Purpose
1.This article rounds up some of the key recent developments in UK financial services that may be of interest to clients.
IOSCO Report on Market Outages
2. The International Organization of Securities Commissions (IOSCO) has published its final report on market outages. The report has involved two years of research. It is focussed on equity trading venues, but it makes recommendations which will be of relevance for other trading venues, such as derivatives trading venues. The key recommendations are that trading venues should:
a. Maintain and publish an outage plan. This might include the communication plan, reopening strategy, the arrangements for operating a closing auction and the methodology for providing the market with alternative closing prices;
b. Implement a communication plan, setting out how notices will be published and through which channels, and how updates will be made to all market participants;
c. Communicate information relevant to the reopening of trading in a timely and simultaneous manner to all market participants, providing clarity on the status of orders and ensuring an adequate period of notice before the resumption of trading;
d. Ensure the processes and procedures that trading venues will follow to operate a closing auction and/or to establish alternative closing prices are published in the outage plan and communicated to all market participants during an outage; and
e. Conduct and share with the relevant regulators a lessons-learnt exercise of the market outage and adopt a post-outage plan, with clearly defined timelines and allocation of responsibilities for remediation, designed to reduce the likelihood of future incidents and to improve the ability of the trading venue to effectively respond to outages.
3. Although the IOSCO recommendations are not directly binding on trading venues, regulators will no doubt be keen for trading venues under their supervision to implement them in due course. The FCA has previously stated during its Wholesale Markets Review that it will publish guidance, or will encourage industry to develop guidance, on market outages but has been waiting for IOSCO to publish its report.
4. If you are a market participant looking to become a member of a trading venue, you may consider asking to see the trading venue’s outage plan as part of the onboarding process (if it is not already published).
DORA
5. The financial services industry appears to be waking up to DORA. There are only six months to go before the January 2025 implementation deadline, so there is much to be done in a very short timeframe. The following RTS / ITS / guidelines are due to be published on 17 July 2024:
a. RTS on sub-contracting ICT services supporting critical or important functions;
b. RTS on major ICT-related incidents and significant cyber threats reporting;
c. ITS on reporting details for major ICT-related incidents;
d. RTS specifying elements of threat-led penetration testing;
e. Guidelines on estimation of aggregated costs /losses caused by major ICT-related incidents;
f. Guidelines on cooperation of ESAs and competent authorities regarding DORA oversight;
g. RTS on harmonisation of oversight conditions; and
h. RTS on composition of joint examination team.
6. Some of the challenges we have seen for clients so far include:
a. Scope and impact: working out which financial entities within a group are in-scope, and also working out which are ICT services and which are ICT service providers. The broad definition of ICT services has been a major challenge for firms: it is not just traditional IT providers who are caught; data providers are included within scope, for example.
b. Gap analysis: this is an important part of the implementation process for DORA. Many financial entities will meet large parts of the DORA requirements already, but will still need to undertake a rigorous gap analysis to ensure that all applicable rules are captured, and the necessary changes implemented in time.
c. Repapering: once financial entities have defined the scope, undertaken a gap analysis, and identified the relevant ICT service providers, they will likely have a significant repapering exercise to meet all the DORA requirements. This will require extensive and time-consuming engagement with ICT service providers, including on sub-contracting.
d. Reporting: financial entities will need to make changes to their processes to notify regulators of major ICT incidents.
e. Critical and important functions: financial entities will need to determine which of their functions are critical and important (CIFs) and why. For CIFs, there are a number of obligations which need to be taken into account, including additional elements to include in contractual arrangements, a policy on contractual arrangements on ICT services supporting CIFs, monitoring the chain of subcontracting, recording subcontractors in DORA register, regular review of risks by the management body, appropriate annual testing, additional reporting to regulators, and additional scrutiny under the ICT risk management framework.
Consumer Duty
7. The deadline for implementation of the Consumer Duty for Closed Products is 31 July 2024. The FCA defines a closed product as one with existing contracts with retail customers that were entered into before 31 July 2023, and which is not marketed or distributed to retail customers (including through renewals) on or after that date.
8. The FCA have published various Dear CEO letters for different sectors, including asset management, consumer finance, consumer investments, life insurance, retail banking and all other firms, ahead of the deadline.
FCA Fines HSBC for Failures in Treatment of Customers
9. The FCA has fined HSBC UK Bank plc, HSBC Bank plc and Marks and Spencer Financial Services plc (HSBC) £6,280,100 for failures in its treatment of customers who were in arrears or experiencing financial difficulty.
10. Between June 2017 and October 2018, HSBC failed to properly consider people’s circumstances when they had missed payments. This meant it did not always do the right affordability assessments when entering arrangements with people to reduce or clear their arrears. Sometimes it took disproportionate action when people fell behind with payments, which risked people getting into greater financial difficulty.
11. The failings were caused by deficiencies in HSBC’s policies and procedures and the training of their staff, as well as inadequate measures to identify and address instances of unfair customer treatment.
12. In 2018, HSBC identified that there were issues with their handling of customers in financial difficulty and notified the FCA. HSBC invested £94 million in identifying the issues and putting them right. HSBC also issued redress payments totalling £185 million to over 1.5 million customers.
About Cambitas
13.Cambitas offers legal and consultancy services in the areas of financial markets regulation, enforcement and ESG.
14.For more information, see www.cambitas.com.
15.If you’d like to discuss any of the above, or need assistance on any of the areas we cover, please contact tom.hine@cambitas.com.
Opmerkingen