Investment Management Update
- Data protection law changes - 12 months to GDPR
- FCA guidance on cyber resilience
- FCA initial report on the Assessing Suitability Review
- ESMA issues principles on relocations from the UK
- ESMA updates AIFMD and UCITS Q&As
- ESMA Money Market Funds consultation
The recent ransomware attacks should have provoked at least some renewed focus among business leaders on their standards of information security. Another potential cause of disruption is the change to EU rules on data protection, in the shape of the General Data Protection Regulation (GDPR) which is due to take effect on 25 May 2018. With one year until implementation, the GDPR needs attention now.
Brexit will not affect the introduction of GDPR. Following its introduction, this law is unlikely to be materially amended, assuming the UK wishes to remain at the forefront of digital evolution. To fulfil that wish requires international data exchange, including with remaining EU Member States.
Whether or not a business is established in the EU, if it processes personal data relating to EU citizens, then the GDPR will apply to it, and it will apply both to data held now and data collected in the future.
What needs to be done?
It is not too late to get started, but 12 months is not a luxury of time. Businesses need to be aware of what personal data they are collecting and processing now, as well as what they want to do with it. Businesses also need to be aware of the security measures they are applying to keep that personal data safe. To achieve that understanding requires some form of survey or internal audit. This in turn can generate a form of “data map” identifying where and how personal data comes into the business, what happens to it internally and then how (if ever) it leaves.
The GDPR focuses heavily on transparency – enabling individuals whose information is collected (data subjects) to know far more clearly what is collected, when it is collected, how it is collected and what then will happen to it. The consequence of this is that a review of various data-related documents must be undertaken to ensure compliance with the new rules, including as appropriate:
- data collection notices and privacy policies;
- customer and subscription agreements;
- supplier relationships; and
- investor documentation.
All of these will need to reflect the new responsibilities which the GDPR places on both the collector (controller) of such personal data as well as the recipient (processor). In particular, collection notices and privacy policies will need to be enhanced to reflect the increased information fields which are now required. Whether data is inputted directly into a website or arrives in the form of a business card at a coffee shop, the analysis will need to be done.
A key change to the regime is the direct responsibility of processors to the data subjects themselves, and amendments will be needed to supply chain relationships to ensure that any processor to whom personal data is transferred in the course of operations is fixed with managing that data in such a way as to limit exposure to the data controller. Such amendments ought not to be controversial, although any requests for (disproportionate) indemnity protection are bound to be made and contested.
The approach of encouraging compliance by sanction has occupied much of the headlines to date. The existing maximum penalty of £500,000 will be increased to a maximum of 4 per cent of global turnover for certain breaches. Each business based in the EU will have a lead supervisory authority to which it will answer in the case of problems. For businesses headquartered in the UK this will in most cases be the Information Commissioner's Office.
As a result of the intersection of cyber-security and regulatory pressures, there will be increased pressure to react swiftly and effectively to data breaches and/or losses. Technology plays a major part in managing the risk here, but so too does culture. Training and the raising of general awareness among those who work around personal data is critical in the ongoing fight against data loss.
Consistent with the need for transparency is the need for processors of data to hold evidence to justify their actions. That means that a paper record of any significant changes to the manner in which personal data is processed will need to be held. This will serve as a mitigating factor should anything untoward occur, and so the immediate burden of compliance may well prove to be time well spent at a later date.
In summary, it is not too late to start work on a compliance process to move from the current Data Protection Act-led position to a regime governed by the GDPR, but 12 months is not long. Relevant data authorities are producing guidance and businesses should monitor that as part of designing and implementing their new processes.
Following the recent ransomware attacks in the UK, the FCA has published guidance on “cyber resilience” to remind financial services firms of the FCA’s goal of protecting consumers and upholding market integrity, as well as each firm’s need to develop a “security culture” taking into account all levels of the business.
The FCA has directed firms to the National Cyber Security Centre for information on how to protect information and how to ensure that cyber security response systems are in place. The FCA guidance also includes links to FCA speeches and guidance around outsourcing IT services to third parties; spotting ransomware or fake emails from the FCA; and the current threat landscape.
Finally, the FCA guidance reminds firms of their duty (under Principle 11) to report material cyber incidents. A material cyber incident is defined as one which:
- results in significant loss of data, or the availability or control of IT systems;
- impacts a large number of victims; or
- results in unauthorised access to, or malicious software present on, information and communication systems.
If any of the above applies, the incident should be reported to the FCA, the PRA (if applicable) and the Action Fraud team (all details are available in the FCA’s guidance note).
The suitability of advice to consumers was highlighted as one of the seven priorities in the Financial Conduct Authority’s (FCA) Business Plan 2016 / 2017. As a result, the Assessing Suitability Review was initiated in April 2016 to assess a statistically robust sample of advice files, allowing the FCA to draw conclusions on the suitability of advice and quality of disclosure in the sector as a whole. The FCA has now released its initial report.
The review assessed 1,142 pieces of advice given by 656 firms and found the following:
- Suitability of Advice
- In 93.1 per cent of cases, the sector provides suitable advice
- In 4.3 per cent of cases, the sector provides unsuitable advice
- In 2.5 per cent of cases, the sector provides unclear advice
While the overall results are positive, the FCA has identified specific areas of advice which pose a higher risk to customers and will therefore consider focusing more resource on them as announced in the Business Plan for 2017/18.
- Disclosure to Consumers
- In 52.9 per cent of cases, the sector provides acceptable disclosure (i.e. the FCA's disclosure requirements have been complied with)
- In 41.7 per cent of cases, the sector provides unacceptable disclosure (i.e. the FCA's disclosure rules have not been complied with)
- In 5.4 per cent of cases, the sector provides uncertain disclosure
The disclosure results show that the main area of concern is firms’ initial disclosure, which covers firms’ costs and services. The predominant issues were firms disclosing charging structures with wide ranges, and firms using hourly charging rates without giving any indication of the number of hours each service would take, rather than firms failing to provide any cost information at all.
- Next Steps
- The FCA will share more detail of their findings, including communicating examples of good and poor practice, through a communication programme which comprises written publications, digital media and speeches.
- The FCA expects firms to consider the results and identify areas where they can improve.
- Important changes are coming to the advice and disclosure requirements through the Markets in Financial Instruments Directive II (MiFID II), the Packaged Retail and Insurance-based Investment Products regulation (PRIIPs) and the Insurance Distribution Directive (IDD). In a number of areas there will be increased requirements for financial advisers. Firms need to ensure that they take note of the new requirements and make any changes necessary.
- The FCA intends to repeat its Suitability Review in 2019.
The European Securities and Markets Authority (ESMA) has issued an opinion setting out general principles aimed at fostering consistency in authorisation, supervision and enforcement relating to the relocation of entities, activities and functions from the United Kingdom following the Brexit vote.
ESMA is conscious that UK-based market participants may seek to relocate in the EU27 in order to maintain access to EU financial markets. ESMA considers it necessary to ensure that the conditions for authorisation as well as for outsourcing and delegation do not generate supervisory arbitrage risks.
The opinion sets out nine principles:
- No automatic recognition of existing authorisations;
- Authorisations granted by EU27 regulators should be rigorous and efficient;
- Regulators should be able to verify the objective reasons for relocation;
- Special attention should be granted to avoid letter-box entities in the EU27;
- Outsourcing and delegation to third countries is only possible under strict conditions;
- Regulators should ensure that substance requirements are met;
- Regulators should ensure sound governance of EU entities;
- Regulators must be in a position to effectively supervise and enforce EU law; and
- Coordination to ensure effective monitoring by ESMA.
ESMA intends to develop further guidance in areas such as asset managers, investment firms and secondary markets to provide sector specific details on the aspects described in the opinion.
The European Securities and Markets Authority (ESMA) has published updated question and answer documents (“Q&As”) on the application of the Alternative Investment Fund Managers Directive (“AIFMD”) and the Undertakings for the Collective Investment in Transferable Securities Directive (“UCITS”).
Question: How should AIFMs report information on the breakdown between retail and professional investors (questions 119 and 120 of the reporting template for AIF-specific information) when this information is not available?
Answer: When the information is not available, AIFMs should report ‘0’ for questions 119 and 120 and use the assumption boxes to indicate that the information is not available.
Question: An AIFM wants to manage AIFs domiciled in another Member State by way of the AIF management passport (Article 33 of AIFMD). In the programme of operations, how does the AIFM have to provide information on the AIFs it intends to manage?
Answer: Where specific AIFs cannot be identified at the time of the notification, the AIFs to be managed may be identified by their investment strategy. Where an AIFM has only been authorised to manage certain types of AIFs, it could also refer to the scope of its authorisation to identify the funds to be managed.
All changes to the programme of operations must also be notified by the AIFM to the competent authorities in its home Member State.
Question: Where an AIF or a UCITS is subject to the clearing obligation of Article 4(1) of EMIR, can it make use of the exemption for intragroup transactions (Article 4(2) of EMIR)?
Answer: ESMA is of the view that in the case of AIFs / UCITSs the exemption for intragroup transactions should be construed narrowly, and that in most cases it will not be possible for the exemption to be used. An AIF or a UCITS can only make use of the exemption for intragroup transactions if it has been established to form part of the same group as the counterparty to the OTC derivative contract and if it fulfils all the criteria for intragroup transactions set out in Article 3(2)(a)(i)-(iv), (b), or (d) of EMIR. An exemption can only be granted after a thorough case-by-case assessment.
The European Securities and Markets Authority has published a consultation paper in which it sets out proposals in relation to the Money Market Funds (MMF) Regulation. The paper’s key focus is on asset liquidity and credit quality, stress testing and establishing a reporting template.
Proposals have been set out under the following headings:
- Technical advice - ESMA has published proposals in relation to the requirements for liquidity and credit quality for assets received in connection with reverse repurchase agreements. ESMA has also proposed criteria for validating credit quality assessment methodologies and credit risk and relative risk quantification, as well as criteria for ascertaining qualitative indicators on issuers of instruments.
- Implementing Technical Standards - ESMA has discussed the development of a reporting template to gather information which managers of MMFs are required to send to competent authorities (this includes MMF characteristics, portfolio indicators, assets and liabilities). ESMA’s aim is that this information would be submitted to national competent authorities and transmitted to ESMA.
- Guidelines - The guidelines proposed by ESMA deal with the common reference parameters for scenarios to be included in the stress tests which MMF managers are required to conduct. ESMA’s proposals require that managers take into account factors including hypothetical variations in liquidity levels for assets in an MMF portfolio, interest rate movements, exchange rates and redemption levels.
The deadline for feedback to the consultation paper by stakeholders is 7 August 2017. ESMA plans to finalise its advice and technical standards and submit these to the European Commission by the end of 2017.