The post GDPR Compliance is now a board level responsibility first appeared on Complyport - Your Trusted Partner in Governance, Risk, Compliance & Technology.
| Of relevance to: | All FCA-regulated firms |
| Key date: | Applicable from 25 May 2018 |
The Financial Conduct Authority (“FCA”) has stated that compliance with the EU General Data Protection Regulation (“GDPR”) is now a board level responsibility, and that firms must be able to produce evidence to demonstrate the steps that they have taken to comply.
The FCA requirement to treat customers fairly is also central to both data protection law and the current financial services regulatory framework. When the FCA makes rules, it takes into account how such requirements will affect the privacy interests of individuals such as firms’ customers and employees.
The FCA recognises the need for discussions to ensure specific details of the GDPR can be implemented consistently within the wider regulatory landscape.
Accordingly, the FCA and the Information Commissioner’s Office (“ICO”) are working closely together in preparation for the GDPR; one example being a recent jointly hosted GDPR Roundtable with firms and industry bodies to listen to industry concerns.
While the ICO will regulate compliance with the GDPR, this is also something the FCA will consider under its rules. For example, the requirements in the Senior Management Arrangements, Systems and Controls sourcebook lay down obligations for firms to establish, maintain and improve appropriate technology and cyber resilience systems and controls.
The FCA and ICO have stated that they will continue to collaborate in the coming months to address concerns firms raise and support firms’ preparations for the introduction of the GDPR in May 2018.
The post Regulatory References Update first appeared on Complyport - Your Trusted Partner in Governance, Risk, Compliance & Technology.
In October 2015 the FCA launched a joint Consultation Paper (CP15/31) with the PRA on “Strengthening accountability in banking and insurance: regulatory references” – see Regulatory Roundup 69.
The consultation proposed introducing a new chapter in SYSC on ‘Regulatory References’ which would be referenced in the Approved Persons chapter of SUP (SUP 10C for ‘relevant authorised persons’) and SUP 10A (for firms that are not ‘relevant authorised persons’).
In its simplest form a ‘relevant authorised person’ is either:
For further information on the relevant authorised person regulatory framework please see the article on the Senior Managers Regime which is also in Regulatory Roundup 69.
The FCA has now released Policy Statement PS16/22 which contains the final rules on regulatory references (which will appear in SYSC 22).
Although the need for ‘regulatory references’ is specific to firms that are ‘relevant authorised persons’ (the new rules refer to a ‘full scope regulatory reference firm’, which also captures a Solvency II firm and a large non-directive insurer), it is important to appreciate that the amendments to SUP 10A mean that all firms are impacted by the proposals to a greater or lesser extent.
SYSC 22 will apply to both PRA and to FCA firms in that the latter will be required to provide references to the former in line with SYSC 22 i.e. in the scenario where an employee/ex-employee is moving into a PRA-regime firm.
We would draw firms’ attention to the need to:
The table on page 26 of PS16/22 may be useful in that it reminds both relevant authorised persons and FCA-only authorised firms of which aspects of the new framework apply to them.
The final rules in SYSC 22 can be found in Appendix 1 of PS16/22.
The rules, subject to the transitional provisions in TP 5, come into force on 7 March next year.
The post Regulatory References first appeared on Complyport - Your Trusted Partner in Governance, Risk, Compliance & Technology.
CP15/31 proposes the introduction of new SYSC Chapter 22 ‘Regulatory References’, which will be referenced in both SUP 10C (for ‘relevant authorised persons’) and SUP 10A (for firms that are not ‘relevant authorised persons’). Whilst largely addressed to relevant authorised persons, some elements will be applicable to all firms. As such, firms should ensure that their HR functions are aware of the proposed changes.
For further information on the relevant authorised person regulatory framework please see the article ‘Extension of Senior Managers Regime and Certification Regime’ in this Regulatory Roundup although, in its simplest form, a relevant authorised person is either:
For the record, SUP 10A will cover approved persons in appointed representatives of relevant authorised persons.
SYSC 22 introduces the concept of a full scope regulatory reference firm, a term which not only captures the above mentioned ‘relevant authorised person’ but also a Solvency II firm and a large non-Directive insurer.
When such a firm is considering permitting or appointing someone to perform a controlled function it must ‘take reasonable steps’ to obtain appropriate references from that person’s current or previous employers covering the past six years (SYSC 22.2.1).
The corresponding obligation, on all firms, to provide references is in SYSC 22.2.2 – note that where the firm providing the reference is a full scope regulatory reference firm then the information disclosed must be in accord with SYSC 22.2.5, regardless of whether or not the firm requesting the reference is a full scope regulatory reference firm. A template (see SYSC 22 Annex 1R) has been developed for use by a full scope regulatory reference firm (“should use”) even if the firm requesting the reference does not specifically ask it to use such a template.
The FCA provides guidance (SYSC 22.3.10 – 11) on some of the factors which the FCA considers full scope regulatory reference firms should take into account when determining whether older breaches may still be relevant; the section explains that other firms may find this useful as a guide.
Full scope reference firms should note that there is an obligation to revise references which have previously been given in certain circumstances (SYSC 22.2.6).
It is expressly prohibited for any firm to enter into any arrangements or agreements with any person that limit its liability to disclose information under SYSC 22 (SYSC 22.3.14).
Firms are reminded that any firm supplying a reference in accordance with SYSC 22 owes a duty under general law to its former employee and the recipient firm to exercise due skill and care in the preparation of the reference.
The consultation period ends 7 December 2015.