In this article - our last for 2017 - the compliance guru at the UK's largest retail financial advice and investment management trade body sums up the tumultuous year of financial regulation through which we have just lived and looks forward to the year ahead. His prevailing tone is one of guarded optimism.

After the unprecedented deluge of new or updated regulation in 2017, during which firms were faced with detailed problems that they had to solve at speed while still keeping up with the “business as usual” of everyday compliance work, we will shortly be faced with the task of implementation.

In some cases, particularly with the European Union's second Markets in Financial Instruments Directive or MiFID II, some of the essential official guidelines are still to come, making the clear understanding needed for a seamless transfer from old to new difficult. Other new rules or pieces of legislation are easier to grasp, but the sheer volume of new requirements is still going to cause concern from a compliance point of view and firms may, in some instances, find compliance with them more expensive than they originally thought.

The MiFID II monster

MiFID II comes into effect in just a few days' time on 3rd January. Its demands - aimed at protecting investors from sharp practice and allowing regulators and customers alike to see more processes happening - are onerous. Firms will be required to produce and report more data, disclose more to clients and provide them with more comprehensive 'protection,' especially if they are professional clients. Because of the cross-border nature of today’s investment environment, MiFID II's implementation will affect firms all over the world that do financial business in Europe either directly or indirectly to varying degrees.

MiFID II is, in short, a monster. It has been the main cause of the ‘regulatory overload’ reported by firms during 2017 and is likely to remain so in the year ahead as it is much wider in scope than its predecessor and the costs of implementation are on a completely different scale. Many areas of the new law and its accompanying regulations remain opaque and firms will have to understand them better before they and their compliance officers can get to grips with the task ahead.

Even the UK's Financial Conduct Authority is unable to provide guidance in many areas because it is perplexed by the absence of precedent and the novelty of many parts of the legislation.  It has made it clear that it will expect firms to demonstrate the serious nature of their interpretations of the new texts and make realistic efforts to make them work, but it has also said that it realises that firms cannot put everything into place at once and promises to be flexible in its approach to supervision in this regard. In particular, in areas of known uncertainty it will be looking for feedback from the market to provide it with information it can use in future to categorise the best practices that are emerging. The one exception will be in transaction reporting, where the new régime (including, when necessary, the legal entity identifiers or LEIs for non-natural persons) must be up and running by 3rd January; without that, there can be no dealing for clients. Obviously no business wants this and supervision in this area will be tight from the outset.

Very recently, the FCA has updated position limits for commodity derivative contracts and information that pertains to 'passporting' in line with the EU's second Payment Services Directive (PSD2). It has also set up a telephone helpline for anyone who is worried about transaction reporting.

In the UK, firms that do a mixture of MiFID and non-MiFID business may well consider it more practical to take a single approach to compliance despite different sets of rules applying to different aspects their operations. Under article 3 of MiFID, EU countries have discretion to exempt some firms from authorisation as MiFID investment firms. Firms that are exempted from MiFID in this way may nonetheless find that substantial parts of the new law will affect them, especially in the area of 'investor protection,' and they should be ready for this. In all cases, firms ought to make clear plans and allocate their available resources carefully.
 
MiFID II will probably take a year to 18 months to fully 'bed down.' A "MiFID Bible," which so far contains 19 separate sections that attempt to explain the ways in which MiFID should work, is available on the Personal Investment Management and Financial Advice Association's website to help members find their way through the fog.

Benchmarks ahoy!

On the same day as MiFID - 3rd January - the new Benchmarks Regulation (BMR) also lands. This is designed to rectify certain problems that came to light during the interest-rate-rigging scandals regarding the London Interbank Offered Rate (LIBOR) manipulation scandals a few years ago. It became EU law in June 2016.

What is a 'benchmark' according to this regulation? The answer hinges less on the things to which a benchmark refers than it does on the uses to which that benchmark is put. The regulation 'captures' those indices (or 'benchmarks') that are referred to in financial instruments dealt on trading venues, or in mortgage and consumer credit contracts. It also deals with indices that firms use to measure the performance of investment funds. It will cover UK-specific benchmarks but will also include, among other things, the FTSE 100 (which is not UK-specific), the DAX 30, The CAC 40, the Baltic Dry indices, catastrophe and weather benchmarks and commodities benchmarks that focus on materials ranging from precious metals to foodstuffs.

The regulation will be administered by the European Securities and Markets Authority (ESMA) and applied throughout the EU. ESMA’s 'action instructions' will be targeted at national competent authorities – in the UK’s case, the FCA. As part of the implementation process, ESMA has drafted up guidelines, yet to be finalised, to govern the handling of 'non-significant' benchmarks. These guidelines will be of particular significance to any portfolio or asset manager who may combine parts of existing indices together to form a new index or benchmark solely for internal purposes. This activity will be considered as the 'use' of benchmarks already available rather than the 'administration' of a new one. Firms have to look carefully at their in-house indices in light of the new regulation and then decide whether they are indeed 'benchmarks' according to the broad definition of that word. Many of them are likely to be.

PRIIPS (Packaged Retail & Insurance-based Investment Products)

This is number three of the 'Big Three.' The EU's PRIIPs regulation applies only in the case of retail financial services and is designed to complement, for non-UCITS packaged products, the EU law that underpins distribution in the UCITS business. It therefore requires each firm to provide the retail investor who wants to invest in PRIIPS with a Key Information Document, or KID.
 
These include a wide range of non-UCITS listed and non-listed funds and structured products, but exclude plain equity (shares that are not for listed funds) and listed vanilla bonds. The KID is intended to be similar in form and comparable to the existing Key Investor Information Document, or KIID, for UCITS, and originated from a need for retail investors to be able to have the same information base about, and make meaningful comparisons between, different retail products in a fair and even-handed manner. In reality, the KID has diverged from the KIID in content (and, to a degree, in form) so that its original purpose has to an extent been obscured. However, from 3rd January onwards it will have to be distributed to retail investors as required by law. Many commentators think that the PRIIPS requirements are complementary to MiFID II's distribution rules, but there are differences, not least in the greater range of MiFID and its more extensive influence over the behaviour of the professional firm in relation to the retail client.
 
However, from 3rd January 2018 onwards, firms that provide financial advisory and execution-only broking services (in which it is the retail client who makes the decision whether or not to invest in a particular product covered by the PRIIPS rules) will, where appropriate, have to make sure that the KID in question is delivered as required. Discretionary Investment Managers (DIMs) who act for retail investors in the market are, of course, eligible counterparties under the law and therefore not retail, so to the extent that they, and not the end-client, provide the counterparty to a fund manager or are the investor in shares in a listed fund on behalf of the client under a mandate, they will not need the KID at all. It remains to be seen how this differential requirement in the retail marketplace pans out in practice and whether the lower regulatory burden will be of advantage to the DIM sector.

The GDPR (the General Data Protection Regulation)

This is the instrument through which the EU wants to protect personal data in the 21st century. It came into force on the 25th May 2016 and will apply with direct effect to all countries in the European Economic Area on 25th May next year. It will replace the Data Protection Act 1998 in the UK and is expected to continue to apply to the UK after it leaves the EU through a combination of the new Data Protection Bill and the so-called 'Great Repeal Bill' or EU Withdrawal Bill.

The regulation, which takes direct effect in every EU country's laws without the need for national legislation, aims to standardise the countries' attempts to protect data. It contains privacy and security procedures and will introduce stricter rules to govern cyber-security and the handling of personal data. There are to be fines of up to €20 million (£17 million) or 4% of annual global turnover (whichever is greater) for certain breaches. These dwarf the current top penalty of £500,000.

Some of the press coverage of the penalties has bordered on scare-mongering; the Information Commissioner's Office will take a 'proportionate' approach to enforcement, with sanctions ranging from warnings and reprimands all the way up to a “temporary or definitive limitation including a ban on processing” – which, in some hopefully rare cases, could mean putting a firm out of business altogether. Firms ought to study articles 58 & 83 of the regulation to know more.

Firms must also consider their obligations to protect personal data in accordance with other regulations such as MiFID II, which requires them to store recordings of pertinent telephone conversations and electronic communications for five years, or seven years if their regulators so dictate.

It is important to note that the GDPR will also affect any and every firm from outside Euroland which holds data that affects EU business in any way. It is also important for firms to bear in mind the regulation's insistence on proportionality (regulators must strike a balance between the means they use and the intended aim), necessity (the limiting of anyone's fundamental right to the protection of personal data must be strictly necessary) and limited data retention (personal information should not be retained for longer than necessary according to the purpose for which it was collected).

The SM&CR (Senior Manager’ & Certification Regime)

Essentially, this regime concerns individual accountability in the context of the culture at financial firms in the UK. The regulator, at the insistence of HM Treasury which owns it, wants this régime to be a living, breathing entity that helps corporate culture and governance to progress and improve. The FCA's consultative document CP17/25 (entitled “Individual Accountability: Extending the Senior Managers & Certification Regime”) proposes to change the way in which the FCA regulates people who work in financial services, making senior people more responsible and accountable for their actions and thereby reducing the risk of harm to customers.

For senior managers at FCA-regulated businesses, the proposed SMCR extension to the whole of financial services in 2018 (it already applies to banks) means that it will become crucial for senior managers to know what is going on in the areas of business for which they are responsible. They must also know how it feels to be one of their customers, with an audit trail to prove that they do.

Almost all employees will be affected in some way by the regime, which is designed to make them to pay due regard to the interests of customers and treat them fairly. Senior managers will be subject to four additional 'conduct' rules, obliging them to ensure that the business areas for which they they are responsible are controlled effectively and to comply with the relevant requirements and standards of the regulatory system. Senior managers will all have to be approved by the FCA and put on a Register of Certified Persons alongside clear statements of their responsibilities.

PIMFA has already put in a request for an overhaul of the FCA register, the better to take account of the new SM&CR. PIMFA believes that the register is in essence a good idea but is “not fit for purpose.” It has warned the regulators that some effects of the new rules that will force senior managers to become more accountable for what happens at their firms could be 'retrograde.' It is possible, however, that these changes may not be as much of a 'done deal' as was first thought, so members have been told to watch out for more comments from PIMFA.

It was earlier this year when the FCA published plans to extend the régime to the whole financial services sector, including advisors, in 2018. It has just published three consultative papers about the technicalities. We should not expect anything final before the autumn and the FCA may decide to make things simpler during the intervening period.

There is an active PIMFA Working Party on the Senior Managers Certificate Regime which will continue to work throughout the regime's implementation. It will provide updates for PIMFA members as the situation progresses but it is already saying that the first thing for companies to do is (a) to think clearly about how they will meet their new obligations and (b) to make sure that they are compliant with the 'training and competence' rules.

Europe

It’s all about Brexit, or so some say, but is it? The subject dominates the headlines of course, but underneath the political hype is a great deal of business as usual. It must not be forgotten that the UK is still a full member of the EU, with all the rights and responsibilities that the EU treaties bestow on it. It still has members in the European Parliament, a seat at the European Council, officials working at the European Commission, and the right to negotiate on level terms with other member states about the shape of future EU law. Firms in the UK still have full cross-border market access, including 'passporting' rights, to other EU countries, and the citizens of other EU states remain free to move, live and work wherever in the EU they choose.   

This state of affairs will continue throughout 2018. One consequence is that financial service firms and their representative associations are still making the regular pilgrimage to Brussels to put their views to the various authorities there and to ask for the things they want to see in new laws and regulations. PIMFA is no exception to this. In recent months we have talked to relevant EU institutions about issues as diverse as the possible new prudential régime for investment firms, the effect of 'fintech' on retail financial businesses and clients, the concerns of retail financial intermediaries, the market in distribution and advice for retail financial products, and regulatory issues surrounding long-term investments and pensions.  This will influence legislation downstream and ultimately the regulations and rules with which UK firms will have to comply.

We shall continue with this work throughout 2018.

Other things in the pipeline

Apart from the issues we have mentioned, many other demands will be made on firms’ resources next year. These include the Market Abuse Directive/Regulation, the fourth Anti-Money Laundering Directive (AMLD/R) and the Financial Advice Market Review. All these things combined will call for dedicated attention, clear understanding and well-planned action.

There will no doubt be hiccups along the way but the retail financial services profession is, on the whole, moving in the right direction and managing to shoulder its heavy regulatory load. At some point in the future, perhaps in 2018, there will be a sigh of relief audible on a planetary level when firms feel that the load has been distributed and deposited where it belongs.  We leave our readers to decide where that should be. Happy New Year!

* Ian Cornwall can be reached on +44 7448 7100 or at ianc@pimfa.co.uk