On 31 May 2022, the FCA issued its first portfolio letter to entities providing data reporting services of approved reporting mechanisms (ARMs). In the letter, the FCA refers to these entities as data reporting services providers (DRSPs).
In the letter, the FCA outlines what it views as the key risks of harm in the DRSP portfolio and communicates what it expects DRSPs to do to minimise potential risks to consumers and market integrity from failures to meet regulatory requirements. The regulator also sets out the key elements of what it will be doing to supervise DRSPs in the portfolio. The FCA expects DRSPs to take the necessary action to ensure that these risks are appropriately mitigated.
In summary, the FCA views the following as the key risks of harm in the DRSP sector:
- The market is concentrated among a small number of DRSPs. This could limit clients’ opportunity to switch provider and may lead to lower incentives to provide high quality services. The FCA expects DRSPs to review the services they provide to clients to ensure they are of a high quality, to enable their clients to meet their regulatory reporting obligations. The FCA also expects DRSPs to review their fees to ensure that clients are getting good value for money, in line with the regulator’s expectations that firms should compete for customers on the basis of service, quality, price and innovation.
- DRSPs may have inadequate systems and controls to identify incomplete and potentially erroneous trade or transaction reporting data which undermines their core function of promoting market transparency and integrity. The FCA reminds DRSPs that, as a priority, they should be reviewing their data quality systems and controls and addressing any weaknesses. The regulator expects DRSPs to monitor the information that has been published or submitted to it and ensure that it is complete, accurate and in accordance with the applicable reporting deadline. As required under Articles 10 and 11 of MiFID RTS 13, DRSPs should ensure that they have appropriate systems and controls to manage incomplete or potentially erroneous information caused either by their clients or the DRSP itself. This should include, for example, reconciliations between the data clients submit to the DRSP and the data the DRSP publishes or submits to the FCA, as applicable. The frequency and extent of such reconciliations should be proportionate to the volume of data the DRSP processes.
- Insufficient operational resilience may lead to disruption for market participants, consumers and regulators, or the loss, compromise, or lack of availability of data. The FCA expects DRSPs to be operationally resilient against different forms of disruption and to address the root cause to avoid repeated incidents. Where disruption does occur, the DRSP should notify the FCA promptly and the regulator expects the DRSP to have robust and quick-to-implement alternative arrangements to mitigate adverse consequences. The FCA expects the DRSP’s insourcing and outsourcing arrangements to consist of robust monitoring and oversight, systems and processes, and knowledgeable and experienced people. The FCA also expects DRSPs to review their reliance on the services of data vendors and to assess how critical the service is to the operations of their data reporting service. DRSPs should be able to demonstrate sufficient oversight and control over services data vendors provide, regardless of whether the use of data vendors is deemed to be a critical function.
Other risks the FCA picks up on in the letter include, communication with the FCA (the FCA has noted that the frequency of DRSP notifications varies across the portfolio) and conflicts of interest (the FCA has noted several instances where DRSPs do not have tailored policies and procedures around the identification, management and disclosure of conflicts of interest).