- Nuances in respect of the Chair function: existing CF1 Directors are automatically converted to SMF3, plus must submit Form A for SMF9 (will hold two functions); existing CF2 holders require a notification to become SMF9.
- Individual Statements of Responsibility (if converted) must be available upon request, but not submitted.
- CF10A, CF28, CF29 & CF30 automatically cease to be approved persons.
- Appointed Representatives (ARs) remain on the register of approved persons.
Enhanced scope firms:
- Submit a conversion notification form to the FCA to map existing Significant Influence functions to SMFs, plus supply individual Statements of Responsibilities and a Management Responsibilities Map.

53 Final Thoughts. Tim West

54 Summary
MLD 4
- Looking back: Adopted all new requirements under the updated 4th MLD, as transcribed into the MLR 2017 and JMLSG
- Thinking forward: Ensure changes are embedded; consider the changes in the UK National Risk Assessment (NRA)
MiFID II
- Looking back: Undertaken a gap analysis and implemented changes across all areas of MiFID II applicable to your firm
- Thinking forward: Conclude implementation of MiFID II changes; assess effectiveness of the work undertaken; look out for further transposition
PSD II
- Looking back: Understood the requirements in relation to the type of activity undertaken in your business; become clear about any existing exclusions which may no longer be applicable
- Thinking forward: Ensure that your applications are submitted in time and complete; examine any and all new compliance requirements
GDPR
- Looking back: Be clear about the data you use and require as a firm; challenged yourself about whether you need all of the data in your organisation
- Thinking forward: Undertake a readiness assessment and plan your response; ensure that you have increased levels of awareness and controls to meet the more stringent requirements
SM&CR
- Looking back: Kept abreast of the developments and the overriding principles, to begin to incorporate them into your firm's culture
- Thinking forward: Plan a timely response from your firm in respect of SM&CR

55 Eyes to the future
In the rear view: directives that have come into force as from 1 January 2017:
- MiFID 2
- MLD4
- FCA Perspective: Asset Management Market Study; Policy Statements; Consultation Papers; Approach Document for the PSRs and the EMRs; Enforcement/s.166; Business Plan
On the horizon:
- The future of CFDs
- FAMR: definition of Personal Recommendations
- Hot Topic: Asset Management Market Study
- Prudential developments: CRD V & CRD for Investment Firms

56 Brexit

57 Questions or comments?