In the 2018 edition of this publication, we ended the introduction with the line, “We can only hope that we will enter 2019 with greater certainty than 2018 as to how the regulatory landscape will look.” Unfortunately, certainty remains in rather short supply. With Brexit now (at least in theory) a matter of weeks away, it remains unclear what will happen: the government’s original proposed Withdrawal Agreement has been decisively rejected, but Parliament has indicated that it would support that agreement if the “Irish Backstop” provisions are renegotiated. The Prime Minister has therefore been mandated to return to negotiations on this point, in the face of statements by European Union leaders that there is no prospect of such negotiations going ahead. At the same time, Parliament has signalled that it “rejects” a no-deal Brexit, but has not agreed to a proposal which would have made this rejection binding. Further Parliamentary proceedings are now planned for the middle of February. Whether there is a hard, soft or no Brexit, there remain a number of issues beyond Brexit that authorised firms will have to consider in the year ahead. Including Brexit, here are 10 things that authorised firms need to know for 2019.
1. Brexit
In the absence of a decision on what will happen come 29 March 2019 (or indeed, come some future date if “exit day” is postponed), firms have been left in a state of uncertainty. Whilst this makes planning even more difficult, it is possible to plot out how certain of the more likely scenarios would play out. We consider what asset managers would face if the original Withdrawal Agreement is largely accepted (notwithstanding a change to the Irish backstop), what would happen in the event of the UK leaving the EU without an agreement, and what effect the UK’s remaining in a customs union with the EU would have on asset managers. We also consider what preparations the FCA has made for a no-deal scenario, in particular the “temporary permissions regime”.
2. The Extension of the Senior Managers and Certification Regime
The Senior Managers and Certification Regime (SMCR), which is currently in force for all banks, building societies, credit unions, and dual regulated investment and insurance firms, will be extended to cover all FCA solo-authorised firms by 9 December 2019. While the Financial Conduct Authority (FCA) will continue to approve people who take on Senior Manager roles, the obligation to certify employees below Senior Manager level as fit and proper will devolve on the firms themselves. Firms will also be required to train staff on the Conduct Rules and implement new or update existing systems and controls, including a variety of policies and procedures. Although the implementation is almost a year away, firms would be well advised to have the new requirements at the forefront of their minds to ensure a smooth transition.
3. Market Abuse
Market abuse continues to be an area of very significant interest for the FCA and of growing interest across the rest of the EU. Given the FCA’s view that compliance with the Market Abuse Regulation (MAR) is a “state of mind” rather than a matter of following procedures, firms will have to be particularly vigilant to ensure that they remain compliant.
4. The FCA’s Recent Enforcement Trends
2018 was, on the whole, a comparatively quiet year for the FCA, at least in terms of the number of investigations publicly brought to a conclusion and the consequent number of fines issued. The number of penalties was down, and the length of investigations was increasing substantially. We have looked at the number and distribution of investigations and decision notices to put together a picture of the FCA’s current enforcement trends.
5. Cybersecurity and Data Protection
2018 was an important year for data protection law, with the General Data Protection Regulation (GDPR) becoming applicable in May. We expect to see a trickle of enforcement cases in 2019 under the new regime as regulators, courts and tribunals interpret its provisions. Especially given the greatly increased penalties available for breaches, firms should continue to monitor compliance with their data protection obligations carefully. Further regulatory guidance on core provisions of the GDPR is expected during 2019.
As anyone following the unfolding of the political process of Britain withdrawing from the EU can attest, the only thing that is certain is the uncertainty.
The inconclusive process has meant that a number of options continue to be discussed and, while within the asset management industry a broadly shared view is that a hard Brexit is unlikely, a number of the options leave the treatment of financial services at best inconclusive. Asset managers have good reason to be vigilant to the political tides: even in the smoothest transition to a soft Brexit, responses will need to be prepared on a relatively quick timetable.
The key concern for asset managers will be the continuing access to EU markets. This means the ability to continue to provide services to existing and future fund and segregated account clients as well as EU investment managers, and the ability to market financial products and services to prospective clients and investors.
The specific mechanism that would allow for continuing and unrestricted access to the EU markets is still unclear: while some EU laws allow for an equivalence assessment, this is not the case in all relevant legislation, and it is likely that in some cases the price of market access will be a substantially higher regulatory burden that UK managers would have to bear. In the short term the patchwork of access provisions for third-country entities under the existing laws is likely to result in unsatisfactory arrangements and a higher level of regulatory risk across the industry.
The now partially rejected Withdrawal Agreement contemplates a transition period from 29 March 2019 until (at least) the end of 2020. While the final form of any agreement is still subject to active negotiations, a substantial transition period is now likely, not least because Parliament has expressed its disapproval of a no-deal Brexit, which would create significant instability in the markets and have an adverse impact on consumer outcomes not only in the UK but across the EU. During such a transition period, for all relevant intents and purposes, EU law would continue to apply in the UK, and asset managers would not be required to make substantial changes in response to “exit day” in the short term.
While some jurisdictions and regulators have concluded bilateral arrangements for ongoing mutual access and regulatory cooperation in advance of the 29 March withdrawal date, such bilateral arrangements are unlikely to be comprehensive, and are subject to revision depending on the ultimate outcome of negotiations with the EU and on ESMA’s views on the appropriate regulatory approach and solutions.
What happens if the UK “crashes out” with no deal? The EU and the UK would still be able to investigate and make equivalency determinations, though as it would likely take months, if not years, for these determinations to be made, in the short term there could be substantial difficulties for UK and EU entities to ensure that they were compliant.
Without a transition agreement, therefore, equivalence determinations could only provide a medium-term solution for those in the financial services sector and, given the limitations to relying on equivalence, a somewhat limited one at that.
The Labour Party is currently the largest opposition party in the UK Parliament and, whilst the contours of its Brexit policy remain uncertain, it has declared that it would like the UK to be part of a “permanent customs union”.
Whilst a customs union would go some way to permitting the free movement of goods, critically for asset managers, a customs union without an explicit extension to include services would preclude free movement of services of the kind that asset managers currently rely upon. In particular, under MiFID II and the AIFMD, and absent any specific further legislative solution, a customs union will likely preclude firms from using passporting rights as they do now. While both of the above directives contain mechanisms for a third-country passport, the regulatory framework for this does not currently exist, and the attendant conditions would be onerous and subject to material uncertainty. By contrast, membership of the single market would likely bring with it some form of passporting rights, if not in exactly the same form as currently benefits the industry.
Temporary Permissions Regime
In preparation for a no-deal Brexit, the Treasury and the FCA have shown willing. Regulations have been proposed to implement a “temporary permissions regime”, under which non-UK EEA firms currently operating in the UK would continue to be able to act as if they were authorised for a period of time.
Ultimately, firms relying on a temporary permission will have to make a transition to full authorisation. The FCA has actively encouraged incoming EEA firms currently using passports to prepare applications for a temporary permission to avoid overcrowding at the last moment before the curtain falls.
Increasingly, a shared common sense that a no-deal Brexit should be avoided at all, or nearly all, costs has seeped into the political discourse, and valiant efforts have been made by manufacturing and services industry lobbies to steer clear of a cliff-edge departure on 29 March. As the past years have shown, however, one does well to expect the unexpected, and the haphazard contingency plans that have been drawn up to this end could yet be put to the test. The contingency plans of individual firms, which are left poised for action without any clear guidance, meanwhile often have a significant component of hoping for the best.
On 4 July 2018, the FCA published near-final rules setting out how it intends to implement the extension of the SMCR to all FCA-authorised, nonbanking firms.[1] The FCA has proposed for this new regime to become effective on 9 December 2019, albeit with a transitional period to give firms time to implement it fully.
As had been previously proposed by the FCA, the SMCR will be implemented in tiers. Most firms will fall within the “Core Regime”; however, a small number of firms categorised as “enhanced regime” firms will be subject to additional requirements, and there will be fewer rules for “limited scope” firms.
The proposed new rules require firms to obtain prior FCA approval for “Senior Managers.” An individual who is designated a Senior Manager may be personally liable for breaches of FCA requirements that take place within his or her area of responsibility. In addition, firms will be required to certify the fitness and propriety of individuals who are not Senior Managers, but who may cause significant harm to the firm or to its customers due to the nature of their role. A new set of Conduct Rules will apply to virtually all individuals within a firm.
The first enforcement case under the SMCR, regarding the CEO of Barclays, was decided in 2018: We discuss it in more detail under “Recent Case Law and Key Enforcement Cases” below.
To Whom Does This Apply?
The SMCR will apply to all UK nonbank firms authorised by the FCA. This will include UK group entities of non-UK firms, including US and Asian investment managers with a UK sub-advisor or a UK execution-only presence. The rules will also affect some non-UK staff of UK firms, including directors or material risk takers based outside the UK.
The Core Regime consists of three main elements: the Senior Managers Regime, the Certification Regime and the Conduct Rules.
(i) Senior Managers Regime
An FCA-authorised firm will need to obtain prior approval from the FCA for the most senior staff members whose roles include the performance of “Senior Management Functions.” As has been the case under the current system, the Senior Managers will need to demonstrate to the FCA that they are fit and proper to undertake their roles. As part of this, firms will need to obtain criminal records checks for all proposed Senior Managers. Approval to hold a Senior Management Function may be granted by the FCA outright, for a limited time period, or subject to conditions.
The Senior Management Functions include the Chairman function (SMF9), the Chief Executive function (SMF1), the Executive Director function (SMF3), the Compliance Oversight function (SMF16) and the Money Laundering Reporting Officer (SMF17). Anyone who performs these functions in a firm covered by the SMCR, whether present in the UK or not, will need to seek this authorisation.
Under the current Approved Person/Controlled Function regime, a corporate entity is permitted to hold a Controlled Function. Under the Senior Managers Regime, however, only individuals can hold a Senior Management Function; it cannot be held by a corporate entity. In firms where a corporate entity currently performs a Controlled Function, it will be necessary to consider which individual will hold the Senior Management Function. Whilst the FCA has not made explicit how this will work, firms should consider who is directing the corporate entity that is performing the Controlled Function. It is likely that a director of that corporate entity will be the most suitable person to hold that Senior Manager position.
Statement of Responsibilities
Firms must prepare a Statement of Responsibilities (SoR) with respect to each Senior Manager. Firms will need to provide the SoR to the FCA when a Senior Manager applies to be approved, and then whenever there is a significant change to his or her responsibilities. If a Senior Manager holds more than one Senior Management Function within one firm, he or she will be required to have only a single SoR describing all of his or her responsibilities. However, if a Senior Manager holds Senior Management Functions in two or more firms, he or she will need a separate document for each firm.
The FCA has published guidance on the contents of an SoR: an SoR must be a self-contained document, which does not incorporate any other document by reference. It must show clearly how the responsibilities performed by a Senior Manager fit in with the firm’s overall governance and management arrangements, and (where the firm is required to maintain one) it must be consistent with the firm’s management responsibilities map. Ultimately, the firm’s set of SoRs, when put together, should demonstrate that there are no gaps in the allocation of responsibilities among the Senior Managers.
Duty of Responsibility
Each Senior Manager will owe a duty of responsibility. This means that, if a firm is in breach of its obligations under the FCA’s rules or principles, the Senior Manager responsible for the area in which the breach took place could be held personally accountable. In order to hold someone individually accountable, the FCA would have to show that the Senior Manager did not take the steps that a person in his or her position could reasonably be expected to take to avoid the breach occurring. This duty is intended to extend accountability beyond junior decision-makers to the highest echelons of the business.
The FCA has proposed a number of “Prescribed Responsibilities.” Firms will be obliged to ensure that, at all times, a Senior Manager has responsibility for each of the Prescribed Responsibilities. Some examples of Prescribed Responsibilities include the performance by the firm of its obligations under the Senior Managers Regime (including its implementation and oversight), the performance by the firm of its obligations under the Certification Regime (discussed below), the performance by the firm of its obligations in respect of notifications and training in relation to the Conduct Rules, and the responsibility for the firm’s policies and procedures for countering the risk that the firm might be used to further financial crime.
(ii) Certification Regime
The Certification Regime will apply to employees who are not Senior Managers, but whose role means that it is possible for them to have a significant impact on customers, the firm or market integrity. These roles are called “Certification Functions.” For each employee undertaking a Certification Function, the firm must assess whether they are fit and proper to do their job, and the firm must provide each such employee with a certificate to that effect. This certificate must circumscribe the areas of the business with which that employee will be involved. For each employee, certification must be undertaken at least once a year. In deciding whether someone is fit and proper under the Certification Regime, the firm will have to take into account several different factors, including whether that person has obtained relevant qualifications, whether he or she has undertaken certain training programmes, whether he or she possesses the requisite level of competence and whether he or she has the appropriate personal characteristics for the role.
The Certification Functions include what was CF29 under the Approved Persons regime, which was (unfortunately) called the “significant management function.” Care should be taken that no confusion arises: To be clear, holders of the significant management function under the Approved Persons regime in all likelihood will be subject to the Certification Regime and not the Senior Managers Regime.
The restriction of the Certification Regime to “employees” is somewhat misleading: not only does it encompass “employees” in the ordinary sense of the word, but it also includes anyone who provides, or is under an obligation to provide, services to the firm and who is subject to the supervision, direction or control of the firm as to the manner in which those services are provided. Third-party contractors and other agents may fall within this definition. The Certification Regime applies to all UK-based employees, any non-UK-based employees who have contact with UK clients and any material risk takers, regardless of where they are located.
Whilst perhaps uncommon, it is possible that someone performing a Senior Management Function will also be performing a Certification Function. In this case, it is necessary for both procedures to be followed, that is, the FCA will have to authorise that person to hold a Senior Management Function, and the firm will have to certify them as fit and proper to perform their role.
As the SMCR replaces the Approved Persons regime, the number of people approved individually by the FCA will decrease dramatically, since the vast majority of employees will not be Senior Managers, but will fall within the Certification Regime. Consequently, the Financial Services Register currently maintained by the FCA will become much less useful, since only those people approved by the FCA (Senior Managers) are likely to continue to appear on it.
In light of this, the FCA published a consultation paper in July 2018 proposing the introduction of a new Directory. This Directory would contain information not only on Senior Managers, but also on all people who have been certified by their organisation. Populating this Directory will require the co-operation of authorised firms, since they will be the ones with the information on their certifications. The provision of this information to the FCA for the Directory may well be a nontrivial matter for firms.
The FCA’s consultation closed on 5 October 2018, and we expect the FCA to issue a policy statement in Q1 of this year. At that point, we will hopefully know much more about what is proposed and what burdens might be placed on individual firms.
(iii) Conduct Rules
The Conduct Rules will be enforceable by the FCA against individuals. The individual Conduct Rules will apply to all staff (barring certain ancillary staff, such as receptionists, cleaners and catering staff). The FCA will apply the Conduct Rules to a firm’s regulated and unregulated financial services activities. It should be noted that this is a narrower scope than how the Conduct Rules apply within the SMCR as applied to banks, where the Conduct Rules apply across the board to all activities.
The Conduct Rules are divided into two tiers, the first tier being applicable to all staff, and the second tier being applicable to Senior Managers only.
The Conduct Rules are high-level guidance and largely replicate the principles currently applicable to Approved Persons. They are informed by the Principles for Businesses, which remain unchanged. Firms will be obliged to train all staff on how the Conduct Rules apply to their activities within the firm.
The Enhanced Regime
The largest and most complex firms will be subject to certain additional requirements under the enhanced regime. Enhanced regime firms will include “significant investment (IFPRU) firms” and firms with assets under management of £50 billion or more.
Enhanced firms will need to comply with the Core Regime requirements and certain additional requirements. These include additional Senior Management Functions and Prescribed Responsibilities, as well as a requirement that a Senior Manager has overall responsibility for every business activity and management function of the firm. In addition, an enhanced regime firm will have to compile a responsibilities map that sets out the firm’s management and governance arrangements.
Regulatory References
For incoming employees who are either going to be performing Senior Management Functions or who will be covered by the Certification Regime, a firm will have to request a reference from their previous employers covering the preceding six years. This reference will be known as a “Regulatory Reference.” It must include information on any disciplinary action following breaches of the Conduct Rules, as well as any information relevant to whether the employee was fit and proper. This information will need to be shared in a standard template, and, for each employee, the Regulatory Reference must be updated appropriately if and when any new relevant information comes to light.
Since Regulatory References will be mandatory to provide, it is important that firms do not attempt to enter into agreements that conflict with their obligation to provide such references (for example, NDAs).
Non-Executive Directors
Non-Executive Directors (NEDs) will need to be approved by the FCA if they are to perform the SMF9 Chair Function or the SMF14 Senior Independent Director Function. NEDs who do not need to be approved may still be subject to the Conduct Rules and the Certification Regime. In addition to the generally applicable Conduct Rules, NEDs will also need to comply with Rule SC4 (the requirement to disclose appropriately any information of which the regulator would reasonably expect notice), which otherwise applies only to those holding Senior Management Functions.
Transitional Arrangements
The FCA has announced various conversion mechanisms that should ease the transition from the current Approved Persons regime to the SMCR. For example, Approved Persons at “core” firms will have their Controlled Function approval mapped to the relevant Senior Management Function where possible (e.g., a director holding CF1 will become (if appropriate) an executive director holding SMF3). Other Approved Persons holding just CF30 (Customer), for example, may not need to hold a Senior Management Function at all and will simply be covered by the Certification Regime. Whilst this will ease the transition somewhat, this automatic mapping will not be possible for all Approved Persons (e.g., an Approved Person holding CF4 (Partner) may have to hold SMF3 (Executive Director), as well as SMF27 (Partner)). It will be necessary, therefore, for some care to be taken to ensure that the conversions to the new regime are all correctly completed.
The FCA has also announced transition provisions with respect to the Certification Regime. For example, firms will have one year from the commencement date of 9 December 2019 to provide a certificate to employees as required. However, firms will have to have identified who will need to be certified under the Certification Regime on day 1.
Whilst the commencement date is still some time away, firms would be well advised to have started to think about what they will need to do in good time so as to ensure a seamless transition when this is required.
“Complying with [MAR] is more than adhering to a set of prescriptive requirements”; it is a “state of mind,” so says the FCA.[2] In reiterating its understanding of MAR, the FCA has once again set firms a high bar to meet in the detection and avoidance of market abuse, while providing comparatively little direction on how to comply.
Market abuse remains a high priority for the FCA. In 2017/2018, the FCA received 4,829 insider dealing reports and 666 market manipulation reports, and consequently opened 87 abuse cases. The regulator’s continued interest makes it all the more important to glean as much as possible from the FCA’s publications to try to discern how best to satisfy the requirements placed on firms as the “first line of defence” against market abuse.[3] A few themes from the FCA’s recent publications are worth highlighting.
First, in relation to systems surrounding internal alerts and warnings of potential market abuse, the FCA has warned against relying on “out of the box” or “industry standard” software. Whilst the FCA accepts that generic software can be helpful to a firm, it considers this too blunt an instrument for a firm to rely on. There is a danger that people who are intent on market abuse will not be caught if they deviate at all from the most common forms of market abuse that such software is designed to detect. The remedy, from the FCA’s point of view, is that each firm must assess what warnings and alerts are appropriate for the business that firm conducts, taking into account the scale, size and nature of the firm’s activity. Whilst this may be informed by “industry standards,” the firm must exercise its own independent judgment in determining what will be sufficient.
Second, the FCA has reported that it thinks there is a level of underreporting of suspicious transaction and order reports (STORs). In particular, the FCA thinks that firms are sometimes taking too narrow a view of the market, and thereby missing suspicious behaviour; the example used by the FCA relates to fixed income products, where firms may analyse the trades in one particular product and not consider trades in other related products that, when analysed together, would require a STOR submission.[4]
Third, the FCA has scrutinised firms’ use of insider lists. Under MAR, firms are required to maintain insider lists, and there are templates that must be used setting out what information should be contained within an insider list. When requested, these lists must be provided to the FCA. The FCA notes that it has “observed varying quality in the insider lists we have received to date.”[5] A particular concern that the FCA has is the overuse of permanent insider lists as a way of trying to avoid keeping deal-specific insider lists up to date. The advice to firms given by the FCA is to anticipate likely sources of inside information and set up systems that ensure that insider lists for individual deals or events are naturally created whenever a market participant gains inside information. Removing a dependence on permanent insider lists is, it appears, designed to encourage this behaviour.
The European Securities and Markets Authority
2018 saw ESMA issue its first annual report under MAR, providing a summary of actions under MAR across the EU in 2017.[6] In summary, the results are as follows:
The FCA’s enforcement figures do not make for comfortable reading for financial institutions. Year on year, the number of investigations opened by the FCA is increasing. This zeal for opening investigations, however, is not matched by an equivalent growth in the number of cases reaching a conclusion. In practical terms, this means not only that, statistically speaking, you are more likely to be the subject of an investigation, but that this investigation is likely to take a significant time to conclude.
In the minutes of the meeting of the FCA board in September 2018, it is noted that the FCA planned to “clea[r] all legacy cases by Q1 of 2019.”[7] Our review of the notices that the FCA has produced since then would suggest that this was perhaps optimistic.
We note that the accuracy of the FCA’s reports on the number of open investigations has been placed under some scrutiny recently. At the end of last year, the results from several freedom-of-information requests made to the FCA within a matter of weeks of each other were published.[8] Each of these requests ostensibly asked for the same information (the number of open investigations), yet the FCA gave three different, incompatible answers.
Whilst we have no reason to doubt the figures provided by the FCA, which we review here, it is evident that the presentation of the data is not intended to be neutral and that further contextualisation is required.
Number of Cases
The latest full figures on the number of cases that we have are for the 2017/2018 year.[9] On 1 April 2017, there were 410 investigations open. In the following 12 months, 208 cases closed, and another 302 investigations started. Ultimately, by 31 March 2018, there were 94 more open investigations than the previous year.
The most striking increase in this period relates to investigations into culture and governance. The number of cases in this category increased by more than 300%, from 15 to 61 cases. Financial crime cases also showed a substantial increase of more than 50%, from 55 to 86 open investigations, and market abuse investigations were up by nearly 30%, from 22 to 28 open cases. The only type of investigation showing a substantial decrease in this period was wholesale conduct investigations, which declined by just more than 30% from 38 to 26 cases.
Whilst these statistics must be understood within the context of a comparatively small data set, these figures do tally with the FCA’s stated priorities, particularly with the ever-increasing focus on individual accountability and acting against criminal conduct threatening the integrity of the market.
The average length of civil and regulatory cases brought by the FCA, including cases that settle or where the FCA decides to take no further action, has increased by about a month and a half, from 17.6 to 19.1 months.
This figure, on its own, however, is somewhat misleading: This modest increase in the overall average covers some more concerning changes in particular categories. For example, in a case that eventually settles, the length of time from commencement of the investigation up to settlement has increased by nine months to 32.3 months. Of even greater concern, the average length of a concluded case that was referred to the RDC has nearly doubled since the previous year to 59.4 months (almost five years). Since this is an average, it is quite possible that some cases have taken substantially longer than this.
In contrast to these figures, however, the average duration of a concluded case that is eventually referred to the Upper Tribunal has decreased by approximately nine months to 52.4 months.
Final Notices and Financial Penalties
In 2017/2018, the FCA issued 269 final notices, with penalties imposed of almost £70 million. By contrast, in the first six months of 2018/2019, the FCA issued only 77 final notices, and penalties of only just under £2.4 million. While the FCA was more active in the second half of last year – notably, in October, it fined Tesco Personal Finance plc £16.4 million, and, in December, it fined Santander UK plc £32.8 million – the £60.4 million total fines for 2018 remains the second lowest since the regulator’s inception by both total value and number of fines.
The FCA noted in its 2017/2018 Enforcement Annual Report that “[c]riminal cases can take significantly longer to resolve than regulatory cases” and reported that the average length of all criminal cases is 58.2 months.10 Whilst this is substantially longer than the “average” civil or regulatory case – that is, an average that includes investigations that are not pursued or that settle – we note that it is eminently comparable to the average duration of cases involving an RDC or Upper Tribunal reference.
One recent criminal case is of particular note. The FCA brought a prosecution against a former UBS compliance officer and a UBS trader over allegations of insider dealing.11 The two defendants had their first hearing before the City of London Magistrates in June 2017. Only in October 2018 did the eight-week trial start. Then, in December 2018, after five days of deliberations, the jury was unable to reach a verdict and was discharged, even though the judge had permitted it to return a majority verdict. The FCA has notified the court that it intends to seek a retrial of these defendants.12
Financial regulation is now inexorably intertwined with data protection rules. It is also striking that these rules often have very broad application beyond the EU. As explained below, recent enforcement cases indicate that the nexus does not have to be extremely obvious or clearly direct.
(i) The GDPR
The data protection framework set out in the GDPR continues to become further entrenched in the financial regulatory framework relevant to financial market participants, including asset managers. This is reflected, for example, in the FCA’s focus on cybersecurity in its 2018/2019 Business Plan, which sets out the FCA’s objectives for the period,13 joint FCA and UK Information Commissioner’s Office (ICO) statements,14 and co-ordinated investigations and enforcement actions of the FCA acting with the ICO.15
It is worth looking back to two enforcement actions of 2018 as a reminder of the direction in which GDPR enforcement is heading. They accord with the widely held expectation of aggressive enforcement and, of particular concern for non-EU-based asset managers, illustrate the relatively narrow connection to the EU that the ICO considers sufficient to bring an enforcement action.
(ii) AggregateIQ Data Services Ltd – Enforcement over an Entity with no Presence in the EU
In October 2018, AggregateIQ Data Services Ltd (AIQ) was the first target of a formal enforcement notice by the ICO under the GDPR.16 AIQ, which is a Canadian business, was required to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise.” AIQ breached the GDPR because it “processed personal data in a way that data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for processing”. The case is significant for non-EU businesses in particular because the enforcement notice was served on an entity established outside of the UK that had no presence at all in the EU. The ICO took the view that AIQ’s processing of personal data related to the monitoring of data subjects’ behaviour in the EU and that it was therefore within the scope of its enforcement powers.
(iii) Equifax Ltd. – Non-EU Cyber-Attack Did Not Preclude Application of EU Rules; and Significant Fine
In September 2018, the ICO issued Equifax Ltd, a UK-based credit reference agency, with a £500,000 fine for failing to protect the personal information of approximately 15 million UK citizens whose data was breached during a cyber-attack against Equifax that took place in 2017.17 The fine was the maximum that could be levied under the pre-GDPR legislative framework. Since the failings occurred before the date of entry into force of the GDPR (25 May 2018), the investigation was carried out under the previous UK regime. The case is significant for non-EU businesses in particular because the location of the cyber-attack in the US did not preclude strict application of the UK’s data protection rules. Although the information systems compromised were those of Equifax in the US, Equifax in the UK was identified as responsible for the data of its UK customers: the ICO took the view that the UK arm of Equifax failed to take appropriate steps to ensure that its US parent, which was processing the data on its behalf, was protecting the information. Although it is too soon to tell, compliance challenges may arise post-Brexit if, over time, the substance of key requirements under the GDPR diverges from the form of the GDPR that the UK adopts as a legally separate regime on “exit day”: there may eventually, in effect, be two fairly distinct versions of the GDPR.
Regulatory guidance is expected to be forthcoming in 2019 concerning, among other aspects of the GDPR, its high-level principles, including lawfulness, fairness, transparency of data processing and storage requirements.
The EU e-Privacy Regulation
The e-Privacy Regulation (the EPR) impacting, among other matters, “direct marketing” in the EU, is in the process of being finalised, and it is expected to come into effect in late 2019 or early 2020 once the legislative process has concluded.
The rules replace and tighten the existing “direct marketing” requirements under the e-Privacy Directive from 2002.18 In addition, direct marketing will, as explained below, be subject to rules that are uniform across the EU rather than, as currently, implemented differently by each member state. Further, the stricter GDPR concept of “consent” will now apply: consent must be freely given, specific, informed and unambiguous, and evidenced by a positive action of the recipient. A pre-ticked consent box, for example, will not suffice. The EPR also provides for significant fines along the lines of those under the GDPR.
The territorial scope of the EPR is wide-reaching: In addition to compliance being required by legal and natural persons within the EU, legal and natural persons located outside of the EU will also be required to comply with the EPR where they provide electronic services to users located in the EU. Whilst enforcement against non-EU persons may be difficult, for anyone with any connection to the EU, these rules will be important to follow as well.
Direct marketing is defined broadly as “any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the placing of voice to voice calls, the use of automated calling and communication systems with or without human interaction, electronic message, etc.” Those engaging in direct marketing will need to display their phone number or, alternatively, use a special identifiable prefixed number that makes clear that the call relates to marketing.
One of the most significant rules expected to be contained in the EPR, and so to be in force across the EU, provides for a “soft opt-in” in particular circumstances. The soft opt-in permits direct marketing to be directed towards a person who has already received goods or services from the business, provided that (a) the direct marketing relates to similar goods or services, and (b) in each communication, the subscriber is given the opportunity to “opt out”. This rule is similar to the one already in force in the UK under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR);19 however, it will be necessary to wait and see whether the concept is given the same meaning by the EU courts as it has been understood domestically.
In October 2018, the FCA fined Tesco Personal Finance plc £16.4 million for systems and controls-related failings following a cyber-attack that the FCA considered “largely avoidable”.20 The FCA said in its final notice that Tesco Personal Finance plc failed to take appropriate action to prevent the foreseeable risk of fraud. In doing so, it breached Principle 2 of the FCA’s Principles for Businesses, which requires a firm to conduct its business with due care, skill and diligence.
The second part of this article – from The Hedge Fund Journal Issue 140 – can be found here.
2. FCA, Market Watch, December 2018, Issue 58, https://www.fca.org.uk/publication/newsletters/market-watch-58.pdf.
3. FCA, Market Watch, December 2018, Issue 58, https://www.fca.org.uk/publication/newsletters/market-watch-58.pdf.
4. FCA, Market Watch, September 2018, Issue 56, https://www.fca.org.uk/publication/newsletters/market-watch-56.pdf.
5. FCA, Market Watch, December 2018, Issue 58, https://www.fca.org.uk/publication/newsletters/market-watch-58.pdf.
6. https://www.esma.europa.eu/sites/default/files/library/esma70-145-1081_mar_article_33_report_sanctions.pdf.
7. https://www.fca.org.uk/publication/minutes/fca-board-26-and-27-september-2018.pdf, point 11.2.
8. See L. Rogerson and R. Wolcott, “UK FCA published inconsistent, double counted enforcement statistics in freedom of information responses” (Thomson Reuters, 14 December 2018).
9. Unless otherwise stated, figures in this section are taken from: https://www.fca.org.uk/publication/corporate/annual-report-2017-18-enforcement-performance.pdf (last accessed 14 December 2018).
10. https://www.fca.org.uk/publication/corporate/annual-report-2017-18-enforcement-performance.pdf, page 9.
11. https://www.fca.org.uk/news/press-releases/two-charged-insider-dealing.
12. https://www.ft.com/content/9b00c710-fe17-11e8-ac00-57a2a826423e.
13. https://www.fca.org.uk/publication/business-plans/business-plan-2018-19.pdf.
15. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach/.
16. https://ico.org.uk/media/action-weve-taken/enforcement-notices/2260123/aggregate-iq-en-20181024.pdf.
17. https://ico.org.uk/media/action-weve-taken/mpns/2259808/equifax-ltd-mpn-20180919.pdf.
18. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
19. The Privacy and Electronic Communications (EC Directive) Regulations 2003 SI 2003 No.2426.
20. We discuss this case further in the section “Recent Case Law and Key Enforcement Cases”.