Regulatory Update June 2021
PRA policy statement on Senior Management Function temporary absences
The PRA published a policy statement (PS11/21), together with updated Supervisory Statements SS28/15 and SS35/15, which confirm its final policy in relation to temporary absences by senior managers under the Senior Managers and Certification Regime (SMCR). This follows a joint PRA and FCA consultation, in Chapter 2 of the FCA consultation paper CP20/23 published in December 2020.
The regulators proposed, in CP20/23, that they would clarify their expectations on firms’ notification requirements when a person performing a Senior Management Function (SMF) takes ‘long-term leave’, namely temporary leave for more than 12 weeks.
The PRA’s final rules confirm that where a firm is keeping the SMF’s role open while they are on long-term leave:
- the PRA expects the firm to notify it that the SMF is on long-term leave (through Form D). The firm will also need to submit Form J as there will be a significant change in the SMF’s responsibilities and, therefore, their Statement of Responsibilities. The firm will then need to resubmit both forms on the SMF’s return;
- the PRA does not expect the firm to seek re-approval for the SMF to perform their role on their return, but the obligation on the firm to carry out a fitness and propriety assessment still applies; and
- another individual can perform the SMF’s role for the duration of their leave and this will be necessary where the SMF has been carrying out a PRA-required function (such as Chief Risk Officer, Head of Internal Audit, Senior Independent Director or committee chair). The interim SMF will need to be approved, which can be time-limited to cover only the period of absence.
Where the firm is not keeping the SMF’s role open, it will need to notify the PRA that the individual is no longer performing an SMF (using Form C). If the SMF returns to the role, they will need to be re-approved.
The PRA clarifies that it does not expect firms to notify it where the SMF is on leave of less than 12 weeks, on holiday or has a short illness.
The PRA rules took effect from 2 June 2021. The FCA confirmed its final rules and guidance in its Handbook Notice 88, published on 28 May 2021, which also came into force on 2 June 2021.
Counterparty credit exposure – PRA and FCA publish letter to chief risk officers
The PRA and FCA published a joint letter to chief risk officers (CROs) of regulated firms on counterparty exposure management and controls for ‘delivery versus payment’ (DvP) clients. The letter shares the regulators’ observations on good practices related to monitoring and mitigating pre-settlement counterparty credit risks in relation to DvP clients, which they encourage firms to incorporate within their control framework. Examples of good practices contained in the letter include:
- On-boarding of new accounts: a risk-based policy framework should be developed and overseen by a credit function independent of the front office and implemented to ensure that the basic credit profile of every client is within the firm’s risk appetite. More extensive credit analysis is required for higher risk accounts;
- Credit risk framework: every client account, regardless of whether it intends to transact on a DvP-only settlement basis, should be subject to a pre-settlement credit exposure limit;
- On-going oversight of clients: there should be clear internal ownership of the client account to enable consistent oversight, with on-going client monitoring covering financial crime and money-laundering risks;
- Client exposure monitoring: an automated monitoring system should be established to reconcile pre-settlement exposures to risk limits for each client account, with appropriate escalation procedures; and
- Escalation procedure: there should be a robust trade fail management process with systematic and pre-defined escalation trigger points for individual client accounts, ensuring the rapid escalation of trade fails to both the front office and independent control functions.
While implementing the measures above, the regulators also encourage firms to consider any associated conduct risk issues. They intend to request updates from firms by the end of 2021 on the steps they have taken to implement the measures. The regulators will continue to maintain a strong focus on significant loss events in the market and expect firms to conduct risk management reviews within their own organisations as such events occur.
The FCA has published issue 67 of Market Watch, its newsletter on market conduct and transaction reporting issues.
Issue 67 focuses on how the FCA uses orderbook data to conduct surveillance to identify suspected market manipulation covering the following:
- Identifying equity manipulation. The FCA uses suspicious transaction and order reports (STORs) and other notifications about suspected market abuse under article 16 of the UK Market Abuse Regulation (596/2014) (UK MAR). The FCA says it undertakes its own surveillance of market activity and uses orderbook data provided by UK trading venues to do so. Data is blended to provide a consolidated “helicopter” view to detect manipulative trading. Firms and trading venues are requested to maintain good records of their orderbook data. The FCA may make information requests for orderbook data in order to assess whether effective surveillance arrangements are in place.
- Algorithm design. The FCA’s surveillance algorithms identified trading by an algorithmic trading firm that raised potential concerns about the impact the algorithms responsible for executing the firm’s trading strategies were having on the market. As a result, the firm adjusted the relevant algorithm and its control framework to avoid having an undue influence on the market.
- Staff conduct. The FCA’s internal surveillance algorithms identified a small number of instances of potential spoofing by a trader at a firm. Following enquiries by the FCA, the firm introduced additional market abuse training for all trading staff and enhanced surveillance capabilities.
Data transfer to overseas countries
One of the issues caused by the UK leaving the EEA is how UK companies can send personal data to other countries for processing.
Bear in mind that the concept of processing is far wider than many people appreciate. For example, sending names and email addresses to the USA by using an online tool that does mailshots is overseas processing of personal data and falls within the GDPR. In fact, a German data protection regulator recently threatened to fine a company for doing just this by using the US-based Mailchimp package to carry out a mailshot. In the end the company promised not to use Mailchimp in future and so the fine was not levied, but it is worth noting as an example of how easy it can be to transfer personal data abroad without realising.
Also consider whether the country involved is already authorised under what is known as an adequacy decision under the GDPR. The UK allows free transfer of data to EEA countries and recognises them as approved. Currently the EEA also allows free transfer to the UK, and this is likely to continue thanks to the adequacy decision process being conducted by the European Commission. Data transfers to the USA are not currently approved in any way, so further consideration will be needed if data is being transferred to an organisation based there. If the country that the data is going to is on the approved list, then nothing further needs to be done.
If the data transfer is to be made outside an approved country, to the US for example, then a risk assessment will need to be done. A risk assessment will need to consider what data is being sent and its level of sensitivity, what data protection controls are in place in the country, and whether they are properly enforced. One of the big problems with the US is that its intelligence services have very wide powers to obtain data from private companies with limited oversight and appear to have used those powers liberally. A risk assessment may need to conclude that the risk of transferring the specific data to the country concerned is unjustifiable, but it may also allow for less risky forms of transfer such as allowing access to the data via an encrypted link to a server in the UK or may conclude that the objectives can be met with the transfer of less data and that this lesser transfer is an acceptable risk.
Once a risk assessment has been done, appropriate controls need to be put in place. Larger multinationals may put together binding corporate rules, but the more usual way forward is to use Standard Contractual Clauses (SCCs). The European Commission had an approved set from before the UK’s departure from the EU. These are therefore acceptable for use by UK companies. The ICO has a set of these adapted for UK use on its website. They are likely to need further adjustment to be used in practice, but they form a model which can be worked from. The EU has just approved a new set of SCCs. These are not suitable for UK use and can only be used by entities that are subject to the EU GDPR (some UK companies will be). The ICO is working on its own set of SCCs, which it expects to produce at some point in 2021. Whether these will be better or worse than the EU version is open to argument.
Companies must remember that the use of online tools can easily involve data transfers to countries that are not subject to adequacy decisions. It is important to be careful when using new online processing tools and think about whether risk assessments and SCCs need to be used first.
The FCA recently held a webinar about firms’ treatment of consumers with vulnerable characteristics. The FCA published its final guidance in February, following on from its work that began in 2015 and, arguably, had its foundations in its 2006 Treating Customers Fairly (TCF) outcomes.
In this webinar, the FCA replayed much of the guidance, with key areas of focus including:
- The beginning-to-end customer journey
- Your service interactions
- How you monitor and evaluate
New Standard Contractual Clauses
The European Commission, by its decision 2021/914/EU of 4 June 2021, has adopted new standard contractual clauses (SCCs) for the purposes of article 46 of the European Union’s General Data Protection Regulation (the EU GDPR).
Organisations that are subject to the EU GDPR cannot transfer personal data to organisations located in countries or territories outside the EEA that do not ensure an adequate level of protection within the meaning of article 45 of the EU GDPR unless they implement “appropriate safeguards” within the meaning of article 46.
The SCCs are considered “appropriate safeguards” (making up for local laws viewed as inadequate by the European Commission) because (i) they saddle non-EEA organisations with contractual data protection obligations and (ii) they contain a third party benefit clause whereby data subjects can sue these non-EEA organisations in Europe for breach of contract when they fail to abide by such contractual data protection obligations.
The previous SCCs will be formally repealed on 27 September 2021. It will not be possible to include them in any new data transfer agreements after that date.
Data transfer agreements executed before 27 September 2021 will continue to provide appropriate safeguards until 27 December 2022, provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards. They will have to be amended and replaced with the new SCCs by 27 December 2022.
UK data protection standards to be deemed adequate by the EU
In less than two weeks the current grace period that allows personal data to continue to flow between the UK and the EEA will expire. However, the EU has now agreed that UK data protection standards are sufficiently high for it to receive an adequacy decision in time to enable these data flows to continue after the end of the month.
This means that the UK will join a list of non-EEA ‘third countries’ to which EU-regulated personal data can continue to flow without further restrictions. Other countries on this list include Argentina, Israel, New Zealand, Switzerland, and Japan. In a reciprocal move, the UK has also confirmed that personal data can also continue to be transferred to the EEA as previously.
However, firms should be aware that the position is not the same as it had been when the UK was an EU member state. Adequacy decisions are not permanent and have to be renewed every four years. Any renewal of the UK’s adequacy status in 2025 will depend on whether the UK’s data protection regime aligns with the EU’s. If, for example, the UK’s human rights regime is altered in such a way as not to be consistent with the EU’s, then there remains a risk that the UK will lose this newly gained adequacy status.