Financial Services Updates - September 2021
In this article you'll find a summary of recent financial services updates from the FCA and the impact of these on regulatory compliance.
UK Government proposals to reform UK Data Protection Laws
The Department for Digital, Culture, Media and Sport published a new consultation on reforms to the UK’s data protection regime, setting out the proposed reshaped approach to data protection regulation that takes advantage of the regulatory landscape post-Brexit.
The proposal builds on the UK GDPR, but aims to drive growth and innovation through maintaining high standards without excessive barriers, helping innovative businesses to use data responsibly without undue risk, and ensuring the ICO can regulate effectively.
Among the proposed changes is the plan to remove the requirement to undertake a Data Protection Impact Assessment (DPIA), instead requiring firms to identify, assess and minimise risks through a risk management practice appropriate to the firm. To limit the risk that firms may not feel obliged to undertake adequate assessment prior to high-risk processing, the Government has proposed a new Privacy Management Programme (PMP) which would require firms to have these risk management processes in place. A PMP would mean that firms must have a tailored programme that is appropriate for their processing activities which should ensure privacy is considered holistically. The wider PMP would include policies and processes for the protection of personal information, which will include setting out any responsibilities for data protection compliance, evidence of appropriate oversight from senior management, and measures for ensuring the firm is compliant with data protection legislation.
The consultation also sets out the proposal to change the threshold for reporting a data breach to the ICO so that only breaches which might materially impact on individuals should be reported, with a recommendation to the ICO that they publish examples of what constitutes a non-material risk, as well as examples of what is and what is not reportable. This proposal will likely lead to fewer reports being required, lowering the threshold from ‘result in a risk to the rights and freedoms’ of individuals, to ‘material risk’, but further clarification of what will constitute a material risk is clearly required.
Amendments to the existing rules for grounds for lawful processing are set out, including the creation of a new, separate lawful ground for research, the creation of a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test – which should reduce the overuse of consent – and a clarification that processing personal data for the purposes of bias monitoring, detection and correction in relation to AI systems constitutes a legitimate interest and a balancing test is not required.
Some further proposals aim to reduce the burden on firms, such as allowing a soft opt-in to electronic communications for non-commercial firms including charities and political parties, and the removal or amendment of some current requirements, including removal of the requirement to designate a data protection officer, removal of the requirement for prior consultation with the ICO in certain circumstances, and the removal of record keeping requirements under Article 30.
Consumer investments data review 2021
The FCA has published a report summarising their work to tackle consumer harm in the investment market during the year to 31 March 2021.
The report supports the Regulator’s Strategy publication and future publications which will aim to set out their ambitions for the market. Highlighting a proactive approach to preventing harms, the FCA note that 1 in 5 new firms were prevented from entering the market, which the FCA attribute to these firms not being able to meet the standards required or where the potential for consumer harm was identified. Nine firms and two individuals were suspected of “phoenixing”, where those responsible for unsuitable advice set up new firms to avoid action.
The report also sets out how the FCA are using data and analytics to identify and predict risks, which has led to 1700 supervisory cases involving scams or higher risk investments. In addition, over the 12-month period, over 30,000 reports about potential unauthorised business were made, with around 1320 consumer alerts published and 180 firms remaining under investigation at 31 March.
Over the foreseeable future, the FCA aim to focus on addressing misuse of the Appointed Representatives regime, review the adviser capital requirements and review the compensation framework as well as examine ongoing levels of compensation and consumer protection. In the immediate term, the Regulator will continue to use the new analytics tools to strengthen their ability to prevent firms offering poor advice from entering the market and will monitor and respond to changes within the PII market.
The FCA will remove unused firm permissions
The FCA has published draft guidance on a power that will allow it to move faster to remove regulatory permissions that are not being used by financial services firms. The Regulator notes that held and unused permissions can give credibility to a firm’s unregulated activities. The Executive Director of Enforcement and Market Oversight, Mark Steward said that “firms can and should apply to have their permissions cancelled if they no longer plan to use them, but many fail to do so. We understand that business models may evolve over time and there may be valid reasons why regulatory permissions are not being used, but unless firms notify us and keep their permissions up to date, they will risk losing market access.”
Firms that have not used their permissions for 12 months or more are at risk of having them cancelled.
The consultation will run until 29 October 2021.
Calls for consideration of unintended consequences of the ‘Consumer Duty’
The FCA’s initial consultation on the proposed Consumer Duty – an obligation for firms to put customer interests at the centre of business strategy and practices – is now closed, with the second consultation on proposed text, guidance, and intentions for supervision due by 31 December 2021.
Opinions from across the industry are highlighting potential knock-on effects of the Duty. The ICAEW note that some firms might have to consider limiting the conduct risk their business is exposed to through reducing service provision, an act that may fall most heavily on vulnerable customers. Some firms may need to exit the market, which could leave poorer customers and the most vulnerable without access to services.
Whatever the Consumer Duty will look like in 2022, a strong regulatory focus remains on firms treating their most vulnerable customers fairly. Regular staff training supports the practice of fair treatment and can demonstrate to the Regulator that your firm takes fair treatment seriously. Our online training course on Treating Customers Fairly explains the background to TCF, the FCA’s expectations and why compliance matters, and how each individual can play an integral part. Priced at just £15 per user, the course is accessible at the delegate’s convenience and provides a certificate upon successful completion, allowing firms to track and record each user’s progress.
For large groups, we can offer a simplified enrolment service and pricing; simply email Robert.email@example.com.