What’s in store for firms in 2020? In our first newsletter of 2020, we mentioned that pace of regulatory changes seems to continue unabated. Here, we list a few of the things we believe will need to be addressed.

MiFID II
On its second birthday, the application of MiFID II is moving, in the regulator’s eyes, towards being “business as usual”. As such, we believe that, in the year ahead, the FCA is likely to increase supervisory (and potentially enforcement) focus in areas which may adversely impact retail investors, including but not limited to costs & charges, inducements and conflicts management.

It’s also worth mentioning that a review of several important aspects of MiFID II is being undertaken, and changes to legislation and/or guidance may be on the cards. The key changes being considered are:

• Regulation in relation to costs and charges statements;
• A mandate for producing guidelines for product governance.

Some specific questions to consider …

Aggregated costs
Are you producing your own costs and charges statements (in addition to the costs and charges produced by platforms)?

Is there management oversight of how the costs and charges are calculated? Could you explain this if asked?

PROD
Do you know if you are considered a manufacturer, a distributor, both? Have you segmented your client base to a sufficiently granular level? Do you know why the platform(s) used are compatible with your client segments? Do you know why your ongoing service is appropriate, proportionate and value for money for each of your client segments?

SM&CR
By the end of 2020, almost all staff who work in financial services will be expected to meet minimum standards of behaviour. The key milestone is 9 December 2020. This is the date by which:

• all staff in a certified role should have been assessed and certified;
• all staff (other than ancillary staff) must have been trained on the individual Conduct Rules. This training should give individuals an in depth understanding of the practical application of the specific rules which are relevant to their job.

(NB – Senior Managers, Certified Persons and Non-Executive Directors are already subject to the Conduct Rules which apply to them).

The FCA has already undertaken a review of the implementation of the SM&CR in the banking sector. The review found significant weaknesses in its implementation. And it is worth noting that there was a particular focus on the Conduct Rules, so firms should treat this aspect seriously. The review might well be worthwhile reading.

We think it likely that 2020 will be about allowing solo regulated firms that came under the SM&CR in December 2019 to embed its implementation into the business. However, firms that were already subject to the SM&CR can expect increased scrutiny.

The SM&CR is likely to be evolutionary rather than revolutionary and firms will need to respond to additions to the regime if and when regulators identify areas requiring specific oversight. For example, we are aware that the FCA and PRA have asked for a Senior Manager at some firms to be allocated responsibility for new roles (e.g. resolution assessments). This suggests that the regime will be extended as and when ‘gaps’ are identified.

Last, but not least, all SM&CR firms will need to start uploading data about in-scope individuals to the new FCA Directory. You can read more about the Directory here.

Culture
During 2019 there were a number of enforcement decisions published by the FCA that illustrate how poor workplace cultures pose a risk to consumers.

A quick look at the final notices identified:

• The risks inherent in sales cultures – in particular in relation to aggressive incentive schemes;
• A firm being fined in respect of delays in reporting suspected fraud, which arose, in part, from a workplace culture where there was insufficient challenge, scrutiny or inquiry.

This scrutiny on misconduct is set to intensify, in particular with the implementation of SM&CR and the Conduct Rules.

There has been a lot of commentary last year in the financial press about FCA becoming involved in sexual harassment cases and the unethical use of confidentiality clauses and non-disclosure agreements (NDAs).

In the articles and commentary, FCA have been clear that the way in which a firm deal with allegations of this type of behaviour is potentially as relevant to its assessment of that organisation as the way in which it deals with any other type of misconduct.

From a Government legislation perspective, the response in relation to sexual harassment in the workplace and the misuse of NDAs could include:

• New legislation to tackle the misuse of NDAs;
• The likely introduction of a mandatory duty on employers to protect employees from workplace harassment;
• A statutory code of practice on sexual harassment being launched early in 2020;
• Employers being made liable for acts of harassment by third parties (e.g. customers and clients) also appears likely.

Whistleblowing
The EU Whistleblowing Directive was adopted by the EU Council in October 2019. This Directive will require companies with over 50 employees to create a channel for whistle-blowers to report, whilst also introducing safeguards to protect them from retaliation. Breaches relating to financial services are in scope of the Directive.

The directive will require firms to respond and follow up any whistle-blower’s report within three months (6 months in some cases). The Directive must be implemented into national law by each member state by  17 December 2021, though the internal reporting channel provision will not apply until December 2023.

However, the UK Government has stated that the Directive will NOT be transposed into UK law as the UK is leaving the EU. In addition, the UK already has legislation around whistleblowing and protecting individuals who whistleblow. The UK legislation has been criticised in a number of respects and might well be amended as a result. Meantime, the FCA Handbook contains rules and guidance that firms must implement in relation to whistleblowing.

Operational resilience
Operational resilience is the ability of financial services firms to respond to, and quickly recover from, disruption to their business, regardless of the cause. This risk has increased over the past few years following a number of high-profile incidents of disruption to financial service firms. As a result, regulators have called on firms to change the way they prepare for and manage disruptive event. Most likely events include:

• Cyber attack;
• IT systems upgrade;
• Failure of third party service provider;
• Data breaches.

There is no single set of requirements in relation to operational resilience. Instead, it is imposed by a variety of legislation including the Capital Requirements Regulation (CRR), Markets in Financial Instruments Directive (MiFID) etc. and the requirements contained within on risk management, outsourcing, systems and controls, communication plans and business continuity plans.

It’s important to note that the FCA is currently consulting on proposed rules and draft guidance. The consultation paper can be viewed here. Firms have until 3 April 2020 to provide feedback.

That the regulators consider this aspect as a serious are of concern can be seen from the fact that the PRA has several enforcement cases underway against Senior Managers for IT failures.

The FCA has given some insight into how they will test firms’ systems and controls. The intention is to use regular CBEST testing (a type of penetration test) for a larger number of firms in 2019/20. We think it is likely that the aggregated findings from those tests will feed into the regulators’ policies and indicators of good and poor practice.

The Fifth Money Laundering Directive (5MLD)
Key issues for firms include:

• Each Member State will have to issue a list setting out which functions qualify as “prominent public functions”. These lists are designed to make it easier for smaller compliance teams, or those with lower volumes of customers, to identify the PEPs that they should be screening against and monitoring for ongoing changes to risk. It might be worthwhile checking in with your electronic provider of PEPs and Sanctions checks whether these lists will be factored into their checks;
• The EU will produce a list of high-risk third countries where obligated entities will have to carry out Enhanced Due Diligence (EDD). Firms that have non-UK clients should ensure they obtain a copy of these lists so they can check them against their client bank.

We believe that the FCA Enforcement team will want to progress its AML work in 2020. In March 2019 it had 12 more open AML/ financial crime investigations than it had the year before. It’s also worth noting that the FCA has stated that they are keen to use their full range of powers. Accordingly, it is likely that they will open AML investigations on a dual-track civil and criminal basis.

There have been some notable enforcement actions recently:

• One firm was fined £102 million (the FCA’s second largest ever fine);
• £76,400 fine against a former CEO.

It’s also worth noting that Financial Crime related issues took the largest share of FCA Skilled Persons appointments in the year to March 2019.