On 26 November 2024, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) published a joint consultation paper (PRA CP16/24 / FCA CP24/23) on proposed reforms to the dual-regulated firms’ remuneration regime.

Background

In 2023, the PRA and FCA introduced changes to the remuneration regime to enhance proportionality for small dual-regulated firms and to remove the bonus cap. The proposals set out in this consultation paper are intended to complement those changes by reducing the restrictions on bonuses of senior bankers.

The proposed reforms

The reforms proposed in the consultation paper aim to maintain the remuneration regime’s overall structure and objectives while simplifying the regime and tailoring it more to the UK market, by:

  • Reducing the number of individuals that are subject to the remuneration rules (known as Material Risk Takers (MRTs)).
  • Simplifying the approach for identifying MRTs, placing more emphasis on firms to own and safeguard the process.
  • Bringing rules on deferral of variable remuneration (such as bonuses) more in line with international practice.
  • Ensuring that variable remuneration better reflects risk-taking outcomes and individual responsibilities.
  • Aligning the regulators’ rules on buy-outs in relation to small firms.

The FCA is also proposing to change the structure of its rules in SYSC 19D, and related guidance, by cross-referring to the Remuneration Part of the PRA Rulebook. This is intended to avoid unnecessary duplication and to ensure greater consistency and alignment of the regulators’ remuneration rules.

Next steps

The consultation closes on 13 March 2025.

The proposed changes would come into force the day after publication of the final policy (planned for H2 2025) and would apply to firms’ performance years starting after that date.

On 12 November 2024, the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published a joint policy statement (PRA PS16/24 / FCA PS24/16) on Operational resilience: Critical third parties to the UK financial sector (the PS). The PS sets out feedback to responses the regulators received to their consultation paper on the topic, CP26/23, as well as their final policy.

Background

The Government gave regulators new powers in 2023 to oversee the resilience of the services that certain third parties, known as critical third parties (CTPs), provide to the financial services sector. These were intended to address concerns that financial firms and financial market infrastructures (FMIs), such as payment systems, have become increasingly reliant on the services of a small number of third party providers, the disruption or failure of which could affect large numbers of consumers and firms and threaten the stability of the UK financial system.

The Financial Services and Markets Act 2023 (FSMA 2023) amended the Financial Services and Markets Act 2000 (FSMA 2000) to give HM Treasury the power to designate certain third parties as critical third parties (CTPs) to the financial services sector, and to give the regulators powers to make rules imposing duties on CTPs in connection with the services they provide to firms (i.e. rulemaking powers); to direct a CTP to do or refrain from doing certain things (i.e. powers of direction); information-gathering and investigatory powers; and disciplinary powers.

The BoE, PRA and FCA consulted from December 2023 to March 2024 on a range of proposed requirements and expectations for CTPs, which would apply to all CTPs that are designated by HM Treasury regardless of the specific firms and FMIs to which each CTP provides services.

The final rules

The documents published alongside the PS, which are collectively referred to as the ‘CTP Oversight Regime’, comprise:

  • Three separate rule instruments (one issued by each of the BoE, PRA and FCA) – these are identical in effect and substance and should be interpreted accordingly.
  • Supervisory Statement (SS) 6/24 – this has been issued jointly by the regulators and should be the main source of guidance for CTPs on how the regulators expect them to interpret and comply with the requirements in their rules.
  • BoE and PRA’s final SS7/24, Reports by skilled persons: Critical third parties and the FCA’s equivalent guidance on skilled persons reviews which is set out in the FCA Handbook: Critical third parties Instrument 2024.
  • The regulators’ approach to the oversight of CTPs.
  • BoE’s approach to enforcement: proposed changes to statements of policy and procedure following FSMA 2023 and the FCA’s equivalent and substantively identical approach to enforcement in respect of CTPs which is set out in The FCA’s Critical Third Parties Statement of Policy relating to Disciplinary Measures Instrument 2024.

The CTP Oversight Regime is not intended to impose additional, explicit requirements or expectations on firms, but to complement their existing requirements and expectations relating to operational resilience and third party risk management.

The regulators emphasise that once HM Treasury designates a third party as a CTP, firms and (where applicable) their groups will remain accountable and responsible for managing the risks in any outsourcing or third party arrangements they have, or may enter into, with that CTP, although some features of the CTP regime (such as the information-sharing requirements on CTPs) may assist firms in managing these risks.

Next steps

The final rules for CTPs will take effect from 1 January 2025.

However:

  • A CTP’s statutory obligations under FSMA 2000, the requirements in the regulators’ rules and the expectations in SS6/24 and other documents listed in the PS will only apply to a CTP on the date the designation order made by HM Treasury comes into force.
  • There will also be a transitional period for compliance with certain requirements in the regulators’ rules, which will also start from the date specified by HM Treasury in the designation order. Chapter 2 of the PS and section 12 of SS6/24 list the requirements that are subject to a transitional period and the applicable transitional periods.

A statement on the PS, published on the FCA website, notes that the regulators welcome engagement from industry over the coming months as the regime is implemented.

Memorandum of Understanding

HM Treasury has also published a Memorandum of Understanding between the BoE, PRA and FCA, outlining how the regulators will coordinate with respect to the exercise of their CTP functions through a joint CTP Consultation and Coordination Forum.

On 11 November 2024, the Financial Conduct Authority (FCA) published a webpage setting out the outcome of its enforcement regulatory disclosure review. The review was carried out following a recommendation from the Upper Tribunal.

The FCA confirms that it has completed the review and made a number of changes to its disclosure processes in regulatory enforcement cases, which aim to improve the quality of disclosure by providing greater support for case teams. In particular, the FCA highlights that it is:

  • Taking a broader approach to disclosure, which will mean its review of documents is not focused only on identifying potentially undermining material.
  • Enhancing its existing training on disclosure to include additional specialist training for those managing and overseeing disclosure exercises.
  • Providing additional training for staff and more detailed guidance on quality assurance.
  • Clarifying the roles and responsibilities of staff and managers involved in disclosure.
  • Giving greater emphasis to the importance of disclosure in measuring and rewarding staff performance.

The webpage flags that the FCA is required to disclose all documents on which it relies to build regulatory enforcement cases, as well as any other material that might, in its opinion, undermine its decision to take action. Under the new broader approach, the FCA confirms that:

  • It will disclose all material that is relevant to the facts of the matter, save where it is disproportionate, not in the public interest, or otherwise inappropriate to do so. This will include all material that is potentially undermining as well as supportive material.
  • Disclosure reviews will be aimed at identifying all the relevant material and will not be focused on only looking for potentially undermining material, with the aim of reducing the risk that the FCA mistakenly fails to disclose a document.

The FCA intends to monitor closely the effectiveness of the changes it is making, and to conduct a further review in approximately 12 months’ time to assess whether it should take further steps to improve its processes.

On 7 November 2024, the Financial Conduct Authority (FCA) published a policy statement, PS24/15, setting out the regulatory framework for firms that operate pensions dashboard services.

Key takeaways

The FCA has published its final rules and guidance for firms operating a pensions dashboard service (or ‘PDS’) in the future. Presently, MaPS operates the public (non-commercial) Pensions Dashboards Service, but changes to the regulatory perimeter earlier this year mean that private sector firms wishing to provide private sector PDS will need to have a specific FCA regulatory permission to do so (under A.89BA, RAO).

There is significant potential for private sector PDS’ to change the landscape of consumer financial services in relation to pensions and retirement saving. To get there, there will need to be further work by the Pensions Dashboard Programme to connect commercial dashboards to the MaPS dashboards digital infrastructure; and in the meantime the legal and regulatory landscape is likely to evolve further with the development and delivery of Open Finance and other initiatives.

The FCA’s paper explains how it sees private sector PDS’ operating in the wider pensions and data ecosystem, and sets out the rules and guidance to which firms will be subject when operating a PDS.

Whilst the delivery of private sector PDS’ may be some time away, the impact will be significant. Easier digital connectivity with pensions could radically change the overall landscape of provision, and has the potential to reconnect savers with an estimated £31.1bn in lost pension pots.

Firms contemplating a role in this future environment should take a close look at PS24/15 to help plan for these new opportunities. It contains important feedback on the consultation, including critical questions around interaction with the Design Standards, conduct of business rules and associated questions, including the extent of permissible marketing within a PDS.

Background

The FCA first consulted on its proposed requirements for firms operating a pensions dashboard service in December 2022 (in CP22/25). After Parliament approved the legislation to introduce the new regulated activity of operating a pensions dashboard service, the FCA then published a further consultation (CP24/4) in March 2024, setting out further and revised proposals prompted by the drafting of the regulated activity and feedback to CP22/25.

The new framework

Under the new framework set out in PS24/15, the FCA will regulate firms that operate pensions dashboard services (i.e. secure digital interfaces that allow consumers to find their pensions and to view basic information about them). The regulatory framework is intended to enable consumers to confidently engage with pensions dashboards by making sure firms undertaking this new activity do not introduce or amplify the potential for consumer harm.

Next steps

The gateway is not yet open for firms to apply for authorisation or variation of permission to undertake the new activity of operating a pensions dashboard service. The FCA explains that it will not open the gateway until the Government and the Pensions Dashboard Programme have produced all the information necessary for a firm to design and build a pensions dashboard service. It confirms that it will give the industry adequate advance notice of the gateway opening, accompanied by the finalised application forms.

The rules are being published now to allow firms to start considering and preparing their prospective business models, service design, research and testing well in advance of the gateway opening to accept applications for the new permission. 

On 6 November 2024 the UK government published its long-awaited guidance (the Guidance) on the new offence of failure to prevent fraud (here) and confirmed the offence will be in force from 1 September 2025.

Under the new offence an organisation (whether or not it is a UK organisation) may be criminally liable where an employee, agent, subsidiary, or other “associated person” commits a fraud intending to benefit the organisation, where that fraud has a UK nexus, and the organisation did not have reasonable fraud prevention procedures in place. More detail on the new offence is set out (here).

This new offence is a hugely significant development and is intended to have a similar impact to the UK Bribery Act 2010, both in terms of driving changes in compliance and culture and in leading to deferred prosecution agreements and prosecutions.

The Guidance covers both the elements of the offence itself and, importantly, advice on what constitutes reasonable fraud prevention procedures.

The Guidance broadly follows the format of the UK Bribery Act adequate procedures guidance, but there are some important differences and changes of emphasis. These include more detailed guidance on the role of senior management, more detailed consideration of the types of risks that should be assessed (including risks relating to rationalisation, culture and incentives) and an emphasis on compliance resourcing/budgeting and reporting lines.

The Guidance provides a helpful starting point, but it is designed to be outcomes-focused: organisations need to consider their own fraud risks and how best to mitigate them. Notably, the Guidance refers to the US guidance on corporate compliance programmes (here), which provides much more detailed expectations (and in practice informs many compliance officers and lawyers when designing or reviewing financial crime compliance programmes).

In this blog we summarise some of the key points we identified during our initial review of the Guidance. We will be discussing the Guidance on a live webinar on Thursday 14 November 2024. Please click (here) to register.

  1. Interaction with existing procedures: the Guidance acknowledges that in some cases existing procedures may be able to be adapted or extended to avoid duplication, but warns that “merely applying existing procedures tailored to a different type of risk will not necessarily be an adequate response to tackle the risk of fraud”. This is an important point: while some processes can be adapted (e.g. third-party due diligence), many organisations do not currently have effective policies and procedures to prevent fraud for their benefit (outward fraud); existing policies and procedures are usually designed to prevent the company being a victim of fraud (inward fraud).
  2. Risk assessments: the Guidance emphasises the importance of a comprehensive risk assessment and suggests the following:
    • considering the type of associated persons and employees which present the highest risks of fraud. Notably, the guidance refers to “nominated risk owners” developing typologies of risks. It is not clear who would be considered a “nominated risk owner”, but in our experience it is helpful to have representatives of different functions in the organisation considering the offences and discussing scenarios within a working group;
    • assessing risks related to cultural and organisational factors, including financial or operating pressures on the company, time pressures, whether the organisation’s culture is “quietly tolerant of fraud” and stress, targets and workload; and
    • procedures may not be considered reasonable if a risk assessment is not reviewed periodically (it is suggested this should be at least annually).
  3. Senior management/board responsibility and resourcing: there is a real emphasis on senior management and board responsibility, reporting lines, and resourcing of the fraud prevention procedures. It is suggested organisations consider:
    • designated responsibility for “horizon-scanning for new fraud risks”, approving the risk assessment, overseeing investigations and “monitoring and review of the framework”;
    • ensuring that the Head of Ethics and Compliance (or similar person) has direct access to the board or CEO as they think necessary. This reflects one of the enhancements noted in recent DPAs;
    • committing “a reasonable and proportionate budget specifically for the leadership, staffing and implementation of the fraud prevention plan…over the long term”; and
    • how fraud investigation findings are reported to the board.
  4. Due diligence: the Guidance emphasises the importance of due diligence on associated persons and during M&A, but this section is fairly high level and needs to be read in conjunction with the risk assessment section – which refers to more substantive analysis of the risks posed by particular third parties. It is also worth considering here recent US guidance on compliance programmes, which provides more detail on due diligence, including on the need for a risk-based and integrated process, appropriate controls, management of relationships and real actions and consequences.
  5. Training and communication: the Guidance suggests:
    • “consideration should be given to the specific training needs of those in the highest risk posts”. This is likely to require more than online all-employee training;
    • monitoring the effectiveness of training programmes (as well as completion rates). This is crucial to avoid training being a tick-box exercise (particularly given the risk that employees click through online training);
    • “training should cover the nature of the offences as well as the procedures to address it”. In practice, this is likely to mean that training will need to be fairly detailed given the breadth of the offences and the controls needed to prevent them;
    • it may be helpful to integrate fraud messaging into existing policies and procedures (e.g. it suggests that policies related to sales targets or customer interactions could include a brief statement addressing fraud rationalisation and the potential consequences of committing fraud). This is a really important point: taking steps like this helps to bring the key points of fraud policies to the attention of those at higher risk of committing offences; and
    • organisations consider publicising internally the outcomes of investigations. This needs to be handled sensitively given the risks involved (including their duties to their employees).
  6. Whistleblowing: the Guidance suggests that those organisations not required by regulators (e.g. the FCA) to have whistleblowing programmes should consider the following. In effect, this is setting new expectations for whistleblowing programmes for fraud outside the regulated sector:
    • board level accountability to oversee whistleblowing;
    • ensuring that reporting channels are independent;
    • training managers on how to respond to whistleblowing concerns;
    • learning from the issues raised by whistleblowers; and
    • ensuring internal and external whistleblowing mechanisms are signposted.
  7. Monitoring: the Guidance suggests conducting formal and documented periodic review, including considering:
    • what data analytics or AI tools are used;
    • a nominated member of staff with responsibility for collating and verifying management information on suspected fraud/effectiveness of fraud prevention procedures and raising this to the board;
    • internal investigations, including: what measures are put in place to ensure independence; who authorises investigations; in what circumstances external investigators are appointed; and ensuring investigations are appropriately scoped and resourced. These pick up on some of the points in the SRA’s recent draft guidance on conducting internal investigations (here);
    • whether reviews/testing are conducted internally or externally (noting that best practice is for the procedures not to be tested by those that design them); and
    • potential crossover with the UK Corporate Governance code monitoring requirements for premium listed companies.

On 5 November 2024, the Financial Conduct Authority (FCA) published a consultation paper, CP24/21, on investment research payment optionality for fund managers.

CP24/21 sets out proposals to take forward the recommendations of the Investment Research Review and feedback to the FCA’s previous consultation (CP24/7) on payment optionality for investment research. The FCA finalised rules in July 2024 allowing institutional investors more flexibility in paying for investment research, and following feedback from industry, it is now proposing to extend the new payment optionality to pooled funds, to make it operationally more efficient for asset managers of different business models and sizes to take up the new payment option to pay for investment research.

The proposals will apply to UCITS management companies, full scope UK alternative investment fund managers (AIFMs), small authorised UK AIFMs and residual collective investment scheme operators, and an investment platform provider.

Next steps

The deadline for responses to CP24/21 is 16 December 2024.

The FCA says it will consider all feedback and, if it chooses to proceed, it will aim to publish any rules or guidance in a policy statement in H1 2025.

On 5 November 2024, the Financial Conduct Authority (FCA) opened its AI Input Zone, through which it is inviting stakeholders to provide their views on current and future uses of artificial intelligence (AI) in UK financial services, as well as the financial services regulatory framework.

As one component of the FCA’s AI Lab, launched in October 2024, the AI Input Zone is intended to help the FCA to support safe and responsible innovation, promote growth and competitiveness of the sector, and gain a practical understanding of AI usage in financial services. The FCA is seeking a wide range of views from different market participants to understand what transformative use cases may develop, and what it can do to support opportunities for beneficial innovation.

The AI Input Zone is part of wider evidence gathering aimed at helping shape the FCA’s future regulatory approach. Stakeholders are reminded that they can apply to participate in other elements of the AI Lab that may be of interest, such as the AI Sprint.

The questions on which the FCA is inviting views within the AI Input Zone relate to:

  • What AI use cases stakeholders are considering or exploring in their firm or organisation, and what transformative AI use cases look like in the next 5-10 years.
  • Whether there are any barriers to adopting these use cases currently or in the future.
  • Whether current financial services regulation is sufficient to support firms to embrace the benefits of AI in a safe and responsible way, or whether it needs to evolve.
  • What specific changes or additions to the current regulatory regime, or areas of further clarification or guidance, are needed.

Next steps

Responses to the questions set out in the AI Input Zone are requested by 31 January 2025.

Introduction

On 1 November 2024, the Financial Conduct Authority (FCA) issued Finalised Guidance 24/5 ‘Prudential Assessment of Acquisitions and Increases in Control’ (FG24/5). On the same date the FCA and the Prudential Regulation Authority (PRA) issued a joint Policy Statement providing feedback to the responses received to Consultation Paper 25/23 on prudential assessment of acquisitions and increases in control. The Policy Statement also contains:

  • PRA Supervisory Statement 10/24 – Prudential assessment of acquisitions and increases in control (SS10/24) (Appendix 2).
  • FG24/5 (Appendix 3).
  • Updated PRA Statement of Policy – Interpretation of EU Guidelines and Recommendations: Bank of England and PRA approach after the UK’s withdrawal from the EU (Appendix 4).

Changes

The PRA and FCA have made changes to both SS10/24 and the FCA guidance following comments received at the consultation stage and minor changes to the language used in these documents to further enhance the clarity and readability of the documents. However, other than the differences between the two documents noted in the consultation, no material differences arise between the documents as a result of the consultation responses.

The PRA and FCA have:

  • Added new paragraphs on limited partnership structures to help with the identification of controllers within such structures and to address the responses received to the consultation around controller identification within limited partnerships that are typically used by private equity firms and hedge funds.
  • Clarified what constitutes ‘significant influence’ to make it clearer that, when determining if there is significant influence, it is not just a case of being on the board of an authorised firm or its parent, but the ability to direct or influence decisions made by the authorised firm’s board. That direction or influence could be through a shareholder board appointment (to the UK authorised person or its parent) or other arrangement.
  • Added a new paragraph in SS10/24 and FCA guidance explaining that as part of the PRA’s and FCA’s assessment/due diligence process they may contact relevant UK authorities and non-UK regulators to understand the timelines of their process and request any information relevant to the assessment against the section 186 Financial Services and Markets Act 2000 (FSMA) criteria.

Next steps

SS10/24 takes effect on 1 November 2024.

When considering a UK change in control transaction, FCA authorised firms, and those persons to whom Part XII of FSMA applies, should follow FG24/5 from 1 November 2024 instead of the EU guidelines on the prudential assessment of acquisitions and increases of qualifying holdings in the financial sector (known as the 3L3 Guidelines).

The FCA has published the results of its survey on non-financial misconduct. Set out below are (1) key findings; (2) next steps for the FCA; and (3) seven suggested action points for firms in light of the survey.

(1) Key findings

The key findings from the survey are that:

  • Most frequent concerns: the number of allegations of non-financial misconduct reported increased between 2021 and 2023. In the 3 years covered by the survey, bullying and harassment (26%) and discrimination (23%) were the most recorded concerns.
  • Outcomes: disciplinary or ‘other’ actions were taken in 43% of cases and some types of reported non-financial misconduct, such as violence, intimidation and sexual harassment, more often resulted in disciplinary actions compared to other types, such as discrimination. In addition, 62% of reported discrimination incidents and 47% of reported bullying and harassment incidents between 2021 and 2023 were not upheld. The FCA has suggested that the industry should reflect on these differing rates and whether they are explainable.
  • Remuneration impact: action taken following non-financial misconduct rarely resulted in remuneration adjustment. When remuneration was adjusted it was mostly against unvested variable pay rather than other forms of remuneration adjustments such as fixed salary adjustment or clawback.
  • Management information: 38% of respondents to the survey also stated that boards and board level committees did not receive management information about non-financial misconduct, and the FCA considers that the responses to questions about board MI and governance structures suggest that large firms’ governance and oversight of non-financial misconduct could be falling short of the FCA’s expectations.

(2) Next steps for the FCA

The FCA has confirmed that it will now:

  • Engage with firms to understand their results and how they have used the data to reflect on their own culture, focusing on the firms that are outliers from their peer groups.
  • Support trade associations to lead industry efforts to improve standards using the survey data.
  • Continue to communicate with firms and set out its regulatory expectations through portfolio letters.
  • Act where it considers that firms have failed to adhere to the FCA’s rules and principles.

(3) Next steps for firms 

Firms may wish to consider the following seven questions for the purpose of assessing next steps in light of the survey:

  • Does your employee handbook or equivalent guidance adequately cover types of non-financial misconduct?
    • The specific types included in the survey were sexual harassment, bullying and harassment, discrimination, possession or use of illegal drugs, violence or intimidation. However, 41% of incidents fell into the non-specific ‘other’ category. Firms should consider whether to feed any ‘other’ experience into their employee guidance.
  • Is adequate support provided to internal decision-makers on conduct boundaries?
    • Discrimination had the lowest proportion of upheld complaints with action taken, which may reflect the fact that discrimination is sometimes harder to judge than other types of misconduct. Providing guidance to decision-makers may assist in achieving appropriate outcomes.
  • Are you using settlement agreements and confidentiality agreements correctly?
    • The report serves as a reminder that NDAs / confidentiality agreements should not be used to prevent individuals from whistleblowing to the FCA. Confidentiality agreements were most used for discrimination, bullying and harassment and the FCA is carrying out some follow-up to understand the reasons for this.
  • Do you have an appropriate level of reported incidents, an appropriate whistleblowing policy and a healthy speak-up culture?
    • The survey indicates a variety of detection methods including grievances and whistleblowing.
    • It is helpful and a potential silver lining for firms with high levels of complaints that the FCA recognises that this may indicate a healthy speak-up culture. However, not all respondents had a whistleblowing policy and low levels of complaints may not reflect positively on the firm.
  • Should you have a remuneration policy?
    • It may be understandable that where remuneration was impacted, the use of retrospective clawback or salary adjustment was less common than making forward-looking variations to bonuses or other pay which had not yet vested. However, the FCA has flagged that not all firms had remuneration policies and for some firms this may itself not be in keeping with its requirements.
  • Does your board or a board level committee receive adequate management information about non-financial misconduct?
    • Over a third of respondents stated that boards or a board level committee did not receive MI about non-financial misconduct and a third had no formal governance structure or committee to determine outcomes. The FCA suspects that governance and oversight at large firms could be falling short of expectations. The Board should also consider whether to adopt the new Code of Conduct for Directors structured around six key “Principles of Director Conduct” which was published by the IoD this week.
  • Do you provide adequate references, keep them updated and take account of adverse references received?
    • Although 92% of respondents said they would include non-financial misconduct in a regulatory reference, only 87% said they would update a reference following an incident. Firms should check they have an adequate process for providing and updating references. The FCA flags that it expects firms to consider their regulatory obligations with regards to hiring of employees with adverse references and ensure individuals remain fit and proper.

The recently updated Regulatory Initiatives Grid confirmed that the FCA’s policy statement on ‘Tackling Non-Financial Misconduct in the Financial Sector’ will be published “around year-end”. Watch this space.