General

FCA regulatory sandbox: cohort 6 open for applications

The Financial Conduct Authority (FCA) has opened applications from firms to cohort 6 of its regulatory sandbox. The sandbox is open to authorised firms, unauthorised firms that require authorisation and technology businesses looking to deliver innovation in the UK financial services market. Read more in our separate bulletin.

Cryptoassets: FCA AML/CTF regime

The FCA has published a webpage on its role as the anti-money laundering (AML) and counter-terrorist financing (CTF) supervisor, from 10 January 2020, of UK cryptoasset businesses under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

On its webpage, the FCA gives information for cryptoasset businesses. In particular, the FCA describes the scope of cryptoasset activities for this purpose, the registration requirements, steps and timeline, and the FCA's approach to supervision and enforcement.

As part of its implementation of the Fifth Money Laundering Directive in the UK, HM Treasury will amend the Money Laundering Regulations 2017 (MLRs) to reflect the FCA's new role. HM Treasury published a consultation on its proposals in April 2019. The FCA indicates that it will update the new webpage once the Treasury publishes its policy statement.

IT failures in the financial services sector: House of Commons Treasury Committee report

The House of Commons Treasury Committee has published a report on IT failures in the financial services sector. The report follows the Committee's inquiry, launched in November 2018, following a number of high profile IT failures in the industry.

The Committee's observations and recommendations include:

  • further regulatory intervention is needed to improve the operational resilience of the financial services sector. Regulators must give as much prominence to regulating operational risk and resilience as they currently afford to regulating prudential and conduct risks;
  • financial services providers must treat their ability to manage and prevent incidents with a level of seriousness appropriate to the significant impact when incidents occur;
  • the Committee is concerned about the lack of consistent and accurate recording of data on operational incidents. The regulators should conduct an exercise to assess the accuracy and consistency of incident reporting. If necessary, the regulators should clarify standards, guidance and definitions for industry on what incidents firms should both record and report. They should also consider the need to expand current reporting requirements, to cover broader services provided by firms;
  • the regulators should require clearer and more prominent public reporting to empower customers to make informed decisions regarding which provider they use, and to increase firms' focus on operational resilience. Where firms already publish incident information, this should be given greater prominence in information made available to prospective and existing customers, such as that given to wait times and complaints, which are visibly displayed in bank branches for all to see;
  • the regulators should publish further guidance for firms on how their different operational resilience requirements interact, and their expectations of firms when implementing them. This should be done as the policy is developed, and not after firms have begun implementation;
  • the regulators should set out publicly how they intend to measure the effectiveness of future policy in this area;
  • the Committee urges the regulators to prioritise the publication of their final policy and guidance on operational resilience (following their July 2018 Discussion Paper). In responding to this report, the regulators should set out their upcoming timetable for publication;
  • the regulators should provide clear guidance to firms on their expectations around the definition of business services and the level of impact tolerances. While the regulators' current expectation is that firms would set their own impact tolerances, ultimately firms must not be allowed to set tolerance for disruption too high;
  • in response to this report, the regulators should describe extreme scenarios under which firms would not be expected to meet their own impact tolerance, and what the regulatory response would be to protect consumers from harm in such scenarios;
  • where a firm's response proves ineffective and there is a risk to the regulators' objectives, the regulators must be willing and able to take appropriate action to mitigate risks to their objectives;
  • the regulators must use the enforcement tools at their disposal to hold individuals and firms to account for their role in IT failures and poor operational resilience. The regulatory mechanisms to ensure accountability for failures must have teeth, and equally as importantly, be seen to have teeth. The Committee raises concern that there have been no successful enforcement cases against individuals following IT failures under the Senior Managers Regime (SMR) and that this may evidence an ineffective regime. The regulators should consider whether there are any barriers to the effective operation of the regime, and whether any changes to the requirements or standards are necessary to ensure that individuals can be held accountable. If future incidents continue to occur without any sanction to individuals under the SMR, the Committee and Parliament will have to consider whether the powers it has given to the regulators are fit for purpose;
  • the regulators must provide a full report of their investigation into the TSB incident in their response to this report, or provide an update on timelines and issue the full report as soon as possible;
  • remuneration structures throughout firms should reflect the importance of operational resilience. If the regulators observe that firms are not adequately taking operational performance into account, they must intervene;
  • it is vital that senior management at financial market infrastructure (FMI) firms are accountable for their management of operational incidents. The government should expand the SMR to include FMI firms supervised by the Bank of England;
  • the Committee expects the regulators to increase their staff capability to supervise IT operational resilience, particularly at the more senior levels. The regulators should increase financial sector levies to ensure they can hire the staff with the expertise they need;
  • firms must ensure their systems are robust and, particularly for legacy systems, their use remains appropriate. Regulators should have a strong framework to oversee firms' assessments and challenge these where necessary, including by commissioning independent section 166 skilled person reviews;
  • as a matter of urgency, firms should address any issues identified in their risk management, including ensuring that they have sufficient skills and experience to manage change. The regulators should ensure that best practice and lessons learnt from past change projects are disseminated to the industry;
  • the regulators must also review their approach to supervising firms' large-scale change programmes to ensure that proactive intervention is possible ahead of IT failures, so that customers are protected. This should include the level of engagement with firms, the level of specialist resource required, and the degree of assurance sought;
  • if the regulators are not observing a good standard of management of third parties by regulated firms, the Committee says they should amend, as appropriate, their rules or guidance to prompt an improvement;
  • the regulators should reconsider the case for conducting a sector mapping exercise to identify and continually monitor the risks of common critical service providers and interconnectivity in the financial services sector;
  • where the regulators identify that third-party providers are becoming a potential source of concentration risk, they should highlight this risk and consider whether action is required to mitigate it. Where common providers are systemic, and concentration risk is high or becoming high, the Financial Policy Committee should in each case consider recommending to the Treasury that these should be regulated, as the Financial Policy Committee has done for FMI. Specifically, the government should urgently consider how best to regulate cloud service providers;
  • the regulators should ensure they have the capability and capacity to monitor the use of new technologies in the financial services sector. Regulators must also assess whether firms are rolling out new technologies before they have proven their resilience;
  • the Committee urges the regulators to set clear guidance for the sector relating to the potential downsides of technology, such as discrimination in the use of artificial intelligence;
  • the Committee urges the government to consider the review of the payments landscape as a priority, and requests that the government set out the scope and timelines for the review in response to this report;
  • if the regulators have identified specific risks from IT failures in sectors other than banking and payment services, they should briefly set out in their response to this report how these risks are being identified and mitigated;
  • the Committee expects the regulators to ensure that firms are focussed on recruiting the right skills and experience for their boards and senior management and that they are developing diverse pipelines of talent for the future;
  • the Committee expects the regulators to set out, in their response to this report, their plans to build on their existing work facilitating industry collaboration;
  • in the absence of market initiative, the regulators should take stronger action to foster market solutions, or to enforce regulatory ones, to mitigate the risks of severe operational disruption, for example, in the use of sector exercises;
  • to drive up standards, the regulators, or industry bodies, should issue best practice guidance against which firms can assess their own procedures;
  • firms should not unnecessarily delay or withhold information given to customers, even where reports of an incident may risk their reputation. It should not be left to a firm's discretion as to whether to communicate to customers or not. If in rare circumstances there is a valid reason not to inform customers, this should require regulatory permission, and must not cause greater harm to customers. Where communications are ineffective, or in major incidents where there is the need for a central source of trusted information, the regulators should step in; and
  • given increasing demand on complaints teams following an incident, firms must be able to quickly scale up their capability. The FCA must ensure that firms are resolving complaints and awarding any compensation quickly and take action where this is not the case.

