Online Platforms: “Walking” the line between legal and financial services compliance (Part 4 of 5)

Systems and Control

FCA-authorised firms must have appropriate systems and controls in place taking into account the nature, scale, and complexity of the business. This creates numerous obligations, primarily relating to:

• senior management arrangements;
• policies and procedures;
• record keeping; and
• regulatory reporting.

FCA-authorised firms must have in position at least two senior managers, a compliance officer and a money laundering reporting officer (although one person may hold multiple positions).

Any person carrying on a “controlled function” (such as those functions mentioned in the above paragraph) currently fall within the “approved persons” regime and so need the FCA to approve that they are “fit and proper” to carry out their roles. The FCA’s “fit and proper” test considers a candidate’s honesty, competence and capability and financial soundness. The approved persons regime also establishes duties for approved persons, such as ongoing training obligations.

The FCA is implementing the new “senior managers and certification regime” (“SMCR”) to replace the “approved persons” regime. SMCR requires certain senior managers to be approved by the FCA and other members of staff in significant harm functions to be “certified” by firms as having all adequate skills to fulfil their roles. The SMCR is already in force for banks and insurers, and will be extended to all other solo-regulated (i.e. not also PRA-regulated) firms as of 9 December 2019.

FCA-authorised firms are also required to have certain policies and procedures in place to govern the business of the firm. These will vary depending on the nature of the business carried out at that firm but will include:

• a compliance manual – setting out the measures, policies and procedures in place and operated by the firm to achieve compliance with financial services laws (e.g. anti-money laundering legislation) and FCA rules;
• a compliance monitoring programme – setting out the tests a firm will use to establish if it is compliant with its compliance manual; and
• a business continuity plan – setting out how the firm will continue to provide services to its customers should it face a “disaster” scenario (e.g. cyber-attack or insolvency).

Firms are obliged to keep records of their matters and dealings with customers and other information, such as suitability assessments, conflicts of interest, and outsourcing arrangements. Obligations vary depending on the type of business carried out by the firm, for instance, firms executing transactions on behalf of clients must keep records of execution orders. There are also time limits setting out the length of time for which each type of record must be held at a minimum.

Firms are obliged to inform the FCA of both:

• certain events on an event-driven basis; and
• general details of their business on an annual basis.

The event-driven obligations require the FCA be notified when a firm discovers an issue relating to its activities or personnel that the FCA ought reasonably to be informed about, such as an event which would significantly adversely affect the reputation of a firm. The FCA has additional specific rules relating to certain events, such as the hiring of a new “approved person” or a change to a person who “controls” the firm.

The FCA’s reporting system, “GABRIEL”, requires firms to update the FCA about their business by providing information including (but not limited to) product sales data, capital adequacy, and other financial information.

As published in Butterworths Journal of International Banking & Financial Law, June 2019.

Part 1 │ Part 2 │ Part 3 │ Part 4 │ Part 5