IN PRINCIPLE: 10 THINGS AUTHORISED FIRMS NEED TO KNOW FOR 2018 – THE WORLD OF FINANCIAL REGULATION AS THE UK PREPARES TO EXIT THE EU
There is much for authorised firms to consider in the year ahead. Firms have been through the intensive period of the enactment of the second Markets in Financial Instruments Directive (MiFID II), but must now step up their work on implementation of the General Data Protection Regulation (GDPR) and transition to the extension of the Senior Managers and Certification Regime (SMCR). The Brexit leave date of 29 March 2019 is fast approaching, and we can only hope that we will enter 2019 with greater certainty than 2018 as to how the regulatory landscape will look.
In this publication, we focus on 10 key issues that authorised firms should have at the forefront of their minds as they enter 2018:
- GDPR: Described as one of the biggest changes in data protection law for a generation, the GDPR – which is set to come into force on 25 May 2018 – is intended to strengthen, unify and harmonise the European Union (EU) data protection regime, ensuring that non-European companies will have to deal with only one set of data protection laws. The GDPR broadens the territorial reach of the EU data protection regime and, importantly, significantly increases sanctions for non-compliance. Despite the UK's impending exit from the EU, it is expected that the UK's post-Brexit data protection regime will embrace the GDPR.
- Increased regulatory scrutiny of the asset management industry: The shift in regulatory focus of the Financial Conduct Authority (FCA) towards the asset management industry in recent times is notable. In the past year, there has been an FCA market study of the asset management industry, an FCA market investigation reference to the Competition and Markets Authority (CMA), and an FCA statement of objections issued to four asset managers alleging certain competition law breaches. The action taken by the FCA in this space demonstrates both the focus and priority that it places on the asset management industry. The regulator is evidently increasing in both confidence and willingness to utilise its wider tool kit, and firms should prepare themselves for further scrutiny and possible enforcement action.
- The extension of the SMCR: Having successfully rolled out the SMCR to banks, building societies, credit unions and dual regulated investment firms in March 2016, the FCA is now preparing to extend the SMCR to all other authorised firms. The new regime is expected to be implemented in 2019 and while the extended SMCR retains key elements of the regime applicable to banks, the FCA has adopted a proportional approach to implementation for the rest of the financial services industry. The extension of the SMCR is expected to be an important weapon in the regulator's armoury to help ensure that individuals who have committed misconduct are brought to account.
- Industry codes of conduct: The FCA's recent consultation paper recognised that its expectations for markets and activities not covered by regulatory rules and FCA Principles are not as clear as they could be. The FCA seeks to resolve this issue and proposes, among other suggestions, to publicly recognise certain industry codes that set out proper standards of market conduct for unregulated markets and activities. The FCA also discusses the possibility of extending the application of Principle 5 of the FCA's Principles for Businesses – which requires firms to observe proper standards of market conduct – to unregulated activities.
- EU regulatory developments: Changes to EU regulation continue to take place at pace. The key development this year is undoubtedly the coming into force of MiFID II, which alters the regulatory landscape for firms and regulators alike. As with the implementation of any new rules, unforeseen consequences can occur and it will be interesting to see how the regulators respond to this. In addition to MiFID II, 2018 will see advanced proposals (expected to be approved) for important changes to the marketing of investment funds, rules relating to short selling, proposals to amend the European Market Infrastructure Regulation (EMIR) and securities financing transactions (SFT).
- Enforcement action in relation to MiFID II: The FCA has stated that the wider information available to it under MiFID II (in conjunction with that collected under the Market Abuse Regulation (MAR)) will shape its enforcement work – in addition to its supervision and policy assessments – for the better. In particular, it will allow the FCA to read across venues and markets, virtually in real time, to enable it to gain a holistic view of activity in wholesale markets. It remains to be seen how effective the FCA will be in utilising the additional information available to it and whether it has systems capable of synthesising the information in a manner that enables it to act quickly.
- Anti-money laundering developments: The FCA's focus on financial crime and anti-money laundering (AML) has been a continuing theme for some years now, and was again emphasised in the regulator's 2017/18 Business Plan and in recent enforcement action (discussed below). Regulated firms are required to maintain robust and risk-focussed AML systems and controls, and to promote a culture that supports these controls and that impresses on staff the importance of complying with them.
- FCA investigations – a quiver full of arrows? The FCA is taking a new approach to its investigations – it will not use investigations as a precursor to contemplated enforcement action when something has gone wrong, but rather as a tool for finding out what has happened. The regulator acknowledges that a necessary result of the change in approach is that an increased number of investigations will be open. Firms and individuals will therefore need to be prepared for more investigations and resource themselves accordingly. While enforcement action following an investigation may no longer be seen as inevitable, it will still remain a real risk.
- Challenges to privilege: As firms have increasingly hired external law firms to conduct internal investigations, they have often assumed that any interviews conducted by the law firm with the firm's employees would attract privilege – particularly if these were investigations conducted after a notice of investigation had been received from the FCA. However, two recent cases have illustrated that the courts may take a narrower approach to privilege, especially in relation to material generated as a result of internal investigations.
- Key FCA enforcement cases in 2017: Last year, we saw the FCA place particular focus on market abuse cases involving capital markets; the regulator used its power for the first time to require a listed company to pay compensation to investors, while individuals were held to account for disseminating false and misleading information relating to publicly listed companies. In addition, a firm was found to have breached the FCA's disclosure and transparency rules, action was taken in relation to failures in respect of EMIR reporting requirements, and a decision was handed down by the Supreme Court setting out the position on third party rights in the context of FCA regulatory action. In the course of this year, we can expect more investigations and, most likely, more action against senior individuals as the SMCR beds down for banks and insurers. We also expect to see firms and individuals beginning to utilise the new options in the enforcement decision-making process, such as making direct referrals to the Upper Tribunal.
Firms are strongly encouraged to ensure that they are well-positioned to manage changes in the regulatory environment and to ensure that they are meeting regulatory expectations, and taking advice from legal experts where necessary. The consequences of doing otherwise could be severe.
Another key piece of European legislation (following MiFID II), the GDPR[1], is set to come into force on 25 May 2018. Described as one of the "biggest changes in data protection law for a generation"[2], the GDPR is intended to strengthen, unify and harmonise the EU data protection regime. The GDPR seeks to provide a single legal data protection framework across the EU, the product of which should be that non-European companies need only to comply with one set of data protection rules when dealing with European individuals' personal data.
1. Key changes
The key changes under the GDPR are as follows:
Broadened Territorial Scope[3]
The GDPR broadens the territorial reach of the EU data protection regime. The current EU data protection regime applies only to entities whose data processing activities were "carried out in the context of the activities of an establishment of the controller on the territory of the Member State"[4] or made use of "equipment, automated or otherwise, situated on the territory of the said Member State"[5] for purposes of processing personal data.
As expected, the GDPR will apply in full to the processing of the personal data of data subjects in the EU by a controller or processor that is established in the EU. In addition, and as a departure from the scope of the existing data processing rules, the GDPR will also apply to the processing of personal data of EU data subjects by a controller or processor that is not established in the EU, provided that the data processing activities relate to the offering of goods or services to EU citizens[6] or "the monitoring of behaviour that takes place within the [EU]"[7].
Increased Sanctions[8]
The sanctions for non-compliance with the new regime can be significant, with fines of up to €20 million or 4 per cent of worldwide annual turnover (whichever is greater). The maximum fine is likely to be reserved for the most serious violations. Sanctions can be imposed on both controllers and processors.
Consent[9]
Where it is appropriate to obtain valid consent from the data subject, the GDPR strengthens the qualitative requirements applicable to such consent. Requests for consent must be made in an intelligible and easily accessible form, using plain and clear language. Furthermore, it must be as easy to withdraw consent as to give it.
Breach Notification[10]
The GDPR requires a breach notification to the supervisory authority in all Member States where a data breach is likely to result in a risk to the rights and freedoms of individuals[11]. The notification must be made without delay and, where feasible, not later than 72 hours after becoming aware of the breach[12].
Increased Control for Data Subjects[13]
Under the GDPR, data subjects have the right – free of charge[14] – to obtain confirmation from the data controller as to whether, where and for what purpose their personal data is being processed. The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing[15].
Furthermore, in certain circumstances, data subjects are entitled to request the data controller to erase their personal data (right to be forgotten).
Wider Definition of Personal Data
Personal data now includes online identifiers, such as IP addresses[16].
The GDPR is intended to bring a more 21st century approach to personal data protection; the UK Information Commissioner has said, "The message about GDPR is continuity and change"[17]. New technology and new regulation will be a challenge for regulators and businesses alike. Firms will need to take active steps to ensure compliance and have confidence that their systems can meet the regulatory requirements.
2. How will the UK data protection regime be affected by Brexit?
Territorial Scope of the GDPR
Even though the UK government has confirmed[18] that the GDPR will apply to the UK when it comes into force on 25 May 2018, and new data protection legislation is being passed setting out derogations from the GDPR and other national implementing measures[19], the regulation may not technically continue to bind the UK post-Brexit. In practice, however, many UK businesses will still need to comply with the provisions of the GDPR because of its wide territorial scope and application.
As a general rule, any business that collects, stores and/or processes personal data of EU subjects is likely to fall within the scope of the GDPR. Thus, UK companies that process data on behalf of an EU-based data controller, or UK companies that offer or provide services to, or monitor the behaviour of, EU citizens, will continue to be subject to the GDPR post-Brexit.
This is relevant for a number of businesses, including UK and other non-EU investment funds and their managers and other service providers. The fund, through the administrator and, in some cases, the manager, is likely to store and process the personal data of individual EU investors and, as a result, be required to comply with certain requirements under the GDPR. Such personal data may include contact details of prospective EU investors, payment details, identity documents, information relating to tax residency status, source of wealth and employment status.
In order to ensure that such companies and investment firms may continue to market to prospective investors in the EU, and hold and otherwise process the personal data of EU individuals, and in order to avoid significant disruption to business, it is important that the UK's post-Brexit data protection regime is consistent with the GDPR.
Restriction on the International Transfer of Data
The GDPR regulates the international transfer of personal data of EU subjects to third countries and requires either that the data protection regime in the jurisdiction to which the data is transferred is "adequate"[20], that other appropriate safeguards are in place so as to ensure that the transferred data is sufficiently protected, or that the relevant transfer falls within an exemption.
When the UK leaves the EU, in order for UK companies to be able to receive EU subject data, the UK must ensure the adequacy of data protection levels. This may be achieved by[21]:
- An adequacy decision: the European Commission (EC) may decide that the UK offers an "adequate level of protection essentially equivalent to that ensured within the [EU]"[22]. If the UK wants to facilitate the transfer of EU personal data into the UK, it will need to ensure that its data protection regime is "adequate" (i.e., equivalent to the regime stipulated by the GDPR).
- The use of model contract clauses (MCCs): MCCs are entered into between a controller of EU subject data and another controller or processor that is not based in the EEA so as to enable the transfer of EU subject data between those parties. The MCCs were approved by the EC and remain valid under the GDPR unless the EC repeals the approval or the MCCs are invalidated by the European Court of Justice[23].
- The use of binding corporate rules ("BCRs"): BCRs are internal safeguarding rules adopted by multinational organisations that enable such organisations to transfer EU subject data outside the EEA but within their corporate group.
Data protection is an increasingly important area of regulation. If they have not already done so, firms should begin to carefully consider their data flows and think about how the new regulations are likely to impact their business. As noted above, the consequences for non-compliance could be severe.
[1] General Data Protection Regulation 2016/679
[2] Information Commissioner's Office – messages for the boardroom
[3] GDPR article 3
[4] Directive 95/46/EC article 4(1)(a)
[5] Directive 95/46/EC article 4(1)(c)
[6] GDPR article 2(a)
[7] GDPR article 2(b)
[8] GDPR article 83
[9] GDPR article 7
[10] GDPR articles 33 and 40
[11] GDPR recital 85
[12] GDPR recital 85; article 33(1)
[13] GDPR chapter III
[14] Unless the request is manifestly unfounded or excessive, particularly if it is repetitive
[15] GDPR recital 63
[16] GDPR article 4(1)
[17] GDPR and accountability (speech, Elizabeth Denham, 17 January 2017)
[18] Culture, Media and Sport Committee; Oral evidence: Responsibilities of the Secretary of State for Culture, Media and Sport, HC 764; Monday 24 October 2016 (http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/culture-media-and-sport-committee/responsibilities-of-the-secretary-of-state-for-culture-media-and-sport/oral/42119.html)
[19] Data Protection Bill 2017-19
[20] GDPR article 45
[21] Both MCCs and BCRs existed prior to the entry into force of the GDPR but will become relevant to EU-UK transfers of personal data post-Brexit.
[22] GDPR recital 104
[23] The ECJ is currently considering the validity of the Commission decision on which the MCCs are based; see the referral to the ECJ by the Irish High Court in DPC v Facebook Ireland Limited and Maximillian Schrems of 3 October 2017 (http://www.europe-v-facebook.org/sh2/ES.pdf).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.