Organizational Requirements

As regulatory thinking evolves, firms must ensure that any current or planned use of AI complies with regulatory expectations.

By Fiona M. Maclean, Becky Critchley, Gabriel Lakeman, Gary Whitehead, and Charlotte Collins

As financial services firms digest FS2/23, the joint Feedback Statement on Artificial Intelligence and Machine Learning issued by the FCA, Bank of England, and PRA (the regulators), and the UK government hosts the AI Safety Summit, we take stock of the government and the regulators’ thinking on AI to date, discuss what compliance considerations firms should be taking into account now, and look at what is coming next.

The FCA recently highlighted that we are reaching a tipping point whereby the UK government and sectoral regulators need to decide how to regulate and oversee the use of AI. Financial services firms will need to track developments closely to understand the impact they may have. However, the regulators have already set out how numerous areas of existing regulation are relevant to firms’ use of AI, so firms also need to ensure that any current use of AI is compliant with the existing regulatory framework.

A new publication from the UK’s financial regulator signals to firms that they should take steps to manage risks in the use of AI.

By Stuart Davis, Fiona M. Maclean, Gabriel Lakeman, and Imaan Nazir

The UK’s Financial Conduct Authority (FCA) has published its latest board minutes highlighting its increasing focus on artificial intelligence (AI), in which it “raised the question of how one could ‘foresee harm’ (under the new Consumer Duty), and also give customers appropriate disclosure, in the context of the operation of AI”. This publication indicates that AI continues to be a key area of attention within the FCA. It also demonstrates that the FCA believes its existing powers and rules already impose substantive requirements on regulated firms considering deploying AI in their services.

UK regulators are considering how they can strengthen the regime to enhance standards and reduce risk.

By Nicola Higgs and Charlotte Collins

On 3 December 2021, the FCA published a Consultation Paper (CP21/34) on changes to its rules regarding the Appointed Representatives (AR) regime. HM Treasury simultaneously published a Call for Evidence, seeking views on how market participants use the AR regime, how effectively the regime works in practice, potential challenges associated with the regime, and possible future legislative reforms.

The FCA’s proposed rule changes are wide-ranging and would significantly increase the compliance burden for firms that use ARs as part of their business model. Both papers will be of interest to businesses across all sectors that use, or may consider using, the AR framework.

An FCA report evaluates the chequered implementation of technology change and identifies risks and best practices to help firms better navigate this change.

By Andrew C. Moyle, Alain Traill, and Jagveen S. Tyndall

Of the nearly 1,000 “material incidents” reported to the UK’s Financial Conduct Authority (FCA) in 2019, 17% were caused by change-related activity. It was against this backdrop that, on 5 February 2021, the FCA set out the findings of its review entitled Implementing Technology Change regarding the execution of technology change within the financial services sector (the Report). While the Report focuses on the UK, its findings apply equally to financial services organisations implementing technology change across all geographies.

New resource developed following increased regulatory focus on outsourcing.

Latham & Watkins has partnered with the Association for Financial Markets in Europe (AFME) and law firms Matheson and BSP to develop: Outsourcing – Guidance on the Legal and Regulatory Framework, a pioneering resource examining the key European legislation, rules, and guidance for financial services firms to consider in relation to outsourcing.

In light of the plethora of legislative change and increasing regulatory focus on outsourcing in financial services, as well as the growing range of sources that need to be taken into account to ensure compliance in this area, the Paper is designed to provide compliance, legal, and risk teams within regulated firms with a single reference point of regulatory requirements. The resource also provides a number of practical tools to help firms effectively map out their processes and procedures for legal compliance.

Partners Nicola Higgs, Fiona Maclean, and Andrew Moyle and associates Anne Mainwaring, Jagveen Tyndall, Oscar Bjartell, Sean Wells, and Sidhartha Lal led a team of more than 25 lawyers from five Latham offices and local law firms Matheson (Ireland) and BSP (Luxembourg) to produce the Paper.

The new guidelines reflect the European Commission’s aim to provide additional certainty for regulated entities outsourcing to cloud services.

By Rob Moulton, Fiona M. Maclean, Becky Critchley and Anna Lewis-Martinez

On 3 June 2020, ESMA published a consultation paper on draft guidelines regarding outsourcing to cloud service providers.

The purpose of the proposed guidelines is to provide guidance on the outsourcing requirements applicable to firms where they outsource to cloud service providers. The draft guidelines are intended to help firms identify, address, and monitor the risks that may arise from their cloud outsourcing arrangements (from making the decision to outsource, selecting a cloud service provider, and monitoring outsourced activities, to providing for exit strategies).

ESMA, BaFin, and FCA have provided guidelines on firms’ obligation to record client telephone calls.

By Rob Moulton and Axel Schiemann

Remote working raises uncertainties in various regulated areas as it dramatically changes institutions’ day-to-day business. In particular, institutions are confronted with practical and technical difficulties regarding client-related requirements such as the obligation to tape telephone conversations with clients — which employees working remotely may not be able to do because they lack access to the necessary technical equipment. In order to address these practical difficulties, the European Securities and Markets Authority (ESMA), Germany’s Federal Financial Supervisory Authority (BaFin), and the UK’s Financial Conduct Authority (FCA) have published their regulatory approach with regard to the current situation.

UK Treasury Committee report warns that the current level and frequency of disruption and consumer harm is unacceptable.

By Carl Simon Fernandes, Nicola Higgs, Fiona M. Maclean, Christian F. McDermott, Rob Moulton, Andrew C. Moyle, Stuart Davis, and Charlotte Collins

On 28 October 2019, the Treasury Committee published a report on IT failures in the financial services sector. The report sets out the findings from the Treasury Committee’s inquiry, which was launched following a number of high-profile and significant IT incidents. (See Senior MP Calls for Regulatory Crackdown on Banks’ IT Systems: 3 Things You Can do to Prepare.) Rather than looking into specific failures, the inquiry looked more holistically at why such incidents are becoming more frequent, how firms should be guarding against and responding to these incidents, and the role of the regulators in preventing and mitigating the impact of these incidents through their rules.

Insights from Latham’s flagship event: Managing the risk and promise of digitisation in financial services

Authors: Andrew Moyle, Nicola Higgs, Christian McDermott, and Kirsty Watkins.

The financial services industry is leading the way in outsourcing, with contract values in excess of US$10.7 billion in 2018, causing regulators to focus more than ever on the associated risks. Guidelines on outsourcing arrangements from the European Banking Authority (EBA), which came into effect on 30 September 2019, expand the requirements on institutions in this area, while both the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) are also increasing their outsourcing supervision and enforcement activity.

Latest FCA and PRA fines against a retail bank show little tolerance for poor outsourcing systems and controls.

By Fiona M. Maclean, Christian F. McDermott, Laura Holden, and Charlotte Collins

On 29 May 2019, the FCA and PRA announced that they had fined an independent UK bank for failing to manage its outsourcing arrangements properly between April 2014 and December 2016. The bank received separate fines of £775,100 from the FCA and £1,112,152 from the PRA (resulting in a combined fine of £1,887,252) for breaches of the regulators’ high-level principles for authorised firms, as well as their more detailed rules on outsourcing. Each fine includes a 30% early settlement discount.