Financial Services Round Up - August

  • Writer: Thomas Hine
  • Aug 21, 2024

Introduction


This article rounds up some of the key recent developments in UK financial services that may be of interest to clients. This is a bumper edition, following the summer break. It includes a deep-dive into DORA, which is a subject close to our hearts, and one which is becoming front-and-centre for our clients. If you’d like to discuss anything contained in this article, please contact us using the contact details below.


FCA Criminal Background Checks on Controllers


In a recent Quarterly Consultation Paper (CP24/11), the FCA has proposed to require individuals who will become controllers and beneficial owners of UK authorised firms to obtain criminal background checks. This would occur when the firm is first authorised, and on any subsequent change in control. Obviously, criminal records checks would only be undertaken against individual persons, not companies (and, notably, would not apply to directors of corporates). The new rules would take effect from January 2025.


DORA


The financial services industry appears to be waking up to DORA. There are only five months to go before the January 2025 implementation deadline, so there is much to be done in a very short timeframe.


Just a quick recap on DORA. It applies to financial services entities regulated in the EU. Many of Cambitas’ clients are banks, broking firms, trading firms etc., headquartered in the UK, the US or Asia. DORA will still be relevant for them, as they have European subsidiaries / sister companies. It creates a comprehensive framework addressing various core components of the digital operational resilience of financial entities. It will enhance the overall conduct of ICT risk management, establish testing rules for ICT systems, increase financial supervisors’ awareness of cyber risks through an EU harmonised incident reporting scheme and introduce Union oversight of financial entities’ dependency on critical ICT third-party service providers. In short, DORA is a very significant piece of legislation for financial services firms. It will also have major implications for ICT third-party service providers, who will need to repaper their contracts with financial entities.


The following RTS / ITS / guidelines were published on 17 July 2024:


·      RTS on sub-contracting ICT services supporting critical or important functions;


·      RTS on major ICT-related incidents and significant cyber threats reporting;


·      ITS on reporting details for major ICT-related incidents;


·      RTS specifying elements of threat-led penetration testing;  


·      Guidelines on estimation of aggregated costs / losses caused by major ICT-related incidents;


·      Guidelines on cooperation of ESAs and competent authorities regarding DORA oversight;


·      RTS on harmonisation of oversight conditions; and


·      RTS on composition of joint examination team.


Some of the challenges we have seen for clients so far include:


·      Scope and impact: firms need to undertake an initial piece of work to establish which financial entities within a group are in-scope, and also work out which are ICT services and which are ICT service providers. The broad definition of ICT services has been a major challenge for firms: it is not just traditional IT providers who are caught; data providers are included within scope, for example.


·      Gap analysis: this is an important part of the implementation process for DORA. Many financial entities will meet large parts of the DORA requirements already, but will still need to undertake a rigorous gap analysis to ensure that all applicable rules are captured, and the necessary changes implemented in time.


·      Repapering: once financial entities have defined the scope, undertaken a gap analysis, and identified the relevant ICT service providers, they will likely have a significant repapering exercise to meet all the DORA requirements. This will require extensive and time-consuming engagement with ICT service providers, including on sub-contracting.


·      Reporting: financial entities will need to make changes to their processes to notify regulators of major ICT incidents.


·      Critical and important functions: financial entities will need to determine which of their functions are critical and important (CIFs) and why. For CIFs, there are a number of obligations which need to be taken into account, including additional elements to include in contractual arrangements, a policy on contractual arrangements on ICT services supporting CIFs, monitoring the chain of subcontracting, recording subcontractors in the DORA register, regular review of risks by the management body, appropriate annual testing, additional reporting to regulators, and additional scrutiny under the ICT risk management framework.


·      CTPPs: ICT third-party providers who provide ICT services to financial entities and who are determined to be critical will be subject to an EU oversight framework. The European Supervisory Authorities (ESAs) – EBA / ESMA / EIOPA – will be assigned the role of lead overseer, to ensure that CTPPs are monitored on a pan-European scale for the risks they may pose to the EU financial sector. Whether or not a third-party provider will be determined to be a CTPP will depend on a series of criteria which are set out in Article 31(2) of DORA. The ESAs and the Commission have set out indicators of a qualitative and quantitative nature for each of the four criteria set out in Article 31(2) of DORA, which are accompanied by minimum thresholds triggering such indicators. The majority of the proposed indicators are expected to be informed by the data to be provided by financial entities (falling under the scope of DORA) via their registers of information as per Article 28(3) of DORA. The thresholds are too complex to set out in detail here; however, in summary, they include any service provider providing services to more than 10% of financial entities or to systemically important FMIs, or any service provider providing services which are highly complex or difficult to migrate. Potential CTPPs should be considering now whether they are likely to trigger the thresholds, as it is likely to have a major impact on their business.


Consumer Duty


The deadline for implementation of the Consumer Duty for closed products was 31 July 2024. The FCA defines a closed product as one with existing contracts with retail customers that were entered into before 31 July 2023, and which is not marketed or distributed to retail customers (including through renewals) on or after that date.


The FCA has published various Dear CEO letters for different sectors, including asset management, consumer finance, consumer investments, life insurance, retail banking and all other firms, ahead of the deadline.


The FCA has also announced a call for input on its requirements relating to the Consumer Duty. Comments are sought by 31 October 2024. The FCA notes its secondary objective of facilitating the competitiveness of the UK economy, and the FCA wants the Consumer Duty to support this objective. The FCA has stated that it is not looking at a wholesale review of the Consumer Duty requirements, but that it aims to see where it can refine its retail conduct rules and conducts. It particularly wants to address potential areas of complexity, duplication, confusion or over-prescription. If you have identified any of these areas, please consider responding to the call for input. If you would like assistance in doing so, please contact us.


Firms should by now have made all their preparations for the Consumer Duty to apply to closed products. However, experience to date has shown that firms have varied in their implementation approach and how rigorous they have been. The FCA will be looking for egregious examples of Consumer Duty failures, and will be prepared to utilise the full range of regulatory tools available to it, including, without limitation, section 166 notices and investigations / disciplinary action. If you would like to discuss the approach you have taken to Consumer Duty implementation, or to review any aspect of it, please let us know.  


FCA Fines HSBC for Failures in Treatment of Customers


The FCA has fined HSBC UK Bank plc, HSBC Bank plc and Marks and Spencer Financial Services plc (HSBC) £6,280,100 for failures in its treatment of customers who were in arrears or experiencing financial difficulty. 


Between June 2017 and October 2018, HSBC failed to properly consider people’s circumstances when they had missed payments. This meant it did not always do the right affordability assessments when entering arrangements with people to reduce or clear their arrears. Sometimes it took disproportionate action when people fell behind with payments, which risked people getting into greater financial difficulty.


The failings were caused by deficiencies in HSBC’s policies and procedures and the training of their staff, as well as inadequate measures to identify and address instances of unfair customer treatment.


In 2018, HSBC identified that there were issues with their handling of customers in financial difficulty and notified the FCA. HSBC invested £94 million in identifying the issues and putting them right. HSBC also issued redress payments totalling £185 million to over 1.5 million customers. 


Cambitas are currently working on 7 separate regulatory investigations / disciplinary actions. We also recently achieved the closure of an investigation with “no further action” being taken. If you would like to discuss investigations / enforcement, please let us know.


Consolidated Tape


The FCA has appointed Europe Economics to perform an independent review on consolidated tape for equities. The review will look at use cases for including pre-trade data within the equities CTP and also look at what can be learned from the US equities CTP. The FCA has also announced that it is finalising the tender to appoint a bond CTP.


Clearing


'CDS Clearing and Depository Services Inc.' (CDSC) has been added to the list of Tier 1 CCPs following a Memorandum of Understanding with the British Columbia Securities Commission.


Derivatives Trading Obligation under UK MiFID


Following the Wholesale Markets Review, the FCA is consulting on three distinct but interconnected parts of the derivatives trading obligation (DTO) under UK MiFID: (1) including certain overnight index swaps (OIS) based on the US Secured Overnight Financing Rate (SOFR) within the classes of derivatives subject to the DTO; (2) expanding the list of post-trade risk reduction (PTRR) services exempted from the DTO and from other obligations; and (3) how the FCA intends to use its power to suspend or modify the DTO once its transitional powers under Part 7 of the Financial Services and Markets Act 2000 (Amendment) (EU Exit) Regulations 2019 expire at the end of 2024.


By way of side comment, it is interesting to note that the list of derivatives subject to the DTO is still very limited. When will e.g. commodities be included?


Cryptoassets


In June 2023, the FCA set new requirements for promoting qualifying cryptoassets to retail clients. These included a 24-hour cooling-off period, personalised risk warnings, client categorisation and appropriateness assessments. This constituted the first conduct regulation for many firms, and has required extensive investment. The FCA therefore published a set of observations on good and poor practice relating to firms’ implementation of these rules. The FCA has emphasised the importance of these rules in preventing harm to consumers. They help ensure that consumers understand the risks of purchasing cryptoassets, and can absorb potential losses, before they decide to invest. Firms are strongly encouraged to review themselves against the observations to ensure that they are adhering to best practice. Failure to do so could result in the FCA utilising its range of regulatory tools. If you would like assistance in performing a review, please let us know.


Complaints Commissioner Annual Report


The new Complaints Commissioner, Rachel Kent, has published her annual report for 2023 – 2024. Casework has doubled, from 421 to 861 cases dealt with by the Complaints Commissioner’s Office. The number of complex and group investigations increased, and Rachel is also dealing with a number of complex policy issues. Having worked with Rachel extensively in the past, and knowing what an excellent lawyer she is, we wish her the very best in her new role.


About Cambitas


Cambitas offers legal and consultancy services in the areas of financial markets regulation, enforcement and ESG.


For more information, see www.cambitas.com.


If you’d like to discuss any of the above, or need assistance on any of the areas we cover, please contact tom.hine@cambitas.com.

 
 
 
