2018 has certainly started with a regulatory bang for financial services firms. The first month of the year has seen a “tsunami of regulation” for firms to get to grips with, by way of implementation on 1st January of the Packaged Retail and Insurance-based Investment Products Regulation (“PRIIPs”) and on January 3rd, the revised Markets in Financial Instruments Directive (“MiFID II”) and the Payment Services Directive (“PSD2”). The UK’s Open Banking Initiative completes the January quartet.
Designed to improve the functioning of financial markets and strengthen investor protection, including a new product governance regime, the obligations under MiFID II would be challenge enough. Together with new regulatory rules on investment disclosures, operation of payment systems and disclosure of account data, amongst others, there is no doubt that 2018 will present a number of compliance challenges.
Institutions have understandably spent a lot of time preparing for January – MiFID II, PRIIPs and PSD2 all come into force within weeks of each other. The scale feels unprecedented. As with any big regulatory change, market practice will continue to evolve afterwards and there will be uncertainties in interpretation and in whether the practices that have been adopted are compliant or not.
The overarching theme of accountability continues – increased firm and personal accountability under the Senior Manager and Certification Regime, which has applied to larger financial institutions since March 2016, is set to be rolled out to insurers towards the end of 2018, with all other regulated firms coming within scope in 2019. UK regulators are still finalising the detail but it is clear that the extension of the new regime will necessitate major changes for affected firms, including the mapping of responsibilities at senior levels, assessments of fitness and propriety for employees who are deemed to be significant risk takers (or equivalent) and new rules on regulatory references.
Increased regulation is by no means all that 2018 is likely to bring by way of challenges for firms in the financial services sector. Overriding everything of course is Brexit and the UK’s departure from the EU in March 2019. This year will be a critical period for the Brexit negotiations and whilst the final deal is impossible to predict, the possibility of lower profitability, reorganisation, uncertainty and continuing risk are widely acknowledged as the key challenges most likely to impact financial institutions in the UK, EU and globally. Further, in May 2017 a Baker McKenzie survey of EU nationals working in the UK (educated to degree level or higher) found that 56% of those surveyed said that they were “likely” or “highly likely” to leave the UK before the outcome of the Brexit negotiations is known, with the financial services sector identified as one of those with the highest predicted rates of attrition.
May 2018 sees implementation of the EU General Data Protection Regulation, which will require all organisations that process personal data to comply with new operational requirements, including the creation of data privacy notices and a data protection impact assessment, and will give enhanced rights to data subjects. Breaches of the new rules could result in significantly increased fines, up to 20 million euro or 4% of total global turnover (whichever is the higher) for serious breaches. The greater focus on accountability for protection of personal data means that there will be more pressure to have board room attention and strong privacy governance. Firms should be reviewing their existing data protection compliance policies, processes and infrastructure in preparation. And not just in relation to customer data – data privacy is becoming more important to employees as they increasingly take action to protect their privacy rights. “The concept of privacy by design will be fundamental to managing regulatory compliance risk and maintaining the trust of the workforce,” comments Employment and Data Protection Partner Julia Wilson.
The FCA and Information Commissioner’s Office have recently issued a joint update which states that both the FCA and ICO believe that the GDPR does not impose requirements which are incompatible with FCA Handbook rules and that a number of requirements are common to both. It also states that compliance with the GDPR is now a board level responsibility and that FS firms must be able to demonstrate the steps they have taken to comply.
The FCA and ICO say that they will “continue to collaborate in the coming months to address concerns firms raise and support firms’ preparations for the introduction of the GDPR in May 2018”.
And finally, of great interest to employees, but also to investor groups and the media, UK financial services firms are gearing up to report their gender pay gap by the April 2018 deadline, and are widely expected to report some of the largest gaps. There will be keen interest amongst employees in what measures firms are taking to address the gap and, looking ahead, in what progress is being made. The expectation is that companies will get into a competitive situation in the war for talent — evidence suggests employees are less likely to join companies perceived as non-inclusive and as not tackling gender issues. While the gap is largely driven by the challenges of recruitment, retention and promotion, pay practices are also under scrutiny, and this increased focus may lead to allegations of unequal pay, i.e. that women are being paid less than men for similar work. The UK legislation reflects a growing global trend: Australia has had similar gender pay reporting requirements for several years, Germany and Iceland recently adopted new legislation aimed at tackling equal pay, and Spain, Ireland, Russia and the UAE are also considering new measures.
Andrew Bailey said in a key speech last year:
“The FCA is an exciting place to be, the challenges come thick and fast”.
The same can certainly be said of the FS sector in 2018.