operational resilience

Fighting financial crime, protecting consumers’ needs, and bolstering wholesale markets are the regulator’s key priorities for the year ahead.

By Rob Moulton, Nicola Higgs, Becky Critchley, and Charlotte Collins

On 19 March 2024, the FCA published its Business Plan for 2024/25, setting out its priorities for the year ahead. While the Business Plan now takes on less significance than it did historically given other publications in circulation such as the FCA’s 3-year Strategy and the Regulatory

Critical Third Parties serving the UK financial sector must ready themselves for compliance with the newly proposed operational resilience requirements.

By Rob Moulton, Fiona Maclean, and Charlotte Collins

On 7 December 2023, the PRA, FCA, and BoE jointly published a Consultation Paper (PRA CP26/23 and FCA CP23/30) which proposes a set of regulatory requirements and expectations for critical third parties (CTPs) that provide services to authorised persons, relevant service providers, and financial market infrastructure entities (FMIs). The key aim of the proposals is to manage potential risks to the stability of, or confidence in, the UK financial system that may arise due to a failure in, or disruption to, the services that a CTP provides to such entities.

The Future Regulatory Framework and Consumer Duty will be key areas of focus for the coming year.

By Rob Moulton, Nicola Higgs, David Berman, Becky Critchley, and Charlotte Collins

On 5 April 2023, the FCA published its Business Plan for 2023/24. The Business Plan sets out a number of priority areas for the regulator, tied into its three main areas of focus: reducing and preventing serious harm, setting and testing higher standards, and promoting competition and positive change.

The FCA highlights four of these priority areas that will receive additional emphasis over the coming year. These priority areas indicate a strong focus on developing the Future Regulatory Framework, including consulting on Handbook Rules to replace elements of onshored EU legislation as well as progressing the Edinburgh Reforms; and on consumer protection, including effectively implementing the new Consumer Duty.

Monitoring the progress of the Financial Services and Markets Bill and regulatory divergence between the UK and the EU will continue as a key theme in 2023.

The Financial Services and Markets Bill leaves a significant amount of the essential regulatory detail to be developed later by HM Treasury (through regulations), followed by development of the specific rules by the regulators. Therefore, firms operating in the financial services sector will face legal and regulatory uncertainty as to the UK’s regime

As the FCA’s remit continues to grow, the regulator pledges flexibility in the face of global financial and geopolitical headwinds.

By Rob Moulton, Anne Mainwaring, Jaime O’Connell, and Dianne Bell

On 7 April 2022, the FCA released its new Business Plan as part of a package including a three-year strategy document setting out the outcomes it expects all firms to deliver across UK markets. In his introductory message, FCA Chief Executive Nikhil Rathi noted that the regulator’s broad and growing remit means “prioritisation is inevitable”. The FCA’s more outcomes-based approach means its commitments for the next three years fall into three stated areas of focus:

  1. Reducing and preventing serious harm: for example, protecting consumers from harm caused by authorised firms, including tackling fraud and poor treatment. The FCA expects to “harness data to assess problems more quickly”, with the aim of preventing harm from happening in the first place.
  2. Setting and testing higher standards: for example, focusing on the impact authorised firms’ actions have on consumers and markets. The FCA expects the new Consumer Duty to give firms greater certainty about how they should treat consumers as well as flexibility on how they deliver good outcomes.
  3. Promoting competition and positive change: greater regulatory open-mindedness, for example, by building on the globally copied “sandbox” and introducing a “scalebox”.

This annual publication outlines some of the primary focus areas in 2022 for UK-regulated financial services firms. There has been a marked shift away from dealing with immediate post-Brexit priorities to more fundamental consideration of the direction of travel of UK financial services regulation, and this is borne out across many of the topics covered in this year’s publication.

While monitoring regulatory divergence between the UK and the EU will be a key theme for 2022, other familiar topics will

An FCA report evaluates the chequered implementation of technology change and identifies risks and best practices to help firms better navigate this change.

By Andrew C. Moyle, Alain Traill, and Jagveen S. Tyndall

Of the nearly 1,000 “material incidents” reported to the UK’s Financial Conduct Authority (FCA) in 2019, 17% were caused by change-related activity. It was against this backdrop that, on 5 February 2021, the FCA set out the findings of its review entitled Implementing Technology Change regarding the execution of technology change within the financial services sector (the Report). While the Report focuses on the UK, its findings apply equally to financial services organisations implementing technology change across all geographies.

The guidelines aim to promote the adoption of robust practices for managing technology risks in the financial sector.

By Farhana Sharmeen and Marc Jia Renn Tan

On 18 January 2021, the Monetary Authority of Singapore (the MAS) issued revised guidelines (the Guidelines) to take into account the fast-changing cyber threat landscape and financial institutions’ increased reliance on cloud technologies, application programming interfaces (APIs), and rapid software development. The Guidelines apply to all banks, payment services firms, and brokerage and insurance firms.

The Guidelines, which became effective immediately on the date of issue, aim to support financial institutions by providing them a framework of best practices for overseeing technology risk governance, practices, and controls to address technology and cyber risks. The Guidelines are not meant to be exhaustive or prescriptive, and have incorporated feedback received from the public consultation conducted in 2019.

New resource developed following increased regulatory focus on outsourcing.

Latham & Watkins has partnered with the Association for Financial Markets in Europe (AFME) and law firms Matheson and BSP to develop: Outsourcing – Guidance on the Legal and Regulatory Framework, a pioneering resource examining the key European legislation, rules, and guidance for financial services firms to consider in relation to outsourcing.

In light of the plethora of legislative change and increasing regulatory focus on outsourcing in financial services, as well as the growing range of sources that need to be taken into account to ensure compliance in this area, the Paper is designed to provide compliance, legal, and risk teams within regulated firms with a single reference point of regulatory requirements. The resource also provides a number of practical tools to help firms effectively map out their processes and procedures for legal compliance.

Partners Nicola Higgs, Fiona Maclean, and Andrew Moyle and associates Anne Mainwaring, Jagveen Tyndall, Oscar Bjartell, Sean Wells, and Sidhartha Lal led a team of more than 25 lawyers from five Latham offices and local law firms Matheson (Ireland) and BSP (Luxembourg) to produce the Paper.

The new guidelines reflect the European Commission’s aim to provide additional certainty for regulated entities outsourcing to cloud services.

By Rob Moulton, Fiona M. Maclean, Becky Critchley and Anna Lewis-Martinez

On 3 June 2020, ESMA published a consultation paper on draft guidelines regarding outsourcing to cloud service providers.

The purpose of the proposed guidelines is to provide guidance on the outsourcing requirements applicable to firms where they outsource to cloud service providers. The draft guidelines are intended to help firms identify, address, and monitor the risks that may arise from their cloud outsourcing arrangements (from making the decision to outsource, selecting a cloud service provider, and monitoring outsourced activities, to providing for exit strategies).