1. FCA to apply SM&CR to claims management companies following regulation


The Financial Conduct Authority will begin to regulate claims management companies (CMCs) from April 2019. All firms regulated by the FCA and authorised under the Financial Services and Markets Act 2000 (FSMA), along with individuals performing regulated activities, are required to comply with the rules on professionalism, conduct and governance. The FCA have codified and set out these rules under the Senior Managers and Certification Regime (SM&CR) for all solo regulated firms.


The Financial Guidance and Claims Act 2018 (FGCA) transfers the regulation of CMCs to the FCA from the existing Claims Management Regulator (CMR). It will also extend regulation to Scotland and includes CMCs dealing with section 75 claims. The FCA had consulted on how they propose to regulate CMCs in CP18/15, published in June 2018. In the paper they outlined high-level standards and rules relating to conduct of business, supervision, reporting, prudential management, wind-down procedures, client money, dispute resolution and enforcement. The FCA did not include detailed proposals relating to the SM&CR in CP18/15, because they had not by then finalised the SM&CR rules that will apply to firms regulated solely by the FCA. Near-final rules for these firms were published in July 2018 (PS18/14).


In a paper published in September 2018, the FCA have stated that an independent review by them into CMCs found evidence of harm to customers, including harassment, aggressive sales tactics and business practices that reward the firm at the expense of its customers. The review also highlighted issues with the fitness and propriety of senior managers within CMCs. The FCA’s confirmation that they will apply the SM&CR proposals to CMCs aims to reduce misconduct by raising standards of governance, management and professionalism in the claims management sector. The new framework will make individuals accountable for their actions and decisions.


From next year, the SM&CR is set to replace the Approved Persons Regime (APR), which is how the FCA currently regulate people working in the financial services sector other than in banks, to which the new framework has applied since 2016.





  1. Data Protection in the event of no Brexit deal


The Department for Digital, Culture, Media & Sport published in September 2018 a guidance paper on the application of data protection law in the scenario in which the UK leaves the EU without agreement (a ‘no deal’ Brexit).


The paper affirms that negotiations are progressing well and both the UK and the EU continue to work hard to seek a positive deal. However, it acknowledges that, as a responsible government, the UK must prepare for all eventualities, including ‘no deal’, until “we can be certain of the outcome of those negotiations”.


For two years, the government has been implementing a significant programme of work to ensure the UK will be ready from day 1 in all scenarios, including a potential ‘no deal’ outcome in March 2019.


The paper argues that “It has always been the case that as we get nearer to March 2019, preparations for a no deal scenario would have to be accelerated”. Such an acceleration, however, does not reflect an increased likelihood of a ‘no deal’ outcome but rather it is about ensuring that the plans are in place in the unlikely scenario that they need to be relied upon.


The series of technical notices set out in the paper provide information and guidance to allow businesses and citizens to understand what they would need to do in a ‘no deal’ scenario, so they can make informed plans and preparations.


The paper also includes a framing notice explaining the government’s overarching approach to preparing the UK for this outcome in order to minimise disruption and ensure a smooth and orderly exit in all scenarios.


Rules governing the collection and use of personal data are currently set at an EU level by the General Data Protection Regulation (GDPR). In the UK, the GDPR (in conjunction with and supplemented by the Data Protection Act 2018) provides a comprehensive data protection framework. Most other EU countries have their own supplementary legislation. Under GDPR rules, organisations are only permitted to transfer personal data outside the EU if there is a legal basis for doing so. Transfers of personal data within the EU are not restricted.


If the UK leaves the EU in March 2019 with no agreement in place regarding future arrangements for data protection, there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.


The EU has an established mechanism to allow the free flow of personal data to countries outside the EU, namely an ‘adequacy decision’. The European Commission has stated that if it deems the UK’s level of personal data protection essentially equivalent to that of the EU, it would make an adequacy decision allowing the transfer of personal data to the UK without restrictions. While the UK has made it clear it is ready to begin preliminary discussions on an adequacy assessment now, the European Commission has not yet indicated a timetable for this and has stated that the decision on adequacy cannot be taken until the UK is deemed a third country.


If the European Commission does not make an adequacy decision regarding the UK at the point of exit and organisations want to receive personal data from organisations established in the EU (including data centres) then they should consider working with their EU partners in identifying a legal basis for those transfers.


For the majority of organisations the most relevant alternative legal basis would be standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations on UK entities and their EU partner and the rights for the individuals whose personal data is transferred. In certain circumstances, the EU partners may alternatively be able to rely on a given derogation to transfer personal data.






  1. FCA approve CII test for continuing professional competence for retail investment advisers


The FCA have collaborated with the Chartered Insurance Institute (CII) to create a re-assessment test of the level 4 Diploma in Financial Planning. The CII will make the ‘Regulated Retail Investment Adviser Re-Evaluation’ available from 1 October 2018 and the assessment aims to raise the standards and competence of Financial Advisers. There are also other bodies which offer relevant level 4 qualifications and the FCA will work with some of them in creating their own re-evaluation tests and writing to others to invite them to do the same.

The FCA believe that advisers having a good level of knowledge is the foundation to giving sound financial advice. This is particularly the case with the more technical aspects of financial advice.

The level 4 Diploma became the standard when the Retail Distribution Review (RDR) came into force from January 2013. Advisers are required to complete a minimum of 35 hours continuous professional development each year with the aim of maintaining their knowledge. However, the FCA have observed that not all firms test their advisers’ knowledge yearly as part of their Statement of Professional Standing, with many advisers never being retested.

The objective of the re-evaluation is to identify areas of strength and weakness in technical knowledge and its application that underpins suitable financial advice. While there is no FCA requirement for advisers to sit such a test periodically, professional development can identify areas of strength and weakness in technical knowledge and its application that underpins suitable financial advice.

The FCA will encourage firms to use it and they may also use it as a supervisory tool if they think it is appropriate to ask firms to re-test specific advisers based on the firm’s internal controls and risk governance arrangements.




  1. Key risks and vulnerabilities in the EU financial markets


The Joint Committee of the European Supervisory Authorities published a report in September 2018 to highlight key risks and vulnerabilities in the EU financial services sector (including in the UK) that all firms and governments must try and address to avoid a material, adverse impact on the markets.


The report cautions that in light of the current risks and uncertainties, supervisory vigilance and cooperation across all sectors remains key. The Joint Committee advises the following policy actions by the European Supervisory Authorities (ESAs), national competent authorities, financial institutions and market participants moving forward:


  1. Against the backdrop of rising interest rates and the potential for sudden risk premia reversals, it remains crucial to conduct and develop further stress test exercises across all sectors. These risks are therefore embedded in the scenarios for both the insurance stress test and the EBA 2018 EU-wide bank stress test exercise. In addition, European Securities & Markets Authority (ESMA) is progressing on the conceptual development of its approach to stress testing in the asset management industry and is developing guidelines for stress testing carried out by money market funds as well as guidelines for asset managers on liquidity stress testing.


  1. Supervisory authorities need to pay continued attention to the risk appetite of financial institutions. In particular, banks should accelerate addressing their stocks of non-performing loans and adapt business models to sustainably improve profitability. In addition, it is important that financial institutions carefully manage their interest rate risk. Similarly, (retail) investors should carefully consider the risk attached to moving into higher yielding, leveraged products, while public authorities should monitor changing investor preferences and, when appropriate, warn against risky products.


  1. Macro- and micro-prudential authorities should contribute to further addressing possible contagion risks, and they should continue their efforts in the monitoring of lending standards. Authorities concerned should moreover continue their efforts in monitoring and improving asset quality.


  1. It is crucial that EU financial institutions and their counterparties, as well as investors and retail consumers plan appropriate mitigating actions in a timely manner, to prepare for the UK’s withdrawal from the EU. Preparations should address relevant risks that inconclusive agreements on withdrawal terms would pose. Financial institutions should inform their competent authorities about the actions they are taking and be clear about implementation timelines concerned. Competent authorities concerned should monitor contingency plans that financial institutions should have in place in case of inconclusive agreements on withdrawal terms, and encourage the speedy implementation, where required, of adequate contingencies.





  1. FCA review consumer harm from outsourcing models


The FCA have completed a review of retail banks and other firms’ use of material outsourcing arrangements. They have identified potential types of harm arising from outsourcing models that include service disruption (impacting consumers’ access to products and services) and poor customer service. The regulatory review focused on firms’ approaches to outsourcing and did not test whether these were mitigating the risk of harm in practice.

The FCA summarised the following areas for firms to focus their attention on in their outsourcing arrangements to mitigate any potential harm to consumers:

  • In November 2017, the regulators introduced a prescribed responsibility for outsourcing and firms should be clear that those assigned this prescribed responsibility have overall accountability for outsourcing. This includes where the responsibility for managing third parties is delegated.
  • Firms must continue to have robust governance arrangements for outsourcing, including effective processes to identify, manage, monitor and report the risks they are (or might be) exposed to, as appropriate. These arrangements should help firms identify and reduce the potential harm to consumers if things were to go wrong.
  • Consumers can be exposed to potential harm when a firm’s third party relationship ends, particularly if it ends unexpectedly. Robust oversight arrangements, that include sufficiently tested exit plans for different scenarios, will help reduce the potential harm by ensuring business continuity.
  • Firms appear to be increasingly considering outsourcing to the cloud. The FCA have explained their expectations in this area in their recent Regulation Round-up published in July 2018.
  • The European Banking Authority is currently consulting on draft Guidelines on outsourcing arrangements and the FCA will provide further guidance to all firms based on their finalised approach on the subject.

The FCA have stated that there will be a continued regulatory focus on outsourcing and they may undertake further work and keep firms’ compliance with the requirements under a regular review.