At our Q1 2024 Capital Markets Regulatory Outlook event, we heard from fscom’s CEO, Jamie Cooke, on the outlook for the industry and the challenges facing firms over the next 12 months. Key focus areas discussed on the evening included innovation and digital assets, sustainable finance, prudential regulation, wind–down planning and CASS, operational resilience, consumer duty and financial crime.
Innovation and Digital Assets
The regulatory space for digital currencies is set to intensify in 2024, with a keen focus from all the major regulators. Expectations for firms to adhere to new regulations, including licensing requirements and product obligations, are increasing.
In Q1 2024, we will see the launch of the UK’s tokenisation regulatory sandbox which marks the first stage towards a secondary market in tokenised financial instruments. For existing market participants or new market entrants, the sandbox will be helpful in establishing a market and trading settlement platform.
It will allow those in the sandbox to seek exemptions, like their EU counterparts, from securities frameworks such as MiFID and Central Securities Depository Regulation.
Despite the new EU Markets in Crypto-assets Regulation (MiCAR) going live in 2024, those firms operating in unbacked digital assets (such as Bitcoin) face a fragmented regulatory picture across the EU. Member states must declare their MiCAR compliance deadline by June 2024 but what is clear is that there is not a consistent date across all states for firms to be compliant. This uncertainty, aligned to a broad range of application assessment timeframes, means that firms must carefully consider their location strategy in the EU.
In the UK, towards the end of last year, we saw the financial promotion of cryptoassets come under regulatory scope. The FCA published their final rules and guidance on expectations relating to these promotions and we expect the regulator to remain focused on this area. The UK regulatory framework for unbacked digital assets remains uncertain and we do not expect final rules before the year end. We do expect the rules to be securities based and that current AML registrations will not automatically translate into digital asset licences meaning that regulatory scrutiny of those firms with an AML registration will continue to be high.
Prudential Regulation – ICARA & Wind Down Planning
Investment firms operating under the MiFID Prudential Regime (MiFIDPRU) will understand the critical importance of maintaining a robust ICARA process. With it being two years since the Investments Firms Prudential Regime (IFPR) came into force, there is significant work still to be done across the industry to get full value out of ICARAs. fscom has published a comprehensive paper titled ‘Foolproofing ICARAs for 2024’ which you can download here. It focuses on priority areas such as consolidation and group identification, risk of harms assessment, quantitative risk appetite, early warning indicators, liquidity risk assessment, operational risk assessment and recovery options, stress testing and wind-down planning.
Effective wind-down planning is essential for regulatory compliance. The FCA has laid down guidelines to follow, including having a proportionate plan that reflects each individual company and their risks, and carrying out ongoing monitoring of the key alerts which feed into the living document that is the wind-down plan. fscom has analysed the wind-down plans of numerous capital markets and payments firms and found that, in general, investment firms already had the right skillsets to stress test and forecast which led to better wind-down planning.
CASS and safeguarding
Our clients who also have a payments authorisation will know that the CASS regime is being held as the gold standard for protecting client funds and the long-anticipated consultation on moving the safeguarding regime to CASS standards is expected to be published over the summer.
Given the FCA’s high regard for the CASS regime, we don’t anticipate any material changes to the rules this year but, nonetheless, auditors continue to find deficiencies, which causes Boards and their accountable executives endless amounts of difficulty. We have advised many firms in the past year on the intricacies of the rules and their interpretation to either help counteract the auditors’ challenges or to address the valid concerns.
This is not the time to be complacent with CASS activities and consumer protection – the industry is dynamic and continues to evolve and with products and business models changing and this can impact the firm’s CASS operating model. There are numerous CASS touchpoints across a firm and potential impacts to a firm’s CASS compliance. Boards should require a report of compliance in good time ahead of the audit in order to pre-empt at least some of the issues that will dominate the audit report.
Operational resilience
The drive to full implementation of Operational Resilience gathers pace in 2024, ahead of the end of the transitional period in March 2025. By now, firms should be testing, through ‘severe but plausible’ scenarios, the important business services and impact tolerances they previously documented within their self assessments, finalising any lessons learned and planning for remediation of any vulnerabilities. Importantly boards should be aware of any investment decisions which will need to be made to allow firms’ important business services to remain within their impact tolerances during a disruption and any changes that will be needed in the critical processes which deliver them.
Additionally, the framework for Operational Resilience should be prepared to allow it to become embedded within the governance of a firm. In order to achieve the deadline of March 2025, we would advise that testing is completed, remediation plans in place and documentation fully complete by the end of 2024, in order for investment decisions and approvals to be made by boards well ahead of this.
As well as this, for those firms who trade in the EU, the Digital Operational Resilience Act (DORA) also comes into force in January 2025. Whilst linked to the overall resiliency framework, specific requirements for ICT related resilience are brought together. At a high level these cover five areas, or pillars :
- ICT Risk Management
- ICT Incident Management
- Digital Operational Resilience Testing
- ICT Third Party Risk
- Information Sharing
All of these pillars are subject to individual Regulatory Technical Standards contained within the act.
Resiliency and the ability of firms to recover from major disruption without harm to clients or market instability, will continue to be a major focus of regulators during 2024 and beyond.
Consumer Duty implementation
With firms having to implement the new Consumer Duty rules last summer for new and existing (open) products and for closed book products by July 2024, the regulator now expects that you can demonstrate customers’ interests are at the forefront of your activities.
The Duty sets higher expectations for firms with the standard of care they give to customers and expects them to act to provide good customer outcomes.
Boards and management teams are required to identify, monitor and confirm that they are satisfied that their customer outcomes are consistent with the FCA Consumer Duty and importantly that they can identify challenges, act and avoid foreseeable harm to consumers.
A critical requirement of the rules is being able to evidence compliance with the objectives of the Duty and practically firms need to capture and analyse significant volumes of data.
The next year will continue to add greater clarity for best practice and what the Duty means in practice for individual firms and in February 2024, the FCA published guidance for firms on examples of good practice and focus areas (Consumer Duty implementation: Good practice and areas for improvement | FCA) which should be used by firms to help them to address such challenges in their own business, keeping in mind that the FCA notes it will apply to firms in different ways and warns that, when the FCA asks a company about implementation, firms should be specific to their own customers, business and risks. This should be used to define what, for them, are good outcomes and potential harms, and how to mitigate these harms.
The FCA has been very clear that the Consumer Duty must be a top priority for Boards and that ultimate responsibility sits with the Board and senior management. The Board is expected to oversee and challenge the executive’s implementation and compliance with the Duty.
fscom has published guidance on the two reports due by the end of July to evidence firms’ compliance with the Consumer Duty and a template for each. You can download them from this article here.
Our expectation is that Consumer Duty will continue to dominate the regulatory supervision themes in 2024 and beyond and that the level of scrutiny, focus and engagement with the regulator will accelerate.
As the final deadline for closed products passes in July 2024, the time for planning is passing and action to prevent foreseeable harms is expected.
By April, firms should have completed an assessment for all closed products and identified the impacts and challenges and suggestions for how to ensure the firm can comply with the duty, including any remedial actions to be undertaken – this also needs to be presented to and supported by the Board – with remedies and actions agreed and a blueprint to ensure your firm can evidence and comply by July 2024.
Closed products are not as straightforward to address as open products – this aspect should not be underestimated.
The FCA timeline can be found here – Consumer Duty detailed timeline (fca.org.uk).
As the FCA’s flagship policy for the protection of consumers, we expect that scrutiny from the regulator will increase. While it is not a regulatory requirement to submit the annual assessment reports, it is very simple for the FCA to ask for them, particularly if the firm has come to the attention of the FCA’s supervision department for any other matter.
Financial crime
We strongly urge firms to regularly review their risk appetite, being cognisant that it aligns with that of their banking partner(s). It’s our experience over the past year that Boards haven’t kept pace with the concerns of both the banking partner and regulator. We have witnessed material gaps in firms’ ability to evidence that they have calibrated their controls with current trends and taken full grasp of the risks presented by their client base.
Firms must satisfy stakeholders, including the FCA, that they have robust governance, effective risk procedures and adequate control mechanisms to manage their financial crime risk. Firms should apply a risk based, proportionate approach to financial crime prevention taking into account such factors as the nature, size, delivery channels and complexity of the business.
Firms must ensure that systems and controls keep up with increasing sophistication of criminal groups and should use the advances in technologies to help prevent financial crime.
Spotlight on regulatory compliance
While regulatory frameworks may not have undergone wholesale changes, the dynamic nature of the capital markets industry necessitates continuous vigilance. Firms must reassess their compliance capabilities, emphasising governance, oversight, and adherence to regulatory standards.
This article offers a baseline for compliance review. Firms can leverage comprehensive assurance approaches for tailored assistance and support by reaching out to your fscom expert today.
If you would like to speak to Jamie Cooke, Julie Tuffrey or any of our Capital Markets experts, please get in touch.
This blog contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate
