Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Recent regulatory developments of interest to financial institutions generally.
On 7 May 2020, the UK Prudential Regulation Authority (PRA) published a statement that the Prudential Regulation Committee and the Financial Policy Committee have agreed to re-prioritise the following areas of the PRA's work in light of COVID-19:
In addition to these specific areas the PRA is continuing to make other adjustments and review ongoing plans to support firms while ensuring their safety and soundness is maintained. This includes postponing or scaling back planned reviews, consultations and policy announcements where suitable; wide-ranging reprioritisation of the PRA's internal initiatives and development workstreams; and deferring governance decisions on some less critical matters, where possible.
On 6 May 2020, the FCA published its expectations of firms in relation to information security in light of COVID-19. The FCA notes the increased activity by cyber criminals exploiting COVID-19-related themes. As more firms enable their employees to work from home, online systems are becoming increasingly mission critical and cyber criminals are also exploiting the situation for their own gain.
While alternative ways of working may be needed by firms to enable business continuity, the FCA expects firms to prioritise information security and ensure that adequate controls are in place to manage cyber threats and respond to major incidents. Firms should look to implement enhanced monitoring to protect end points, information and firm-critical processes, including network connections and video conferencing software. Firms are expected to proactively manage the increased risk during this unprecedented period. The FCA advises that this includes:
The FCA is in regular contact with the industry, the government, trade associations and other regulators to understand the impact of COVID-19 on firms' operational resilience. In particular, it is working closely with the industry to ensure that workarounds and continuity actions do not adversely impact firms' information security controls and their ability to provide services to customers.
The FCA advises firms to check the National Cyber Security Centre for advice on how to keep their organisations secure.
On 6 May 2020, the FCA published information on its expectations relating to firms' financial crime systems and controls in light of COVID-19. The FCA stresses that, in the current climate, it is important for firms to maintain effective systems and controls to prevent money laundering and terrorist financing. It reminds firms that individuals performing required functions (including the Money Laundering Reporting Officer (SMF17)) should only be furloughed as a last resort.
The FCA notes that criminals are already taking advantage of COVID-19 to carry out fraud and exploitation scams through a variety of methods, including cyber-enabled fraud. Those seeking to launder criminal proceeds or finance terrorism are also likely to exploit any weaknesses in firms' systems and controls. As a result, it is important that firms remain vigilant to new types of fraud and amend their control environment where necessary to respond to new threats. This should include the timely submission of suspicious activity reports (SARs).
Among other things, the FCA considers operational challenges and client identity verification.
Operational challenges
The FCA recognises that the current climate may give rise to operational challenges relating to financial crime systems and controls, but it says that firms should not seek to address operational issues by changing their risk appetite. For example, firms should not change or switch-off current transaction monitoring triggers or thresholds, or financial sanctions screening systems, for the sole purpose of reducing the number of alerts generated to address operational issues. However, the FCA does recognise that, while continuing to operate within the anti-money laundering (AML) and counter-terrorist financing (CTF) legislative framework, firms may need to re-prioritise or reasonably delay some activities. These could include ongoing customer due diligence (CDD) reviews, or reviews of transaction monitoring alerts. The FCA considers these delays reasonable provided a firm does this on a risk basis, and there is a clear plan to return to the business-as-usual review process as soon as reasonably possible. Firms must not weaken their controls in respect of detecting high-risk activity.
Where a firm is collecting information from an existing customer, firms are required to close accounts where the information is not provided. However, in the current situation, it expects firms to make reasonable efforts to collect this information or consider whether there are other ways of being reasonably satisfied with the customer's identity, before deciding to close the account.
Where firms need to amend their controls in response to COVID-19, the FCA advises that decisions should be clearly risk assessed and documented, and go through appropriate governance procedures.
The FCA expects to be notified of any material issues that impact on the effectiveness of a firm's financial crime controls or cause significant delays to remediation plans.
Client identity verification
The MLRs and Joint Money Laundering Steering Group guidance already provide for client identity verification to be carried out remotely and give indications of appropriate safeguards and additional checks which firms can use to assist with verification. The FCA gives examples of how this can be carried out where appropriate and reminds firms that the steps firms take to verify identity must be in line with their overall risk assessment, and the risk profile of the customer.
On 6 May 2020, the FCA published a speech by Nausicaa Delfas, FCA Executive Director of International, on the FCA's response to COVID-19 and Brexit.
In respect of its international work, the FCA is beginning to look at the medium to longer-term implications of the pandemic. These implications are expected to affect UK regulated markets and the regulatory framework for years to come. Ms Delfas notes the following areas of future focus:
On Brexit, Ms Delfas comments on (among other things) certain Brexit-related risks that need multilateral or reciprocal action by both the UK and the EU, which the UK cannot address alone. In respect of issues that cannot be resolved through equivalence (including provision of retail financial services by UK firms to EU customers), Ms Delfas notes that, while the FCA has put in place transitional regimes for EEA firms, the situation for UK firms in the EU is not the same. Their continued operations after the end of the transition period will depend on the regulatory regimes of individual EU member states. Although many of these member states had put in place temporary transitional regimes in the event of a no-deal exit, the majority of these have now lapsed. Therefore, firms must continue to consider what action is needed to prepare for the end of the transition period.
On 6 May 2020, the FCA published a modification by consent relating to the Senior Managers and Certification Regime (SMCR), allowing firms to apply for an extension to the maximum period FCA solo-regulated firms can arrange temporary cover for absent senior managers due to COVID-19. The FCA explains that it has modified its Supervision manual, SUP 10C.3.13R, (known as the "12-week rule") by extending the maximum period firms can arrange cover for a senior manager without being approved, from 12 weeks to 36 weeks, in a consecutive 12-month period. The FCA is also allowing firms to allocate an absent senior manager's prescribed responsibilities to the individual covering the role, by modifying rule 24.2.1 of the Senior Management Arrangements, Systems and Controls sourcebook (SYSC).
The modification by consent is designed to give firms flexibility in managing their governance arrangements during the COVID-19 pandemic. It also reduces their administrative burden by removing the need for firms to submit Form A applications or Form Js and Statement of Responsibilities (SoRs) notifications.
The FCA suggests that firms can use the modification by consent if, for example, a senior manager is absent because of COVID-19, or recruitment to replace a senior manager is delayed due to COVID-19. Firms can apply for the modification by consent as a precautionary measure if they think they may need to make or extend temporary arrangements to cover absences, in advance of actually needing it.
Firms wanting to take up the modification by consent should read the related direction and submit an application into the FCA's Connect system. The modification by consent will take effect from the date a firm applies for it and will end on 30 April 2021. The FCA will list firms that have applied for the modification on its website but will not identify if individuals have been ill with COVID-19.
Firms taking advantage of the modification by consent are reminded about the FCA's expectations on clearly documenting senior managers' responsibilities, including on relevant SoRs and management responsibilities maps (if relevant).
On 6 May 2020, the European Securities and Markets Authority (ESMA) published a statement reminding firms about their conduct of business obligations under the MiFID II Directive in the context of increasing retail investor activity during the COVID-19 pandemic. ESMA reports that several national competent authorities (NCAs) have noticed a significant increase in the number of investment accounts opened by retail clients and a surge in trading by retail clients.
It is therefore drawing firms' and clients' attention to the risks of trading in these highly uncertain market conditions and reminding investment firms of their conduct of business obligations. ESMA believes that firms have even greater duties when providing investment services to investors who decide to invest during these times of intensified market volatility.
It reminds firms of their obligation to act honestly, fairly and professionally in accordance with the best interests of their clients and to comply with all relevant MiFID conduct of business and related organisational requirements. In particular, ESMA highlights firms' obligations in respect of product governance, information disclosure, suitability and appropriateness.
ESMA states that it and NCAs will continue to monitor retail clients' involvement in the financial markets and firms' compliance with their conduct of business obligations and related organisational requirements under MiFID.
On 4 May 2020, Christopher Woolard, Interim Chief Executive FCA, exchanged letters with Caroline Wayman, Chief Ombudsman and Chief Executive, Financial Ombudsmen Service (FOS), on the FOS's approach to dealing with complaints concerning the UK Coronavirus Business Interruption Loan Scheme (CBILS) and the Bounce Back Loan Scheme (BBLS).
The purpose of the correspondence is to clarify for accredited lenders how the FOS will view lender behaviour under the BBLS, which came into force on 4 May 2020, and the changes to CBILS that were made on 27 April 2020.
In his letter, Mr Woolard outlines the new legal and regulatory framework and the differences between the two loan schemes. He also explains the changes the government has made, with effect from 4 May 2020, to the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 to ensure that lending under the BBLS falls outside regulated lending activity. Mr Woolard notes that the government will introduce primary legislation at the earliest opportunity to disapply sections 140A-140C of the Consumer Credit Act 1974 for BBLS lending, which will apply with retrospective effect from when the scheme came into effect.
Mr Woolard outlines the FCA's expectations of the FOS' approach to complaints arising from lending under the schemes. Among other things, he refers to the FOS' duty to resolve complaints according to what is fair and reasonable under DISP 3.6.4R and notes the FCA's understanding that the FOS will give due weight to the fact that firms must comply with the schemes' requirements.
In response, Ms Wayman acknowledges the regulatory approach outlined by the FCA and recognises that the schemes require lenders to take a different approach to lending and that this approach will be determined by the schemes' requirements and the new regulatory arrangements. Ms Wayman confirms that the FOS' understanding of how it will approach complaints that might arise from lending under the schemes is as set out by the FCA.
On 4 May 2020, the FCA announced that it will pilot a "digital sandbox", in collaboration with key strategic partners and the industry, to provide enhanced regulatory support to innovative firms tackling the challenges caused by COVID-19. The FCA had been exploring the concept of a digital sandbox prior to the pandemic and has now accelerated its plans as it recognises the important role of innovation in the current climate.
A digital sandbox will allow innovative firms to test and develop proofs of concept in a digital testing environment. The FCA seeks expressions of interest from regulated and unregulated firms, organisations, associations and individuals who would like to learn more, or discuss how they might contribute to developing the digital sandbox. It plans to open applications to the sandbox in summer 2020.
The FCA explains that it will shortly update the digital sandbox webpage with information on specific proposals for launching a coronavirus pilot of the digital sandbox.
An amended draft version of the Financial Services (Miscellaneous Amendments) (EU Exit) Regulations 2020, which have been laid before Parliament, has been published together with a draft explanatory memorandum.
A draft version of the Regulations was previously laid before Parliament on 21 April 2020. No substantive changes appear to have been made.
The Financial Services Regulatory Initiatives Forum has published the Regulatory Initiatives Grid. The Grid sets out the planned regulatory workplan over the next twelve months. The Forum hopes that, but publishing the Grid earlier that initially planned, it will help firms understand, and plan for, the timing of the initiatives that may have a significant operational impact on them.
The format of the Grid is likely to change in future editions. For example, it currently provides detail on the timing of initiatives by quarter over a 12-month horizon, but in future editions the Forum intends to extend this to 24 months. In addition, the Forum comments that there are more initiatives with indicative or indeterminate timing than it would expect in a "business as usual" context. Forum members may alter the timings or substance of initiatives, and announce new initiatives.
This is a one-year pilot exercise and the Grid will be published at least twice a year. The Forum encourages industry and other stakeholders to give it feedback.
TheCityUK has published a report on enhancing the UK's approach to innovation in financial services.
The authors note that UK is seeing the emergence of an increasingly sophisticated FinTech ecosystem as start-ups, technology firms and established operators step up their collaboration efforts. The UK's supportive regulatory landscape is a cornerstone of its FinTech success, and initiatives pioneered by the FCA in particular have been emulated by regulators worldwide. These have enabled the UK to build its reputation as a world leading FinTech hub, attracting and nurturing the companies that are setting the standard for the future of financial services.
However, the authors suggest that more support is needed to help firms take the next step into international markets, both at the regulatory level, as well as the wider challenge of understanding market context, culture and legal frameworks. The report focuses on four key elements which are essential to supporting the next stage of UK FinTech growth:
The European Parliament has published a briefing note on cryptoassets, setting out key developments, regulatory concerns and responses. It focuses on tokens, stablecoins and the possibility of central bank digital currencies (CBDCs).
The European Systemic Risk Board (ESRB) has published an occasional paper on "The making of a cyber crash: a conceptual model for systemic risk in the financial sector". It examines cyber security vulnerabilities within the financial sector and their potential impact on financial stability and the real economy.
The European Commission has published a staff working document setting out a new methodology for identifying high-risk third countries with strategic AML and CTF deficiencies under Article 9(2) of the Fourth Money Laundering Directive (MLD4). The aim of the new methodology is to provide more clarity and transparency in the Commission's process for identifying third countries.
The new methodology supersedes and replaces the methodology set out in the Commission's June 2018 staff working document.
The Commission has adopted its first Delegated Regulation using the new methodology (see below).
The European Commission has adopted a Delegated Regulation that amends the list of high-risk third countries with strategic AML and CTF deficiencies produced under Article 9(2) of MLD4.
The Delegated Regulation will amend the Annex to Delegated Regulation (EU) 2016/1675 by:
The Delegated Regulation will be submitted to the Council of the EU and the Parliament to consider for approval within one month (with a possible one-month extension). If neither objects, it will be published in the Official Journal of the EU (OJ). It will enter into force 20 days after its publication in the OJ.
The Delegated Regulation states that Article 2 (that is, the Article adding third countries to the list) shall apply from 1 October 2020. The Commission has provided a later application date for this Article because of COVID-19. It believes the later date should give sufficient time for effective implementation. The Commission envisages no major implementation issues for the delisting changes, so considers it reasonable to require delisting without undue delay.
This update is necessary since the EU list has not reflected the latest FATF lists adopted since October 2018.
On 5 May 2020, the Financial Action Task Force (FATF) published a report, COVID-19-related Money Laundering and Terrorist Financing Risks and Policy Responses. This report identifies challenges, good practices and policy responses to new money laundering and terrorist financing threats and vulnerabilities arising from the COVID-19 crisis.
It is based on papers shared on 7 and 23 April with the FATF Global Network of FATF Members and FATF-Style Regional Bodies (FSRBs).
This paper is for information and does not constitute the official view of the FATF. It does not imply or constitute any changes to the FATF Standards. The measures cited, and taken by some FATF members’ authorities, have not been reviewed or considered by the FATF membership as a whole.
Authored by Yvonne Clapham