Compliance Insights Articles

The past two years have brought a whirlwind of new regulatory requirements, guidance and legislation that financial services firms have had to keep up with. But this doesn’t make the existing regs any less important – in fact, some of the new requirements make familiarity with existing ones all the more vital. A great example is the importance of SYSC to Senior Managers, whom the Senior Managers and Certification Regime makes individually accountable for the areas in their re

The European Banking Authority (EBA) Outsourcing Guidelines come into force on 30 September 2019. The revised guidelines, which replace the 2006 Committee of European Banking Supervisors Guidelines on Outsourcing, set out specific requirements for all financial institutions within the EBA’s remit, including banks, building societies, designated investment firms, IFPRU investment firms and credit institutions when they outsource functions to a service provider. The Guidelines

Most financial service providers and consumer credit firms must be authorised by the Financial Conduct Authority in order to operate and in 2019 these firms will be joined by Claims Management Companies when the regulator switches from the Claims Management Regulator to the FCA in April. Inwardly passported firms should also ensure that they are properly authorised before Brexit. The good news is that the time taken to process authorisation applications has fallen from an ave

This week we’re going to take a look at how Non-Executive Directors will be affected by the implementation of the Senior Managers and Certification Regime in solo-regulated firms. Previously, under the Approved Persons Regime, all of a firm’s directors needed approval from the Regulator. This changes with the SM&CR, and from commencement, non-executive directors that do not also undertake a Senior Management Function do not require approval under the Senior Managers Regime. T

Solo-regulated firms that will be within the scope of the Senior Managers and Certification Regime from the end of this year should consider the impact of the requirement to assess and certify the fitness and propriety of their Senior Managers and Certification staff on current process. The Fit and Proper requirement in the SMCR is designed to reinforce that firms need to take responsibility for their staff being fit and proper to do their jobs. Whilst the Financial Conduct A

Accountability is not a new concept in data protection, but whereas the principle of accountability was implicit in the Data Protection Act 1998, the General Data Protection Regulation explicitly enshrines accountability as an obligation for controllers, meaning that firms will need to take responsibility and prove that they are compliant. Articles 5 and 24 of the GDPR require that controllers be able to demonstrate compliance; Article 5 specifically defines ‘accountability’

As of the 10th December, insurance firms are now subject to the Senior Managers and Certification Regime. So as an insurance firm what do you need to be doing now to ensure continued compliance? SM&CR: A Summary The Regime replaces the revised Approved Persons Regime, and last month’s extension to insurance firms is part of the eventual roll-out of the Regime to all financial services firms. The SM&CR was introduced to banking firms in 2016 to address some of the issues that

With the commencement date looming, insurance firms should be well within the final stretch of their preparation for the new Senior Managers and Certification Regime. The new regime replaces the Approved Persons Regime, following the enactment in May 2016 of the Bank of England and Financial Services Act, which required the SM&CR be extended to all authorised financial services firms. The SM&CR has been in place for banking firms since March 2016, and will apply to insurance

Following the implementation of the General Data Protection Regulation eleven weeks ago, the Information Commissioner’s Office have published a suite of guidance documents for all types of firms, helping to interpret the new rules and guide firms to apply the rules in practice. This is particularly helpful for firms experiencing some confusion about some of the more complex parts of the Regulation. The new guidance provides a helpful run-down of the process of undertaking a D

The FCA have now published the ‘near-final’ draft rules for the Senior Managers and Certification Regime (SM&CR), which currently only applies to UK banks, building societies, credit unions and branches of foreign banks operating in the UK. SM&CR is now being extended to all authorised firms. The FCA released a suite of information on the new regime in 2017 and the first half of 2018 to ensure that firms had plenty of time to prepare prior to implementation. The exact date of

In this article we’ll be taking a look at how to ensure physical records processes don’t fall foul of the General Data Protection Regulation. The headlines in the run-up to implementation made much of the Regulation’s impact on digital data, with plenty of focus on the changes the tech titans were required to make to online and digital platforms. All firms, however, should be aware of the obligations the GDPR places on business with regard to physical – paper and hard-copy –

Following up on last week’s article about timescales, we’ll look this week at the issue of logging requests that come in as part of the eight rights under GDPR. Customers, clients and users exercise most of these rights by submitting a request to the firm holding and processing their data - the right to be informed is more automatic, with the onus on the body collecting the data, and the right to restrict processing can also be triggered as part of the right to rectification.

Reflecting on the three weeks since the General Data Protection Regulation implementation date, it’s clear that the impact of the new legislation on the financial services sector is not limited to pre-deadline work. Firms are working hard to continue to embed business changes and evolve with the Information Commissioner’s Office’s recent guidance, new industry norms, and peer and supplier practices. At this juncture, firms should be settling in to the new regime, undertaking

With the 25th May implementation date for the General Data Protection Regulation looming at the end of this week, our handy guide to making good use of the final few days will help you to ensure compliance before the deadline. Regulatory change can be daunting, and both the sheer number of new rules and the much talked about consequences of getting it wrong can be intimidating. There’s no one ‘right way’ to go about preparing for the GDPR, and whether arrangements have been u

With the implementation of GDPR less than a week away, firms across the country have been preparing for the new regulation. Most of us will have noticed the influx of emails from companies asking us to read updated privacy notices and terms and conditions and to opt-in if we want to keep receiving communications. What is less obvious are the changes that are being made behind the scenes. Most firms should, by now, be aware of whether they need to appoint a Data Protection Off

It’s never too late to take action on GDPR. As recently as March 2018, just 5% of EU companies believed they were compliant with all of the requirements. It is essential that firms work towards achieving compliance before the implementation date – now just 17 days away. The new Regulation is wide-ranging, and can seem overwhelming at first glance, especially to small and medium sized businesses trying to meet current challenges without having to factor in GDPR on top. If you

With just twenty-four days to go until GDPR is enforced in the UK, now is the time to review your compliance and ensure any last-minute amendments. It is never too late to make adjustments and modifications to process, policy and cybersecurity to ensure compliance with the new regulation. A variety of recent news reports have highlighted how firms such as Apple, Facebook and Whatsapp are dealing with the new requirements, with many subscribers receiving a number of emails upd

The Financial Conduct Authority (FCA) have published the final rules and guidance relating to staff incentives, remuneration and performance management in consumer credit, and have confirmed the implementation date of 1 October 2018. The publication confirms that the new rules take the form of a new section in CONC, along with non-handbook guidance designed to aid firms’ journey to compliance before the implementation date. The FCA began their thematic review of firms’ arrang

With many changes to our working practices on the horizon it’s easy to forget the importance of understanding what to do when things go wrong. There are specific requirements in GDPR setting out what we should do if we have caused a “personal data breach”, none more obvious than the need to report it within, ideally, 72 hours. First let’s consider the definition of a Personal Data Breach: “A personal data breach means a breach of security leading to the accidental or unlawful

The UK’s communications regulator, Ofcom, published a Statement and Consultation paper setting out the review of its General Conditions of Entitlement at the end of 2017. The changes, which will apply to all UK communications providers, will come into effect on 1st October 2018. They follow a consultation on proposed changes in consumer protection in December 2016, and a consultation on network functioning and numbering and other technical matters in August 2016. Seeking to ‘