1. Senior Managers and Certification Regime set to replace Approved Persons Regime for all FCA regulated firms


The FCA and Prudential Regulation Authority (PRA) introduced a range of policy changes that aim to increase individual responsibility within the banking and insurance sectors by introducing a new, accountability-driven Senior Managers and Certification Regime (SM&CR) from 7 March 2016. The FCA are now finalising their approach for the extension of SM&CR to all FCA authorised firms.

The new regime focuses on the senior management members who hold key roles or have overall responsibility for specific areas of business within regulated firms. Firms need to:

  • ensure each Senior Manager has a Statement of Responsibilities setting out the areas for which they are personally accountable
  • produce a Firm Responsibilities Map that knits these together
  • ensure that all Senior Managers are pre-approved by the regulators before carrying out their roles

The regime, which forms part of the Bank of England and Financial Services Act 2016, has also introduced a ‘duty of responsibility’, which means Senior Managers are required to take the steps that it is reasonable for a person in that position to take to prevent a regulatory breach from occurring.

The rules make it easier for firms and regulators to be clear about who is responsible for what with the statutory expectation that “clear individual accountability should focus minds, drive up standards, and make firms easier to run and to supervise”. Moreover, if things go wrong, the new framework allows senior managers to be held to account where they are at fault for any conduct that falls within their area of responsibility. The rules also hold individuals working at all levels within relevant firms to appropriate standards of conduct.


The FCA’s current plan is to set out the details for replacing the current approved persons’ regime for non-banks and all other firms with an appropriate SM&CR framework in a consultation paper in Q2 of 2017, with the aim of implementing the new regime across all regulated firms by next year.





2. ICO fines Digitonomy £120K for sending marketing texts without due consent

The Information Commissioner’s Office (ICO) has warned businesses engaged in electronic direct marketing about the risks of relying on third party consent mechanisms as a basis for sending marketing messages to consumers.

The ICO issued the warning as it announced that it had fined a credit broker £120,000 for failing to secure appropriate consent from consumers who it had targeted with more than five million marketing text messages.

The ICO said Digitonomy was responsible for “a serious contravention” of the UK’s Privacy and Electronic Communications (e-Privacy) Regulations (PECR).

PECR generally prohibits organisations from sending or instigating the transmission of unsolicited communications to consumers for the purposes of direct marketing by means of electronic mail unless the person receiving the mail has given their prior consent for the messages to be sent or other limited exceptions apply.

Digitonomy instigated the transmission of 5,238,653 spam text messages to consumers between 6 April 2015 and 29 February 2016, the ICO said.

The company obtained consumers’ contact details from third parties it was working with on affiliate marketing activities. It provided the ICO with copies of the wording the data providers had used in their contracts with consumers and claimed the terms provided it with the consent it required to target those consumers with its marketing messages.

In a statement, Digitonomy said “appropriate due diligence” had been conducted; however, the ICO said that the “consent wording” relied upon did not demonstrate that the consumers who received the messages had given their consent to receiving marketing communications from Digitonomy.

In its penalty notice to Digitonomy, the ICO said: “Consent must be freely given, specific and informed, and involve a positive indication signifying the individual’s agreement. Indirect, or third party, consent can be valid only if it is clear and specific enough. Just informing individuals that their details will be shared with unspecified third parties, is neither freely given nor specific and does not amount to a positive indication of consent.”

“It is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence,” it said.

Steve Eckersley, ICO’s Head of Enforcement, said: “Businesses that rely on direct marketing must be able to confirm that people have given their permission to receive text messages and to comply with the law they must have the evidence to prove it. Depending on the word of another company is simply not acceptable and is not an excuse.”


[Our Note: The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000. This limit is set to increase to up to 4% of annual worldwide turnover or €20 million, whichever is higher, with the implementation of the General Data Protection Regulation next year]


3. What makes good ‘conduct’ regulation….?


In a speech delivered on 13 February at the Cambridge Judge Business School, John Griffith Jones, Chairman of the FCA, stated that “good conduct regulation is built upon clear objectives and perimeters, shared understanding of risk tolerance, operational excellence, and efficient measurement of outcomes”.


He said that the FCA were in the process of building an optimal model for good conduct through their new Mission Statement which, together with the input received from respondents, should provide crucial input to their future success.

Mr Jones outlined the key building blocks for good conduct regulation as:

  1. Government policy
  2. A clear set of objectives for the regulator, and a clear perimeter of coverage
  3. A well developed and shared understanding of risk tolerance
  4. Operational excellence
  5. A basis of measurement of inputs, outputs and outcomes, including intended and unintended consequences, with transparency of results

He stressed that “if the first two building blocks were not entirely within the regulator’s control, the next two [Risk tolerance and Operational excellence] largely are, though none the easier for so being”. Whilst ‘risk tolerance’ covers a multitude of sins, at its core lies “a recognition that we do not live in a perfect world, that our rules are going to be broken periodically and that we shall be accused of being deficient in allowing, or not preventing, such infringements to happen”.

Explaining what regulators perceive as good conduct, Mr Jones said that “attempts to quantify ‘acceptable’ detriment, typically numbers of people affected or amounts involved, unsurprisingly cut no ice with the people disadvantaged”. The approach adopted by the FCA has evolved over their short four year life, but there is more debate to be had. He said that, “in trying to understand conduct risk, we have to distinguish between ex ante and ex post”.

He added that “Ex ante, we seek to anticipate the more material things that are more likely to go wrong, and to pass rules, conduct supervision, or occasionally to ban practices in order to reduce the likelihood of such events crystallising with detriment. Sometimes we can foresee issues before they surface, but more frequently it is the speed of response to early signals that is key to containing the scale of the damage that might otherwise occur. Sometimes, regrettably, it has to be a case of learning with hindsight, but this is still better than letting history repeat itself”.

He went on to say that “Given these inevitable fragilities we need, ex post, to have a system of safety nets. Some of these are: redress programmes, the Financial Ombudsman Service, the Financial Services Compensation Scheme, which are designed to protect those within the perimeter up to certain limits, and of course access to the law courts. We have learned from experience that ex ante prevention is much better – and much cheaper – than ex post cure. PPI is the ultimate case in point with a cumulative cost of rectification to date of over £25billion, for what was in essence an add-on product”.

The speech makes it clear that the regulatory focus is on firms’ proactive strategy to manage conduct risk. Firms are expected to identify key conduct risks to their businesses and put in place systems and controls to prevent these risks from crystallising.


4. Emerging FinTech trends in the securities market


Working intensively with the G20 and the Financial Stability Board (FSB) on the global regulatory reform agenda, the International Organisation of Securities Commissions (IOSCO) develops, implements and promotes adherence to internationally recognized standards for securities regulation. The term Financial Technologies or “FinTech” is used to describe a variety of innovative business models and emerging technologies that have the potential to transform the financial services industry.


In February, IOSCO published a report which focuses on the delivery of securities and capital market products and services through the use of FinTech. In particular, the report examines:


  • Financing platforms, including peer-to-peer lending and equity crowdfunding
  • Retail trading and investment platforms, including robo-advisers, social trading and investing platforms
  • Institutional trading platforms, with a specific focus on innovation in bond trading platforms, and
  • Distributed ledger technologies, including application of the block-chain technology and shared ledgers to the securities markets


IOSCO says that other categories of FinTech, such as those that make use of big data analytics and artificial intelligence, regulatory technologies (Regtech), and cyber security and cloud-based technologies, are also relevant in this context, but these are being studied separately.


The report analyses FinTech trends in emerging markets where, due to the lack of legacy infrastructure, FinTech is often able to race ahead of current technology and bring about greater financial inclusion. The report also provides an overview of the regulatory challenges common to different areas of FinTech and the regulatory responses to these.




5. FCA call for improved client focus by investment firms when acquiring clients from other firms


In a Supervisory Review paper published in February 2017, the FCA have set out their findings on how firms treat the clients they acquire from advisory firms or client banks. The review focussed on:


  • Communications provided to clients at the point of acquisition


  • Integration of clients into the new service proposition, and


  • Suitability of replacement business recommendations

The FCA have expressed their disappointment that none of the firms assessed were able to consistently show that clients’ needs were suitably considered. They found that, while firms focused on the commercial benefits, they did not focus enough on how clients were impacted by the acquisition.


The review also showed that, where firms had clearly considered potential disadvantages to clients and designed their practices to mitigate these, this approach was not consistent across all of the aspects that the FCA assessed. This, in the FCA’s view, resulted in a potential detriment for clients whose needs had not been appropriately considered.


The FCA’s outcomes testing of replacement business did not indicate widespread common themes of unsuitability. However, they identified individual areas requiring improvement for many of the firms assessed. Some of the issues noted by the FCA included:


  a) The communications to clients did not provide enough information to meet the requirements of Principle 6 and 7,

  b) Firms did not always recognise where the contract between the original firm and the client did not allow ongoing services provided and charged for to be transferred to the acquiring firm,

  c) Where the acquiring advisory firm had not established the client’s agreement to the adviser charge, it wasn’t clear as to how the provider firm could have obtained and validated the client instructions,

  d) Some firms failed to meet the intended service standards for acquired clients because of inadequate planning or resources, and

  e) In some of the firms, adviser remuneration was calculated partly in line with the level of initial adviser charges generated for replacement business. Where firms did this, there was a risk of unsuitable advice.


Following the review, the FCA have provided feedback to the firms assessed, clearly pointing out areas for improvement. The FCA expect all other relevant firms to now consider the findings of this report and assess whether they need to improve their own practices and procedures.





6. Bank of England becomes the Prudential Regulation Authority


The Bank of England and Financial Services Act 2016 (“the 2016 Act”) ends the status of the Prudential Regulation Authority (“the PRA”) as a subsidiary of the Bank of England (“the Bank”) by making the Bank the PRA effective from 1 March 2017. The 2016 Act also creates the Prudential Regulation Committee (PRC), through which the Bank must exercise its functions as the PRA. References to the PRA in the 2016 Act or any other enactment are now treated as references to the Bank acting as the PRA through the PRC. As a result, the Bank now functions as the PRA, with the PRA Board having been replaced by the PRC as one of the key decision-making committees of the Bank.


This instrument makes consequential amendments to references to the Bank and the PRA in various enactments to account for the change in status of the PRA.