Looking back on January and February, the first couple of months of 2018 have not paved the way for any post-MiFID II relief. Although the regulator kicked off the year by handing the London International Financial Futures and Options Exchange (LIFFE) and the London Metal Exchange (LME) a 30-month extension to comply with MiFID II requirements, 1 January 2018 also saw the EU benchmark regulation come into force.

Financial Reporting

As new regulations swept in, the regulator continued to press on and highlight new issues. In February, CEOs of IFPRU and BIPRU firms should have received a letter from the FCA stating that the quality of prudential regulatory returns has fallen below the appropriate standard, with some data being incorrect and/or incomplete. Additionally, the FCA disclosed that they will be scrutinising a sample of firms' returns. In anticipation of this, our clients will have received a regulatory alert from us to encourage them to examine their own data.

AIFMD Survey

From a European perspective, firms subject to AIFMD will have also received an opportunity to complete a survey designed to collect feedback on the implementation of AIFMD (commissioned by The Directorate General for Financial Stability, Financial Services and Capital Markets Union of the European Commission (DG FISMA)). KPMG have been contracted to assess how the directive has worked in practice and to what extent its objectives have been met. We issued a regulatory alert regarding this, encouraging all our clients to complete the survey by the deadline of 15 March as this may influence the likely implementation of AIFMD II.

RTS 28 Disclosures

However, as new tasks arise, we would also like to remind our readers that new MiFID II deadlines are approaching, with respect to best execution venues. RTS 28 disclosures (such as top-five execution venues) must be made by 30 April 2018. Given that these requirements are new, these disclosures may lack the intended granularity, so we point our clients to the ESMA guidance on this topic (please refer to question 6 on page 20). In brief, whilst some of the disclosures may be incomplete, firms should endeavour to provide as much data as possible.

Cayman Islands Monetary Authority Anti-Money Laundering (AML) Guidance

Finally, we point our readers to the guidance issued by the Cayman Islands Monetary Authority. New money laundering regulations came into force on 2 October 2017. The expanded requirements necessitate the appointment of a money laundering reporting officer (MLRO) and a deputy MLRO, or delegation of this role to a third party. Please note that these requirements will apply to unregulated funds from 31 May 2018.

General Data Protection Regulation (GDPR)

As the deadline of 25 May approaches fast, Duff & Phelps has developed a GDPR toolkit to help firms prepare for and ensure compliance with the regulation. This was presented by Latha Balakrishnan at our quarterly breakfast briefing, held on 22 February 2018 at the Savile Club, and is now available for purchase.

SUPERVISION MATTERS

FCA statement on proposals to introduce a public register

26 February 2018

The FCA has made a statement regarding the public FCA register, in light of feedback concerning its potential decreased value, as a by-product of the proposed Senior Management and Certification Regime (SMCR).

As a reminder, once the SMCR comes into force, under the current proposals only senior managers will appear on the register, as they are the only category the FCA will be actively approving. As a result, a significant number of individuals won't appear on the register, despite the fact that they will have roles that are able to impact the market and customers (for example, nonexecutive directors, financial advisors and portfolio managers).

The FCA has stated that it has listened to this feedback and will consult on proposals to address this issue and widen the scope of the public register, alongside other matters relative to the regulation, by summer 2018.

FCA and PRA publications on algorithmic trading supervision

12 February 2018

The FCA published a report on 12 February regarding the supervision of algorithmic trading in wholesale markets. The report provides examples of good and bad practices within the sector.

The report also highlights the regulator's focus points in the algorithmic trading space, specifically identifying five key areas:

  • defining algorithmic trading,
  • development and testing,
  • risk controls,
  • governance and oversight and
  • market conduct.

The FCA notes that whilst automated technology brings various benefits to investors, such as increased execution speed and reduced costs, it also has the potential to increase risks. As such, the regulator considers it imperative that key oversight functions (such as compliance and risk management) keep pace with technological advancements.

Megan Butler, Director of Supervision - Investment, Wholesale and Specialist at the FCA, said, 'This report is relevant for all firms developing and using algorithmic trading strategies in wholesale markets. Firms should consider and act on its content in the context of good practice for their business'.

The report can be read in full here.

The PRA also published on the same day a consultation paper setting out a draft supervisory statement outlining the PRA's expectations regarding a firm's governance and risk management of algorithmic trading.

The consultation period closes on 7 May. The PRA proposals can be found here.

FCA and ICO publish joint update on GDPR

8 February 2018

The implementation date for the EU's General Data Protection Regulation (GDPR) is fast approaching; the regulation will apply in the UK from 25 May 2018. The Financial Conduct Authority (FCA) and the Information Commissioner's Office (ICO) are working closely together to prepare for GDPR. The FCA and ICO have had a Memorandum of Understanding in place since 2014, which demonstrates their joint commitment to co-operation and co-ordination with regards to their activities.

Although the GDPR will be regulated and enforced in the UK by the ICO, compliance with the GDPR requirements is something that the FCA will consider within their rules - for instance, with regards to Systems and Controls (SYSC) and the Senior Management Arrangements. The FCA has stated that compliance with GDPR is now a board-level responsibility in which firms will need to evidence the steps that they have taken to achieve compliance. The FCA does not consider that the requirements under GDPR are incompatible with the Handbook rules, but considers that there are several common requirements - for example, with regards to the requirement to treat customers fairly, which is central to both the FCA and the new GDPR regime.

To read the full article, please click here.

FCA speech on building cyber resilience

26 January 2018

The Head of Technology, Resilience & Cyber at the FCA, Robin Jones, delivered a speech on building cyber resilience at the PIMFA Financial Crime Conference on 25 January 2018. He announced that cyberattacks were on the increase. There were 69 material attacks reported in 2017, an increase on the 38 reported in 2016 and 24 from 2015.

The FCA's ambition was to raise the awareness and capability of firms to have good cyber hygiene, a good security culture and good governance. This translated into an expectation for firms to understand their key assets and their backup arrangements and constantly assess where they are vulnerable. Firms must also create a good security culture with their staff, for example, for staff to be able to spot phishing emails, ensure password discipline and maintain data controls. Finally, the FCA expects firms to implement effective governance around this area, namely that business leaders must understand what a cyberattack could do and how to respond and recover. A cyberattack needs to be understood as a significant risk to a business's operation, its consumers and to the wider market.

Mr Jones concluded by emphasising that firms can learn key lessons from cyberattacks that have already happened:

'The first lesson is addressing the basics... Attacks often exploit well-known vulnerabilities... so addressing basic hygiene factors such as vulnerabilities in old systems or patching on a regular cycle is important.

The second lesson is to detect attacks, stop them from spreading and have in place robust contingency plans.

The third lesson is to ensure any contingency plan includes a communications plan; for example, [in the event of a cyberattack, firms should] know how to get hold of key people, [whether they are staff, consumers or the authorities]'.

The full speech can be accessed here.
