Operational Resilience, Cyber Security and Other Regulatory Focus Areas

INDOS has attended several compliance conferences and briefings over recent months. Common themes arising include the regulatory focus being applied to fund operational resilience, cyber security and manager and fund governance.

Operational resilience is currently being heavily tested by the extreme pressures on businesses resulting from the significant measures which have been implemented to tackle COVID-19.

Cyber security is becoming more challenging given the significant growth in cyber attacks and therefore the high level of disruption risk posed to markets and businesses.

Under the new Senior Managers Certification Regime (SMCR), which came into effect in December 2019, the FCA has delivered a clear message that senior management will be held accountable for weakness in procedures in these and other business areas.

It is important that firms document and stress test their contingency plans to deal with major events including assessment of operational risk and the firm’s ability to continue to operate effectively to serve and support their clients.

Away from the immediate operational challenges currently faced by firms, there are a wide range of other regulatory changes and areas of focus, including:

  • Product disclosure regulations come into force in March 2021, where there will be focus on sustainability and sustainability risk. Large firms will be expected to review the impact of their investments on the globe.
  • FCA review of implementation of research rules has shown most firms have a clean bill of health, however, FCA reviews are likely to continue into research and inducements.
  • Product and fund governance is another key area of focus as there are concerns that some products are not in the best interests of investors and also how product and fund governance and compliance responsibilities are being undertaken.
  • SMCR – the aim of which is to deliver a cultural transformation. The FCA can take action if they believe a firm has not taken reasonable steps to avoid a breach. The burden on a firm is greater now with the onus on certification staff to demonstrate their responsibilities through documentation and a proper audit trail. We are likely to see testing as the quality of firms’ statement of responsibilities varies across the industry. It is essential that there is a full firm buy-in to SMCR so that it is not just seen as a compliance project.
  • Compliance monitoring has moved away from being a tick box exercise, firms need to explain what effective controls they have in place for monitoring and documenting meaningful evidence to support the effectiveness of controls is key.

Good governance in firms is key in order to enable a firm to address these challenges.