Regulatory Round-Up | December 2018

  • |
  • 53 mins 12 secs


  • Marc McCarthy, Senior Business Consulting, AutoRek
  • Andrew Henderson, Financial Services Partner, Eversheds Sutherland

Learning outcomes:

  1. An overview of regulatory changes in 2018
  2. The role of technology in regulation and compliance
  3. What to expect and how to be best prepared for new regulation in 2019


London • Harpenden
Tel: +44 (0)1582 764000

New York
Tel: +1 212 661 4111

If you have found this report informative and would like further information please email at [email protected]
PRESENTER: 2018 has really been a year of regulatory changes. So, in this, the fifth of our Akademia Compliance Workshops, we’ll focus on what’s happened in the post MiFID II world, GDPR, CAS and what to expect in 2019. Joining me to discuss will be Mark McCarthy, Senior Vice President of International Sales at AutoRek, and Andrew Henderson, Senior Business Consultant, Eversheds Sunderland. There’ll be three key learning outcomes: an overview of regulatory changes in 2018; the role of technology in regulation and compliance; and what to expect and how to be best prepared for new regulation in 2019. But first we’ll start with an overview of 2018.

Well, Andrew, let’s start with an overview of 2018, what have been the main regulatory changes?

ANDREW HENDERSON: I think there’s been a continuing focus on individual accountability, particularly through the extension of the senior manager certification regime. I think there continues to be a focus on growing technologies, particularly in the context of crypto-assets and the like. And some of the continuing themes I think around retail protection. But of course looming large over all of this is the withdrawal from the EU. And so much of the legislative time, the rule making time that has been taken up by the FCA and the Treasury really has been to that end. And so I think that looms large. And the open question of course is the extent to which it’s diverted the FCA away from other initiatives.

So I think those are the ones. And in many respects they are, some of those themes are a continuation of last year. I think in addition to new initiatives, bedding down existing initiatives has also been important, and I think we’re going to come on to talk about MiFID II. But certainly when I look at questions that our clients are asking, a lot of those still arise around uncertainty with respect to MiFID II, how that impacts their business. And indirectly of course there’s been the general data protection regulation, not a dedicated piece of financial services law, but one that has occupied a lot of time. And I think the stress of the GDPR following so soon after MiFID II certainly has been felt by a lot of our clients.

PRESENTER: And, Mark, for you, what’s characterised 2018 in terms of the different regulations?

MARK MCCARTHY: Absolutely, so from our perspective, I’m very much from a technology background, for us the key essence of this year has been around remediating some of the issues that we’re seeing coming through MiFID II. Obviously everyone has worked very hard up to January 3rd 2018 to try and get everything in place; however, not everything bedded down as neatly or as nicely as we would like to have seen. Everyone’s grappled with MiFID II. Particularly in transactional reporting space, something that looks so benign really as a concept has ended up being incredibly difficult for everyone. If we look at the first six months of the year, we were looking at 3.5 billion transactions being reported in the UK alone. This put enormous strain onto the portal that the FCA has, and it’s been hard work for everyone involved. So what we see is a lot of reporting firms actually still struggling through that, still having teething issues today with getting everything truly bedded down.

PRESENTER: What I was going to say is from the start of this year, 2018, it did seem like there was this flurry of excitement when it came to MiFID II. But now it’s almost back to business as usual. So as we go into 2019, what’s fundamentally changed when it comes to MiFID II?

MARK MCCARTHY: So there’s still quite a few areas which have not been fully bedded down as I said before. So there are some parts of the regulation that still not really adhered to by many firms. So whereas the reporting has taken place of all of their transactions, there are still reconciliation requirements that they’ve not fully fulfilled yet. So at the moment I think there’s only like 15 or 16 firms actually take data from the FCA to perform their obligation under RTS22 Article 15, which is the form of reconciliation against their front office systems, and against their ARMs. And that’s not really taken hold yet, as I say only about 15/16 companies have really gone down the route of getting that data back and performing that action. And when we look at that, and we speak to these clients, even a lot of those have not fully automated this process yet.

So there’s still work to be done. I don’t think everyone’s fully over MiFID II yet. I think everyone’s done as much as they can. I think it’s stretched all the resources, and as you mentioned the challenging regulations that have come into place have just put an enormous strain on companies this year, and it’s just not allowed them to fulfil everything that they needed to under their obligations.

PRESENTER: And Andrew, you mentioned Brexit, and you mentioned MiFID II, so what are the territorial scope of MiFID II and the impact of Brexit?

ANDREW HENDERSON: No, that’s an excellent point. Because what we’ve found is that in all the noise around Brexit there are a number of fundamentals that have been overlooked. And one of the points that we make, both to our UK clients looking at doing business in the EU27, as it’ll now be known, and indeed to EU27 clients coming to the UK, is that the regime that they’re going to be relying on, the so-called third country regime, and I’ll need to explain a bit more about that. It’s a lot more clear-cut I think in the context of MiFID and the alternative investment fund managers directive, is essentially the same regime that for example US firms currently rely on. So a lot of people talking about the great uncertainty around Brexit, I think missed the point that actually the regime that they’re going to be complying with is one that is already in existence.

I think one of the important points too is you mentioned territorial scope of MiFID II, and it’s a lot clearer in the text of MiFID II, again following on from MiFID I, that the starting point is the provisions of the directive, and the rules, national member state rules that give effect to those, only apply to business that is carried out from an establishment in the EU. Now the marketing of investment services and financial instruments will be governed by individual member state laws, and again I come back to the example of having advised for example US clients. They’re always slightly bemused by the fact that notwithstanding that there purports to be a single financial market, I don’t think there yet is, they still have to go out and ask each individual member state, or professionals of those member states what the local rules are.

So those will still remain. But there’s a paradox, because a lot of current UK clients, EU27 clients, they’ll always mention the services passport under MiFID, and say we’re currently passporting, how does that continue? To which the answer is well actually technically speaking if you’re a third country you don’t have to rely on a services passport, or anything akin to that, because actually the rules will kick in if you are permanently established. If you go back and look at European Commission guidance given in 2007 about the territorial scope of then MiFID, they refer amongst other things to WTO rules, World Trade Organisation rules, and there’s a lot of talk about that amongst the politicians.

But the point that we make is that a lot of those standards are already hard wired into the directives and principles about non-discrimination and allowing any third country essentially to get the same deal as another third country, I think become very important. And I know one doesn’t want to get in and discuss the political issues, but at a very practical level the major disrupting force of course is the need to establish some type of presence to then rely on an EU27 member licence, or alternatively establish a business in the UK if you’re coming the other way. But once you get over that actually there are a lot of other aspects that should be quite familiar. So there’s not as much of a great unknown as a lot of people I think will make out.

Another feature, and I think this is important, is when you look at the political declaration and the withdrawal agreement, and the arrangements for financial services there, technically speaking there is no difference between those and the provisions that would apply in the event of a so-called hard Brexit. Essentially it will be third country status. This idea of equivalence, which again is a much abused term, because there isn’t a single idea of equivalent, but a number of different equivalences across the various directives. Now MiFID II is interesting, because it does introduce a third country regime. But again that’s much understood, because the third country provisions, certainly in the MiFID II directive, essentially say that if a member state wishes, that is chooses to impose a branch requirement on a third country member state, then it must do so in a particular way. And then there is a mechanism under the MiFID regulation, the fear, which allows the European Securities and Markets Authority to register third country firms. And again it’s not expressly articulated, but the reason for that we say is to override any local member state branch requirement where you’re offering services to so called per se professional clients or eligible counterparties.

So there’s been a lot of misunderstanding around how those third country provisions work, and I think we still come back to the position about saying actually the third country provisions are fairly well established. I think they arguably have been since the ISD back in the, I think the early ‘90s. So from that perspective while there is of course lots of organisational change; from the perspective of legal and regulatory certainty, there may not be that much. There’s some interesting issues around outsourcing, but we can perhaps talk about those in due course.

PRESENTER: Well before we get onto that, Mark, what are your thoughts on this, and so come March there’s nothing really we should be aware of, nothing’s going to change?

MARK MCCARTHY: I would agree with Andrew. I definitely don’t think there will be much that will change. Certainly for many of the firms out there, they already will be in Europe anyway, there’s not actually that many firms I don’t think with just UK branches. So they will fall into these categories that Andrew outlined.

PRESENTER: And cross border services, did you mentioned, I’ll put this to you Andrew, what changes are afoot, and how do you think people can best navigate this?

ANDREW HENDERSON: Well I think we’ve got to be very clear when we talk about cross border services. Because on the one hand there are the services directly to clients, and I think as I suggested earlier our view would be that the actual delivery of those services should be capable or possible on a cross border basis. The point at which they’re policed is at the point of marketing or sale. And in effect that will make it difficult for a UK firm to service retail clients in the EU27 and vice versa. But certainly when it comes to servicing professional clients and eligible counterparties, to use the MiFID classification, there ought not to be a big difference. But this brings me onto the second aspect, and that is that where you have an entity that is providing services to another regulated entity on an outsourced or delegated basis.

Now there are a detailed and developed set of principles that deal with that. They arose under MiFID I. They were dropped into the MiFID organisational regulation under MiFID II. And then some were developed specifically in the context of asset management or portfolio management really to align those provisions, so what’s already under the IFMD and the UCITS directive. But here while there are very clear principles set out in the directive, a point of interest, and this I think is relevant. It’s not so much that you’ll necessarily see a change, but it certainly is a way that UK firms in particular will need to think about things. But the issue that was raised first by the European Securities and Markets Authority, then the European Commission weighed in, and then I think the other European supervisory authorities followed suit, was in essence the idea of the UK firm establishing a limited presence in an EU27 member state, and then via a delegation or outsourcing essentially entering into an arrangement whereby the services are delivered say from London. And it’s here that there was a lot of scrutiny. ESMA issued a so-called opinion on this.

The essence of that was really to drive the point that they didn’t want, well first of all they didn’t want individual member states being able to roll out the proverbial red carpet to UK firms and say come to us we’ll make it a lot easier for you. They wanted a level playing field. So arguably this measure wasn’t directed so much at UK firms, but rather frankly at the likes of Luxemburg and Ireland who might have been a little more accommodating let’s say. But the essence of that opinion is firstly that there had to be sufficient mind and management on the ground. And that wasn’t simply a question of having numbers, but was also a question of having the knowledge and expertise to oversee the outsourced service. And there was some rather barbed aspects to that; for example a suggestion in a follow-up or specialist opinion that if you were delegating a service back to London, you almost had to take that service through an internal procurement process.

And again one might say commercially that’s somewhat bizarre, because if I approach a particular service provider say in Paris, I’m looking for the expertise that is offered out of London. And suggestion that that Paris branch say almost has to put the service out to tender amongst a number of firms is slightly odd. But that is an area that did attract a lot of focus. In practical terms what that will mean of course is that if you are establishing a branch in the EU27, you will need to ensure that you have appropriate staff, both in terms of numbers and in terms of competence. And in particular the oversight arrangements are very clear and well developed. And I think what we say is that doesn’t only operate one way. Actually even if you are looking at where the service is delivered from London, you would need to ensure that there were appropriate systems and controls, that great term always used, but that operated the other way, because there’s no doubt that the FCA or the PRA overseeing that business. So I think that is, when we talk about the cross border piece, I think firms mustn’t forget about the whole outsourced or delegated piece as well.

PRESENTER: So Mark, considering where we are when it comes to MiFID II and going into 2019, what tech solutions are out there to help?

MARK MCCARTHY: Well I think with all regulations that we’ve seen over the past few years, each regulation that’s come along has spawned a new industry for Fintech and Rectech, and we certainly have seen that coming up to MiFID II. There’s very interesting new technologies out there that can help with all of the aspects that firms will face whilst reporting on MiFID II. So I think this creates an interesting opportunity for startup companies who want to play in the niche markets. It’s also been quite interesting to see how banks and investment firms have responded to this emergence of firms. Older firms, legacy firms with legacy systems have had to upskill themselves, have had to build out their technology, their modules, to allow for the regulation to really be fulfilled through their systems.

Similarly the emergence of the ARMs, I mean obviously they were borne out of MiFID I but MiFID II is far more complex in its approach, has also meant that a lot of tech has had to come into place. And it’s been quite interesting to see how AI and robotics, and also to some degree block chain is starting to take hold in these sectors, and starting to assist with giving greater transparency for firms to report. And at the end of the day all of the regulations that we’ve seen throughout 2018 are all about ensuring that the consumer is protected, that there’s transparency in place for all of the transactions that firms are doing on behalf of their clients, that all of this is reported in a timely manner. And that is a large scale, large amount of data, as I mentioned earlier 3.5 billion transactions in the space of six months is an awful lot of data to be prepared, as well as consumed by the FCA.

So technology has played a bit part, but it’s not everything for all of the regulations. Even within MiFID II it plays a big role, it plays a predominant role, but there’s still a cultural aspect within firms to actually embrace these technologies, and also to embrace the regulations themselves, and effect those cultural changes that need to be put in place. At the end of the day it is company culture that has brought us to the global financial crisis in 2008 in the first place, and it’s that that we’re trying to remedy. And that cannot just be done through technology.

PRESENTER: And do you think firms are doing enough, do you think we’re headed in the right direction?

MARK MCCARTHY: I think firms are being pushed, and that’s what these regulations are about. Some of them seem a bit over the top, but at the end of the day they’re just about creating that transparency that any firm should have in place already. I’m amazed with the clients that, or the prospective clients that I go to that still rely very much on outdated technologies that look at using spreadsheets and tools like this to very complex tasks. To calculate complex calculations for their instruments, and that this is not actually put into a proper system where it’s fully automated, where there’s governance, where there’s audit and control around the data is mind boggling sometimes. But firms are getting there. They’re being pushed there, but some of the newer start-up firms, particularly in the Fintech space. So look at challenger banks for example, or the new fund platforms that are out there. They start on the premise of technology. They start very much with that in mind, with that being their end goal already from day one. And I think some of the older firms just need to catch up.

PRESENTER: Well other regulation that’s been ruffling feathers this year is SM&CR, so how do you think this has been received Mark, and also what sort of issues have arisen from it?

MARK MCCARTHY: Well SM&CR is a hugely complex piece of regulation, I think, and a lot of firms will struggle with fulfilling it. The impact of the regulation to staff is immense, to the number of firms is quite large as well. So I read recently that something like 47,000 firms will be affected by this piece of regulation. The very fact that senior managers will have to go through a preapproval process through the FCA will potentially also hinder companies from hiring key staff very quickly, replacing staff very quickly. I think the impact as well of the decision maker being at such a high level will also cause issues whereby decisions might need to be made by SMEs at a much lower level within an organisation. And suddenly here we’re saying that we don’t trust lower level staff. That in order to feel fully compliant that some senior managers might feel that they need to actually make the decisions on behalf of their staff, and maybe they’re not fully informed about what it is that they are entering into. I don’t know, Andrew, is that something that certified staff should allay, should that be?

ANDREW HENDERSON: I think when it comes to the senior manager certification regime, a point that we will always make in start of the technical one, which is simply to say that the senior manager regime is merely an evolution of the approved persons regime. And those of us who cast our mind back to the failure of Barings Bank will be reminded of the reason that the approved persons regime came into force, and then proved to be ineffective around the financial crisis. The focus we say with it really is on individual accountability. People say well we know that, what does that mean? Well it’s the idea that no individual can get away by saying that something wasn’t his or her responsibility when indeed it was. The idea of it was your watch and therefore you are presumed to be responsible, not in the old sense of a presumption of responsibility. But the reality now is that if something goes wrong. And we already see beginnings of this. The FCA or PRA, as the case may be, would come in and say right we’ve identified a breach by the firm. Now it must follow that there was a senior manager responsible for that breach, and we now need to look at his or her individual conduct.

And that conduct is really judged on a twofold test. The first is what we call a subjective test. But there the starting point will be the responsibility statement. And that is new and very practical. And we’ve already seen this in the work we’ve done with banks and building societies and insurance companies, where individuals actually have to commit to more than just job description, but actually being very clear about what it is that they are responsible for. I think to come to your point, that goes into the, will go into the FCA in terms of the extended regime. But that statement assumes a very important significance. Because if something does go wrong the first place that the enforcing agency, or the FCA in the case of a firm like that, will look at that responsibility statement. And then the second aspect will be even if we’re satisfied that this person discharged their responsibility under the statement, the subjective test, they will still ask a more objective test. Did they exercise due skill and care? And I think here there are overlaps then with the certification regime, with issues around standards of conduct.

So when we look at the entire regime, what it has really done is it’s focused minds, and will continue to focus minds. There are still existing principles of good governance. This doesn’t for example have an impact on what your board composition ought to be. But I think to our point about allocating decisions, it does become important. Because someone who might have not really thought of themselves as being the ultimate decision maker because they weren’t on the board, actually suddenly found themselves being signed onto one of the senior management functions. So it’s focusing the minds. And I think then rolling over into these more practical aspects about making sure things are properly written down and understood.

MARK MCCARTHY: I think the first instance that I’ve seen of this definitely has been within the CAS world with the emergence of the CF10A. One thing that I’ve always been concerned about when I go to some firms is I meet a CF10A, and quite frankly it’s the most junior person in the room. It’s kind of the fall person almost, or it feels that way sometimes. So definitely this regime is all about focusing that back into the senior managers themselves. It’s not just an individual; it’s a group of individuals who all have tasks and responsibilities within the organisation. And it’s about them taking that role very seriously. And it comes back to what I mentioned earlier under MiFID II, it’s all about the culture of a company. It has to come from the top down. If the top is held responsible, then the rest of the company will follow that lead as well.

ANDREW HENDERSON: There’s also another aspect to this regime, which is sometimes forgotten. And that is that currently it is the responsibility of the authorities to approve people. Under the new regime they will still have that responsibility, but for a narrower cohort of people, the senior managers. But essentially what the law makers have done is that they have shifted that responsibility back onto the firms themselves. Not just the certification regime, but now you’ve mentioned also about people being a lot clearer before they submit an application that somebody has been properly vetted. An interesting aside to this is we’re involved in a lot of financial services M&A, and very quickly people will want to say actually we need to acquire a business quickly, and then we want to put one of our own people onto the board. And suddenly they’ve realised that actually that process for putting someone onto the board can last up to six months – something that hadn’t really been thought about. So that doesn’t actually interfere too much with the M&A timetable, but it’s an added complexion.

But this aspect, and it’s almost picking up on the theme of if the FCA were to hold that there’d been a failure in a particular part of the business, then someone must be responsible, may also go to instances where you have an individual. Take the rogue trader for example. Once a rogue trader is detected and disciplined, it’s likely then that the FCA will turn around and say well when was this person certified? And on what basis was this person certified? And if you certified this person let’s say three months ago, how did you overlook this? So I think this is an aspect too that you move away from the individuals themselves, but actually look at this additional burden and risk that the firms have to assume, and that aspect around culture actually does become important. There’s a lot of people who might say look the way through all of this is we just make sure we hire and select the right people.

MARK MCCARTHY: Yes, it’s not just about the hiring process though. It’s also about monitoring the staff throughout their cycle. I know there’s annual reviews for everyone involved in SC&MR; however, what we see from a technology standpoint is obviously there is a lot of MI reporting that we can provide for this. But unlike all the other regulations that we’ve looked at, my gut feel is that this is more of a cultural shift within organisations. It’s more adherence to policies and procedures within organisations, rather than something that can be fixed through technology. Now obviously in the banking world, and particular in the finance world, it’s quite simple to have an account sign-off structure in place, these kind of processes which do allow for monitoring. But beyond that the individuals and their actions, it’s not that easy to monitor all of that at all of the time.

PRESENTER: So then, Andrew, is there a checklist on how people can prepare for the FCA’s senior management regime, and also issues with non-compliance?

ANDREW HENDERSON: Yes, I mean the key thing that we have found is that notwithstanding that this regime originates in a piece of financial services law, and notwithstanding it is the FCA that is charged with policing in the context of the types of firms we’re talking about, it is not necessarily going to be the compliance function that is going to lead on this, but very often the human resources and employment function. Because a lot of these issues that we’ve been discussing around quarterly reviews and the monitoring, actually will often go down to what the HR function does, working very closely with compliance. So in a very practical way when one comes to implement or design and implement an effective project, the need to involve HR, and I dare say even have them lead on this, not have this as being shoved to the compliant function as yet another piece of regulation, I think is a very important first starting point.

I think the second point is really being clear about how the governance or command structure within the business operates. And what we’ve found is that the regime has forced a lot of firms to actually really look again clearly at who is responsible for what. This can have a positive effect because they might say actually this feeds into more effective business processes. And I think there isn’t necessarily a misalignment between good compliance and good business. And so people have actually seen this as an opportunity. And then in terms of really drilling it down, I think it’s been absolutely clear that individual senior managers are identified and engaged, particularly with respect to the generation of responsibility statements, and those statements are agreed. Because what some individuals might find is actually they don’t want to take on as much responsibility as they would like because of the liability. And then I think a second point is making sure that it all knits together.

Now the need for example to have responsibility maps is not one that will apply to all firms, but we say in practice it’s going to be necessary to understand how everything knits together. But I think at the next level down around certified staff, it’s understanding how all of those functions will tie together. And again even if those individuals don’t have responsibility statements, it’s about being confident that they understand what is required for certification and that they can in fact be certified. And this is where the human resources piece takes on. And then really the final piece below that is the ongoing need to ensure that people understand conduct rules. And this then really throws the whole point around non-compliance, and there are two aspects.

I think there is the non-compliance for individuals, which in many respects if fairly clear. And what we’ve said is people have moaned about the fact that you have this plethora of conduct rules, which essentially have gone from just applying to approved persons, all of your staff practically other than the very minor staff. We simply say that those are merely a reflection of good principles of practice that would underpin the firm’s regulatory obligations generally. So, coming back to the example earlier, if there was a breach by the firm, that’s going to be at the hands of individuals, unless the robots are now running the shop. And so they will link back. So I think there’s that aspect of individual non-compliance, but we still come back to this point about non-compliance by firms. To actually adequately implement the SM&CR by having proper processes, ensuring those processes are regular, coming back to your point about monitoring. And certainly the failure, SM&CR related failure isn’t simply going to be something being visited on individual, but there’s also the broader risk to the firms about not implementing properly.

PRESENTER: Well, Mark, let’s look at the technology now, and governance. What sort of tech is out there to aid regulation and compliance?

MARK MCCARTHY: Well as I mentioned earlier there’s a whole plethora of new firms that have come up in the Fintech and Rectech industry that have taken on these crucial roles of trying to bridge gaps that currently exist. I think as we go through the next few years we’re going to see more and more technology rolled out to assist us with all of these areas of regulation, to bring up these levels of governance and transparency that are so badly needed. At the end of the day as I mentioned earlier, it really is about consumer protection, it’s about the consumer at the end of the day, and making sure that firms are compliant, and that the culture that they have is compliant with the laws.

So I think coming up we are definitely going to see more emergence of artificial intelligence that will help us identify key customers, will help us tailor solutions to them that we don’t miss-sell to consumers. I think robotics will play a huge part in ensuring that data is correct and is not misaligned. We see an awful lot of that. As I said before big data means an awful lot of errors in data. Now that might be a small fraction of that information set, but nonetheless no one really wants to be at the receiving end of incorrect information held by a firm. So these sort of areas will definitely, these sort of technologies will definitely assist companies to be more accurate and better going forward. And then we can’t ignore the disputed ledger transactions.

The DLT block chain is something that’s definitely on the horizon. We’ve seen companies like Ripple and Digital Assets try very hard to come up with workable solutions using this new technology. I personally think it’s an incredibly exciting new world. We still need to find the right use cases for it. I think some firms have hit the nail on the head, others have not. We’ve very much in a phase of trial and error, and we will see what the next few years bring. We did not actually get what was originally heralded as this new technology, and how it would replace interbank settlements for example. None of that has really occurred yet, but it certainly will come more and more to the fore. I know we’re going to be talking about crypto currencies in a few minutes. I definitely think that these are here to stay. I know that we’re seeing a huge amount of volatility in that market at the moment, but the key concept of tokens and the ability for people to have secure ledger transactions between one another I think it something that we definitely need to head towards.

PRESENTER: Well before we move onto cryptocurrencies, I just want to ask you, Andrew, about the role of the CTO. How do they fit into all of this?

ANDREW HENDERSON: Well I think there’s a vitally important point. That with the advent of technology is the advent of operational risk. A fear that has been voiced is that if there’s an over-reliance on technology, including the use of technology to avoid catastrophe, actually you then run the risk that technology may fail, and then you have a double issue. So the role of governance around that becomes very important. We’ve coined a term called KYT, know your tech, with the idea that when a financial services firm purchases a piece of kit, that there is someone who understands what they have purchased. I cast my mind back to Barings Bank, and there was a very, well attributed statement to a Barings Bank director along the lines of we don’t understand derivatives but they make us lots of money. Barings Bank fell because of a rogue trader.

Now similarly if a senior executive within a financial institution was to say we don’t understand financial technology but it saves us lots of money, and something was to go wrong, there’d be issues for them. When it comes to the chief technology officer there is a designated senior management function, the SMF24. It’s an unusual function in that actually it can be split amongst more than one individual according to their expertise. The degree of scrutiny that a CTO will receive will really be dependent on the degree of complexity of the business. We say that a key issue, and we say this to our technology clients, will be the ability of those at the front line of technology to explain concepts clearly to those in positions of management. We can’t expect our CEO of a general bank to understand how to code a machine. But they at least need to be put into a position whereby they can understand what they’re dealing with. The non-executive directors need to be put in a position that they can challenge this.

So that role of the chief technology officer isn’t just one of understanding the technology, the KYT, but being able to explain and communicate that understanding via efficient management information to the other members of the board. And we say that will become an increasing focus.

MARK MCCARTHY: I think that’s going to become harder and harder for CTOs to do to be totally honest, as we see more and more companies go towards cloud offering and hosted offerings, whereby the technology aspect is actually removed from the company altogether. It’s actually put in the cloud, someone else is managing the risk, it’s more or less outsourced.

ANDREW HENDERSON: But this also gives rise I think to a second important factor. During the financial crisis we all came to understand the concept of too big to fail. Our concern is that with the reliance on centralised cloud technologies and other centralised systems, you’re then thrown into looking at systems that are too important to fail. And one of the possible spurs for regulatory intervention in the likes of the cloud won’t be around the traditional concerns that there’s bad conduct or the like, but rather it will be that if a service like that fails there has to be a means for outside intervention. And if that service is so large or so important, too important to fail, there has to be a way of a governmental authority being able to step in outside say the normal insolvency rules. That was what was found wanting during the financial crisis.

So the more that technology becomes a part of the financial services sector, the more we see these new concepts like know your technology, the too important to fail coming in. We’re not convinced that a lot of lawmakers have yet grasped those, because they move so quickly. I think those are going to be become…

MARK MCCARTHY: I’ll add to that as well, I don’t think many companies have grasped that either. Because a very interesting point that you raised, in all of these years of working in the technology space, that question has only just come up once in the past three months, which is what if your cloud provider goes insolvent, what happens then, what’s the fall back? And no one’s got an answer for it to be totally honest.

ANDREW HENDERSON: And one piece of very practical advice is never ever say to a regulator it’ll never happen, they’re too big to fail. It’s the worst words. But agreed, and I think these are the issues. Technology is exciting, but over-reliance on technology can give rise to those risks.

PRESENTER: Well, Mark, we’ve talked about the CTO, but how much onus do you think is on the actual board to know the technology?

MARK MCCARTHY: I would certainly agree with Andrew that as a board member you should be aware of the technology that the company is using. And I think the more I look at the financial services industry, the more I see technology playing a bigger and bigger part, and personnel actually playing less and less of a part in the actual day-to-day processes. I mean we’ve already seen it with algorithmic trading. I see it very much in the space that I work in, which is around control mechanisms in operational space, and finance world as well where technology is starting to erode the human interaction really with the datasets that they’re working with. I mean key to this is obviously understanding what you’re presented with if you’re sitting on a board. I certainly would make sure that my board members are technologically savvy, because that is a key essence of being a board member today. Especially if you’re looking to a company that is so heavily built on technology, you certainly do have to have a bit of a better understanding than how to use Outlook.

But that said, obviously the board members are there to provide other inputs into an organisation, they shouldn’t be just technologists. I wouldn’t want to see Fintech people sitting on boards necessarily of big financial firms, but there needs to be that degree of knowledge. There needs to be that awareness of what’s coming next, because I think very much to Andrew’s point, how can you govern an organisation that’s running away with itself in terms of technology? And especially if you’re then responsible for that organisation, and things go wrong, then the fallout is on you.

PRESENTER: So let’s move onto crypto-assets now, and these have certainly been a big theme for 2018. So, in terms of regulation, how advanced is it when it comes to crypto-assets Andrew?

ANDREW HENDERSON: The crypto-assets task force, which was essentially a joint initiative between the Financial Conduct Authority, Bank of England and HMT, have taken good first steps. But a point that is important to grasp is really the understanding around what we mean when we talk about a crypto-asset or tokenisation. Simply put tokenisation is no more than an entry in a block chain of distributed ledger. And in the case of a so-called exchange token like Bitcoin, there is a single entry, and in a sense the value is captured within that entry. Similarly with some of the applications that support block chain, such as Ethereum, the so-called crypto-fuels, there is a single entry. However when you actually look at other types of crypto-assets, and the joint task force talked about security tokens and utility tokens. And indeed we say that is a useful starting point, but actually there’s a more fundamental classification around what we describe as a crypto voucher, which is essentially saying that what is shown on the block chain represents a real life asset. The integrity around that real life asset becomes very important, the safekeeping of that real life asset.

If you are tokenising the interests in a collective investment fund, you need to be clear that those interests are properly protected. If you are tokenising gold for example, far more straightforward example, and bearing in mind gold is unregulated in the financial services sense, you would still need to be able to say is there an appropriate arrangement for actually vaulting, keeping the gold physically safe by something called a bailment arrangement, old common law arrangement. And interestingly when you start talking about tokenised cash, and this is different say from a crypto exchange token, where somebody’s actually saying we’re going to lock up money in an account as the Winklevoss brothers have introduced a coin, a so-called stable coin a couple of months ago, what are the arrangements for actually ensuring that that cash is kept safe? And then the bigger question that really comes is that having identified what type of assets you may be dealing with.

Where you have a regulated asset, so a share, how should those that are either offering those tokens to the public be regulated? Ought there to be parity within the manner which say a share would be offered normally? We say yes there should be, because it’s the same economic risk. And then importantly when firms are carrying on regulated, regulated with respect to those offering custody for example, arranging deals, advising, how should they be regulated? So there are steps being taken towards classifying these assets, and then introducing the regulation. But it’s still early days. The best way that you can understand a crypto-asset is actually by seeing it in action, and there still aren’t that many user cases because this is still a new, it’s a new type of, it’s a new way of delivering financial services let’s say.

PRESENTER: So, Mark, this month as part of a Treasury-led crypto-asset task force the FCA published a report on the UK’s policy and regulatory approach to crypto-assets. What came out of this, what did you find interesting?

MARK MCCARTHY: Well as far as I can see it’s very much looking at crypto-assets in terms of which part of these are currently already regulated and which part of these might require regulation in 2019. Certainly I think the regulator will be taking more of an interest as we see more and more crypto-assets come into the market and the valuation very much of the underlying assets that they protect. One of the key factors I find quite interesting is that obviously there’s the fiscal asset itself, but then there’s also the key to that asset. That key also has to be safeguarded. I think there’s a lot of regulation round that lacking at the moment. I’ve heard some organisations are offering vaults for these keys now, so basically digital keys that are taken offline and put in an air gapped environment.

So all of that still begs the question who owns what in that whole arrangement? The question recently came up is actually CAS, does CAS actually apply to that key for example? So there’s still a lot of unanswered questions out there. I think the task force has still got a long way to go in terms of identifying what the regulation should look like, but I think it will evolve over time, just like any of the other regulations we’ve seen so far.

ANDREW HENDERSON: The difficulty with this is that there is a tendency to want to overcomplicate things, particularly when you don’t fully understand something. We’ve had to grasp with questions around the proprietary status for example. And I think we’ve been quite confident that actually our common law trusts works very well, and these ancient doctorates that you start deploying to explain these new technologies. You talk about the manner in which all aspects of crypto-assets have to be safeguarded. Should they be subject say to existing rules around client assets or client money? We say that even they don’t there’s still fiduciary duties around how they’re to be protected. But the danger, well, not danger, the difficulty is that the technology is complex. There’s a tendency amongst a lot of involved in the technology to say a lot and confuse things even more. Once this gets worked out, probably once there’s been a few things go wrong and the odd scandal, I think a lot of things will bed down. But there’s so much noise and confusion that seems to cloud what really should be pretty simple concepts in terms of identification and treatment.

PRESENTER: So let’s look towards the future now, and 2019 is just around the corner. So, Mark, what sort of new regulation do you think is afoot, what are you watching out for?

MARK MCCARTHY: Well what we’re very much looking into at the moment is SFTR and how that’s going to bed down next year. I think there’s a degree of fatigue at this point. We’ve seen [AMIR? 0:46:50] come in, we’ve seen MiFID II come in. I have got a lot of clients who do transactional reporting across the whole G20, and yet they’re seeing yet another piece of regulation coming out that they need to adhere to. I think for us next year is very much trying to find a better way to assist our clients with overcoming SFTR without too much hindrance to their businesses. As I said it’s quite time intensive to get these regulations in place, and I think what companies will want to do in the coming years is really look towards technology to fix these problems for them without them having to do too much.

PRESENTER: And, Andrew, what do you think people can learn from 2018, how can they best be prepared for 2019?

ANDREW HENDERSON: A lot of the themes are the same, a lot of the practices are the same. And really what we mean by that, we’ve spoken a lot about governance and individual accountability. We’ve been involved in the so called skilled persons reviews, and mainly looking into, really into failures of systems and controls. And there’s been what we’d say the usual focus from the regulator, which is we need you to look at the first line controls amongst the business people, the second line amongst compliance and the third line amongst audit. But always they have also asked us, and look at what the board was doing. So I think the role of governance, and again this term is banded about but it comes back to the ability of those in the business to communicate effectively with those on the board via management information, and importantly the board then to process that and make effective decisions. So the whole roles around governance and the continued focus on governance I think become very important.

I think the second point that is often overlooked is just dealing with this surfeit, this abundance of regulation. We have this interesting fact that we state, in that as financial regulatory professionals we have a textbook known as the pink book. It’s a compilation of all the relevant laws and regulations. And the interesting fact is that in 2008, sorry, [unclear 0:49:12] there are two of these books. 2008 there was a single one of these books, and the entire body of EU regulation was shorter than the EU credit requirements regulation, CRR, that governs regulatory capital. So dealing with the continuous flood of not just laws and regulations, those appear now to have slowed down, and in essence we’ve come out of the law making of the financial crisis.

But the guidance that’s issued, the speeches that are made, just finding a way to continue to collate that sensibly, and then to disseminate that information in an effective way to those who actually have to comply with it. I think that’s going to be the second thing that remains very important. And then the third thing, and sorry to repeat ourselves, comes back to ensuring that those standards aren’t just hard wired in the minds of the staff, but also find effective integration with the technology systems that are increasingly being put in place. To ensure that the technology, we talked about the operational risk, technology can actually deliver on those compliance solutions. So I think it’s those three things we’ve been talking about that will continue.

MARK MCCARTHY: And I would just add to that as well that I think 2019 will see audits of the technology that’s been put in place, of the procedures that have been put in place. I think that’s been a bit lacking in 2018. We expected it to happen; it didn’t come about, particularly not in the MiFID II space. And I think that’s largely due to Brexit and all the work that’s gone into that by the various staff of the FCA. But I think next year is very much going to be a focus on well have you really put the controls in place that you said you would? Have you put the procedures in place that we asked you to?

PRESENTER: Well unfortunately we are out of time, so I’m going to have to ask for your final thoughts, what you’d like the viewers to take away from this session. So why don’t you go first Mark?

MARK MCCARTHY: I think regulations are a good thing. I think that they’re here to remind us of the decency that we should apply when we do business with consumers and customers. I think because of the barrage of regulations that have come into place over the past few years there’s a bit of negativity around it; yet another piece of regulation coming down the pipe that I have to do something about. But they’re there for a good reason, they’re there for a good cause. Some of them are maybe a little bit overbearing, but I think the intention of the regulations is very much putting the customer at the forefront of corporate thinking today.

PRESENTER: And Andrew.

ANDREW HENDERSON: I think linked to that is really that when any regulatory professional in-house or external is confronted with regulatory questions, it’s about firstly taking a step back and saying why is this regulation in place? We always a purpose of approach. And then thinking very carefully what is the most appropriate way of addressing that? Addressing the concerns that the law makers have put in place, and the regulators. But at the same time not going further than we need to. And that may seem like an irresponsible observation to make, but certainly we say that regulation is necessary, but it mustn’t be so exorbitant that it’s going to kill business unnecessarily really through being over-defensive.

PRESENTER: Super, well Andrew and Mark, thank you.



PRESENTER: Well in order to consider the viewing of this video as structured learning, you must complete the reflective statement to demonstrate what you’ve learned and its relevance to you. By the end of this session you’ll be able to understand and describe an overview of regulatory changes in 2018, the role of technology in regulation and compliance, and what to expect and how to be best prepared for new regulation in 2019. Please complete the reflective statement to validate your CPD.