UK: 10 Things Authorised Firms Need To Know For 2018: The World Of Financial Regulation As The UK Prepares To Exit The EU



There is much for authorised firms to consider in the year ahead. Firms have been through the intensive period of the enactment of the second Markets in Financial Instruments Directive (MiFID II), but must now step up their work on implementation of the General Data Protection Regulation (GDPR) and transition to the extension of the Senior Managers and Certification Regime (SMCR). The Brexit leave date of 29 March 2019 is fast approaching, and we can only hope that we will enter 2019 with greater certainty than 2018 as to how the regulatory landscape will look.

Executive Summary

In this publication, we focus on 10 key issues that authorised firms should have at the forefront of their minds as they enter 2018:

  1. GDPR: Described as one of the biggest changes in data protection law for a generation, the GDPR – which is set to come into force on 25 May 2018 – is intended to strengthen, unify and harmonise the European Union (EU) data protection regime, ensuring that non-European companies will have to deal with only one set of data protection laws. The GDPR broadens the territorial reach of the EU data protection regime and, importantly, significantly increases sanctions for non-compliance. Despite the UK's impending exit from the EU, it is expected that the UK's post-Brexit data protection regime will embrace the GDPR.
  2. Increased regulatory scrutiny of the asset management industry: The shift in regulatory focus of the Financial Conduct Authority (FCA) towards the asset management industry in recent times is notable. In the past year, there has been an FCA market study of the asset management industry, an FCA market investigation reference to the Competition and Markets Authority (CMA), and an FCA statement of objections issued to four asset managers alleging certain competition law breaches. The action taken by the FCA in this space demonstrates both the focus and priority that it places on the asset management industry. The regulator is evidently increasing in both confidence and willingness to utilise its wider tool kit, and firms should prepare themselves for further scrutiny and possible enforcement action.
  3. The extension of the SMCR: Having successfully rolled out the SMCR to banks, building societies, credit unions and dual regulated investment firms in March 2016, the FCA is now preparing to extend the SMCR to all other authorised firms. The new regime is expected to be implemented in 2019 and while the extended SMCR retains key elements of the regime applicable to banks, the FCA has adopted a proportional approach to implementation for the rest of the financial services industry. The extension of the SMCR is expected to be an important weapon in the regulator's armoury to help ensure that individuals who have committed misconduct are brought to account.
  4. Industry codes of conduct: The FCA's recent consultation paper recognised that its expectations for markets and activities not covered by regulatory rules and FCA Principles are not as clear as they could be. The FCA seeks to resolve this issue and proposes, among other suggestions, to publicly recognise certain industry codes that set out proper standards of market conduct for unregulated markets and activities. The FCA also discusses the possibility of extending the application of Principle 5 of the FCA's Principles for Businesses – which requires firms to observe proper standards of market conduct – to unregulated activities.

  5. EU regulatory developments: Changes to EU regulation continue to take place at pace. The key development this year is undoubtedly the coming into force of MiFID II, which alters the regulatory landscape for firms and regulators alike. As with the implementation of any new rules, unforeseen consequences can occur and it will be interesting to see how the regulators respond to this. In addition to MiFID II, 2018 will see advanced proposals (expected to be approved) for important changes to the marketing of investment funds, rules relating to short selling, proposals to amend the European Market Infrastructure Regulation (EMIR) and securities financing transactions (SFT).
  6. Enforcement action in relation to MiFID II: The FCA has stated that the wider information available to it under MiFID II (in conjunction with that collected under the Market Abuse Regulation (MAR)) will shape its enforcement work – in addition to its supervision and policy assessments – for the better. In particular, it will allow the FCA to read across venues and markets, virtually in real time, to enable it to gain a holistic view of activity in wholesale markets. It remains to be seen how effective the FCA will be in utilising the additional information available to it and whether it has systems capable of synthesising the information in a manner that enables it to act quickly.
  7. Anti-money laundering developments: The FCA's focus on financial crime and anti-money laundering (AML) has been a continuing theme for some years now, and was again emphasised in the regulator's 2017/18 Business Plan and in recent enforcement action (discussed below). Regulated firms are required to maintain robust and risk-focussed AML systems and controls, and to promote a culture that supports these controls and that impresses on staff the importance of complying with them.
  8. FCA investigations – a quiver full of arrows? The FCA is taking a new approach to its investigations – it will not use investigations as a precursor to contemplated enforcement action when something has gone wrong, but rather as a tool for finding out what has happened. The regulator acknowledges that a necessary result of the change in approach is that an increased number of investigations will be open. Firms and individuals will therefore need to be prepared for more investigations and resource themselves accordingly. While enforcement action following an investigation may no longer be seen as inevitable, it will still remain a real risk.
  9. Challenges to privilege: As firms have increasingly hired external law firms to conduct internal investigations, they have often assumed that any interviews conducted by the law firm with the firm's employees would attract privilege – particularly if these were investigations conducted after a notice of investigation had been received from the FCA. However, two recent cases have illustrated that the courts may take a narrower approach to privilege, especially in relation to material generated as a result of internal investigations.
  10. Key FCA enforcement cases in 2017: Last year, we saw the FCA place particular focus on market abuse cases involving capital markets; the regulator used its power for the first time to require a listed company to pay compensation to investors, while individuals were held to account for disseminating false and misleading information relating to publicly listed companies. In addition, a firm was found to have breached the FCA's disclosure and transparency rules, action was taken in relation to failures in respect of EMIR reporting requirements, and a decision was handed down by the Supreme Court setting out the position on third party rights in the context of FCA regulatory action. In the course of this year, we can expect more investigations and, most likely, more action against senior individuals as the SMCR beds down for banks and insurers. We also expect to see firms and individuals beginning to utilise the new options in the enforcement decision-making process, such as making direct referrals to the Upper Tribunal.

Firms are strongly encouraged to ensure that they are well-positioned to manage changes in the regulatory environment and to ensure that they are meeting regulatory expectations, and taking advice from legal experts where necessary. The consequences of doing otherwise could be severe.


Another key piece of European legislation (following MiFID II), the GDPR1, is set to come into force on 25 May 2018. Described as one of the "biggest changes in data protection law for a generation,"2 the GDPR is intended to strengthen, unify and harmonise the EU data protection regime. The GDPR seeks to provide a single legal data protection framework across the EU, the product of which should be that non-European companies need only to comply with one set of data protection rules when dealing with European individuals' personal data.

1. Key changes

The key changes under the GDPR are as follows:

Broadened Territorial Scope3

The GDPR broadens the territorial reach of the EU data protection regime. The current EU data protection regime applies only to entities whose data processing activities were "carried out in the context of the activities of an establishment of the controller on the territory of the Member State"4 or made use of "equipment, automated or otherwise, situated on the territory of the said Member State"5 for purposes of processing personal data.

As expected, the GDPR will apply in full to the processing of the personal data of data subjects in the EU by a controller or processor that is established in the EU. In addition, and as a departure from the scope of the existing data processing rules, the GDPR will also apply to the processing of personal data of EU data subjects by a controller or processor that is not established in the EU, provided that the data processing activities relate to the offering of goods or services to EU citizens;6 or "the monitoring of behaviour that takes place within the [EU]."7


Increased Sanctions8

The sanctions for non-compliance with the new regime can be significant, with fines up to €20 million or 4 per cent of the worldwide annual turnover (whichever is greater). The maximum fine is likely to be reserved for the most serious violations. Sanctions can be imposed on both controllers and processors.


Consent9

Where it is appropriate to obtain valid consent from the data subject, the GDPR strengthens the qualitative requirements applicable to such consent. Requests for consent must be made in an intelligible and easily accessible form, using plain and clear language. Furthermore, it must be as easy to withdraw consent as to give it.

Breach Notification10

The GDPR requires a breach notification to the supervisory authority in all Member States where a data breach is likely to result in a risk for the rights and freedoms of individuals11. The notification must be made without delay and where feasible not later than 72 hours after becoming aware of it12.

Increased Control for Data Subjects13

Under the GDPR, data subjects have the right – free of charge14 – to obtain confirmation from the data controller as to whether, where and for what purpose their personal data is being processed. The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing15.

Furthermore, in certain circumstances, data subjects are entitled to request the data controller to erase their personal data (right to be forgotten).

Wider Definition of Personal Data

Personal data now includes online identifiers, such as IP addresses16.

The GDPR is intended to bring a more 21st century approach to personal data protection; the UK Information Commissioner has said, "The message about GDPR is continuity and change17". New technology and new regulation will be a challenge for regulators and businesses alike. Firms will need to take active steps to ensure compliance and have confidence that their systems can meet the regulatory requirements.

2. How will the UK data protection regime be affected by Brexit?

Territorial Scope of the GDPR

Even though the UK government has confirmed18 that the GDPR will apply to the UK when it comes into force on 25 May 2018, and new data protection legislation is being passed setting out derogations from the GDPR and other national implementing measures19, the regulation may not technically continue to bind the UK post-Brexit. In practice, however, many UK businesses will still need to comply with the provisions of the GDPR because of its wide territorial scope and application.

As a general rule, any business that collects, stores and/or processes personal data of EU subjects is likely to fall within the scope of the GDPR. Thus, UK companies that process data on behalf of an EU-based data controller, or UK companies that offer or provide services to, or monitor the behaviour of, EU citizens, will continue to be subject to the GDPR post-Brexit.

This is relevant for a number of businesses, including UK and other non-EU investment funds and their managers and other service providers. The fund, through the administrator and, in some cases, the manager, is likely to store and process the personal data of individual EU investors and, as a result, be required to comply with certain requirements under the GDPR. Such personal data may include contact details of prospective EU investors, payment details, identity documents, information relating to tax residency status, source of wealth and employment status.

In order to ensure that such companies and investment firms may continue to market to prospective investors in the EU, and hold and otherwise process the personal data of EU individuals, and in order to avoid significant disruption to business, it is important that the UK's post-Brexit data protection regime is consistent with the GDPR.

Restriction on the International Transfer of Data

The GDPR regulates the international transfer of personal data of EU subjects to third countries and requires that either the data protection regime in the jurisdiction to which the data is transferred is "adequate",20 that other appropriate safeguards are in place so as to ensure that the transferred data is sufficiently protected, or that the relevant transfer falls within an exemption.

When the UK leaves the EU, in order for UK companies to be able to receive EU subject data, the UK must ensure the adequacy of data protection levels. This may be achieved by21:

  1. An adequacy decision: the European Commission (EC) may decide that the UK offers an "adequate level of protection essentially equivalent to that ensured within the [EU]22". If the UK wants to facilitate the transfer of EU personal data into the UK, it will need to ensure that its data protection regime is "adequate" (i.e., equivalent to the regime stipulated by the GDPR).
  2. The use of model contract clauses (MCCs): MCCs are entered into between a controller of EU subject data and another controller or processor that is not based in the EEA so as to enable the transfer of EU subject data between those parties. The MCCs were approved by the EC and remain valid under the GDPR unless the EC repeals the approval or the MCCs are invalidated by the European Court of Justice23.
  3. The use of binding corporate rules ("BCRs"): BCRs are internal safeguarding rules adopted by multinational organisations that enable such organisations to transfer EU subject data outside the EEA but within their corporate group.

Data protection is an increasingly important area of regulation. If they have not already done so, firms should begin to carefully consider their data flows and think about how the new regulations are likely to impact their business. As noted above, the consequences for non-compliance could be severe.



1 General Data Protection Regulation 2016/679

2 Information Commissioner's Office – messages for the boardroom

3 GDPR article 3

4 Directive 95/46/EC article 4(1)(a)

5 Directive 95/46/EC article 4(1)(c)

6 GDPR article 2(a)

7 GDPR article 2(b)

8 GDPR article 83

9 GDPR article 7

10 GDPR articles 33 and 40

11 GDPR recital 85

12 GDPR recital 85; article 33(1)

13 GDPR chapter III

14 Unless the request is manifestly unfounded or excessive, particularly if it is repetitive

15 GDPR recital 63

16 GDPR article 4(1)

17 GDPR and accountability (speech Elizabeth Denham 17 January 2017)

18 Culture, Media and Sport Committee; Oral evidence: Responsibilities of the Secretary of State for Culture, Media and Sport, HC 764; Monday 24 October 2016 ( responsibilities-of-the-secretary-of-state-for-culture-media-and-sport/oral/42119.html)

19 Data Protection Bill 2017-19

20 GDPR article 45

21 Both MCCs and BCRs existed prior to the entry into force of the GDPR but will become relevant to EU-UK transfers of personal data post-Brexit.

22 GDPR recital 104

23 The ECJ is currently considering the validity of the Commission decision on which the MCCs are based; see the referral to the ECJ by the Irish High Court in DPC v Facebook Ireland Limited and Maximillian Schrems of 3 October 2017 (
