Firms will need to ensure their systems and controls to prevent financial crime and money laundering are working effectively: this is just part of the message contained in the FCA’s Business Plan for 2019/20. The Business Plan sets out a road map for the FCA’s strategic objectives and areas of focus in the year ahead, thereby providing an insight for firms as to likely areas of enforcement risk.

We have analysed the Business Plan and set out a summary of the key regulatory areas on which firms should concentrate.

Financial Crime and Anti-Money Laundering (AML)

These hot topics remain firmly in the FCA’s cross-hairs, as recently confirmed by the FCA’s Director of Enforcement and Market Oversight¹ and recent enforcement action by the FCA. For example, last month the FCA issued a bank with its second-largest penalty ever for AML controls failings. It is therefore imperative that firms ensure their systems and controls to identify and prevent financial crime are working effectively. Just as importantly, to mitigate the risks of any enforcement action, firms must be able to point to documentary evidence and records to show that this is the case.

With regard to regulatory technology, the FCA will use enhanced analytical software and its own intelligence-gathering to become “faster, smarter and more efficient” in its AML work. The FCA will also explore how it uses technology to be more intrusive in assessing the effectiveness of firms’ AML systems and controls. Further, the FCA will host an international ‘TechSprint’ on AML and financial crime, during which it will test nascent “Privacy Enhancing Technologies." The FCA will share the outcomes from this experimental work, with the aim of encouraging firms to adopt new technologies to improve the detection and prevention rates of money laundering and financial crime. The implication of the above proposals for firms is that they can expect increased scrutiny from the FCA on their AML systems and controls and, if the technology proves to be as useful as the FCA believes, an increased number of investigations into any failings may follow.

Accountability and Culture

The focus on individual accountability and cultural change remains a key priority on the FCA’s agenda as they are seen as critical to mitigating market and consumer harm. Some of the ways in which the FCA will seek to achieve these goals are as follows:

1. The Senior Managers and Certification Regime (SMCR) – the SMCR remains a pivotal weapon in the FCA’s armoury as it focuses on individuals and their personal accountability, rather than on the corporate. The SMCR already applies to banks, building societies and insurers, and from December 2019 it will be extended to apply to all FCA-authorised firms. As a result, we expect to see an increase of enforcement activity under the SMCR next year.
2. Remuneration and recognition practices – the FCA will review firms’ practices over the coming year to identify if firms are encouraging staff to act in ways that could harm consumers or markets.

In addition to embedding the right culture, it is equally important that firms can evidence the steps they have taken to do so, not least as the FCA expects firms to “demonstrate awareness of our expectations on culture” and “reflect this in their practices.”

Wholesale Financial Markets

From the FCA’s perspective, the health and effectiveness of the wholesale markets relies on them being visibly fair, transparent and efficient and as such the FCA will be engaging in a number of activities including:

1. Compliance with the Market Abuse Regulation (MAR) – The FCA will pay particular attention to key areas in firms’ control frameworks, including (i) the control of inside information within M&A businesses and (ii) corporate broking functions. The FCA has flagged that its supervisory engagement with firms’ capability to detect and report suspected market abuse will focus particularly on the surveillance of fixed income markets. Finally, the FCA is developing new monitoring and detection tools focusing on (i) delayed disclosure and misleading statements by issuers (ii) secondary market behaviour including (a) cross-market manipulation, (b) abuse in fixed income markets and (c) equity insider dealing. From this we can assume that the FCA will be paying particular attention to any failings in firms’ systems and controls insofar as they relate to the management of inside information, and to the extent that inside information has been misused, enforcement action is likely to follow.
2. Compliance with the Markets in Financial Instruments Directive (MiFID) II – this remains high on the FCA’s agenda as the FCA continues its use and review of MiFID II transaction reporting data to help detect market abuse. However, it remains to be seen just how effective the FCA will be in reviewing this wealth of data, which includes transaction orders as well as executed trades.
3. Data use and access – the FCA plans on carrying out a call for input in respect of data use and access in the wholesale market around Q2 2019/2020 with a view to publishing a feedback statement in April 2020. Its purpose will be to (i) better understand market dynamics, competition and other regulatory issues to decide which of them, if any, the FCA can address and (ii) potentially prompt customers to come forward with complaints that may be relevant from a competition law perspective.

Investment Management

Following the FCA’s Asset Management Market Study, the FCA made certain changes including as to its fund governance rules² which clarify and strengthen authorised fund managers’ existing duty to act in the best interests of investors. The FCA also provided further rules and guidance to improve the quality, comparability and robustness of information for investors.³ The FCA will continue to focus on the implementation of these new requirements once they come into effect in October 2019. If they do not already do so, firms should ensure that they are ready to implement the rules accordingly.

Operational Resilience

Following on from the £16.4 million fine issued to Tesco Personal Finance Plc (Tesco Bank) in October 2018 for failing to exercise due skill, care and diligence in protecting customers against a cyber-attack, in circumstances where Tesco Bank failed to address a known risk to prevent the attack from occurring in the first instance, the FCA’s Business Plan expressly recognises that boards and senior management are responsible for operational resilience. The FCA will develop policy proposals in this regard and consult later in 2019 following responses to its operational resilience Discussion Paper.

The FCA will continue to use regulatory tools to test the cyber capabilities and resilience of “high impact firms” and plans to give feedback on how firms detect, and how they may improve their resilience to, cyber-attacks by Q4 2019/2020.

Conclusions

The FCA has a number of regulatory areas of focus in the coming year, as it attempts to bring further stability to financial markets and eradicate consumer harm. Firms can expect increased scrutiny in respect of these regulatory areas and where failings are found, enforcement action may be likely to follow.

It would therefore be prudent for firms to assess how well they are performing in each of these areas. For example, firms should be asking themselves: What is the approach of senior management to ensuring a good culture and how is that approach perceived within the firm? How capable is the firm at combatting the threat of cyber-attacks? If firms can show that they have considered these types of issues and sought to remedy any weaknesses, this will place them in far better stead to avoid possible FCA enforcement action in the future.