The Model Office Blog

More Compliance Chat

Sep 18, 2020 10:24:23 AM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk, Accountability, Platforms, PROD, Product governance, digital, Regulatory, Reporting, resilience, cyberrisk


Dear CEO. There, that made you tremble, didn't it? The FCA have been as active as ever this week and have produced directives that indicate the direction UK regulation is likely to take over the next few years. (Your compliance joke is at the bottom of this blog.)

First, we have the latest instalment in the FCA's gripping '5 Conduct Risks' series. Seriously, this is really good stuff, and although it focuses on the banks it applies to all retail investment firms too. This matters given the need to keep your Senior Managers and Certification Regime (SM&CR) certification process and staff conduct training on track.

The key messages are:

  • Despite significant improvement, there remains a lack of awareness, in-depth understanding and the ability to identify day-to-day conduct risks
  • Some firms have taken insufficient steps to ensure that personal conduct and behaviour contribute to their conduct objectives
  • Although most firms have clear escalation and whistleblowing channels, in practice these are largely unused and followed only in the most serious cases
  • Participants were often unclear about their firm's corporate purpose statements and how their own role and responsibilities contribute to them

The second issue is symbolic of the work regulators are doing around digitisation, in both FinTech and RegTech. This will become even more of a priority for them in the changed world created by COVID-19; remote audits spring to mind.

The FCA's digital sandbox, for example, goes from strength to strength. The latest pilot will enable innovative firms to test and develop proofs of concept in a digital testing environment around three use cases related to coronavirus:

  • detecting and preventing fraud and scams
  • supporting the financial resilience of vulnerable consumers
  • improving access to finance for small and medium-sized enterprises.

The FCA Dear CEO letter to professional Insurance Intermediaries shows the FCA believes the general insurance sector carries significant risks of potential customer harm, with the most significant risk within the intermediary portfolio being that of customers purchasing unsuitable or poor-value products. This is attributed to inappropriate sales tactics and insufficient or unclear information at the point of sale.

The letter highlights the importance of robust governance and controls, and the need to embed healthy cultures and behaviours within firms. The FCA will focus on these themes and the letter sets out some of the key related issues, such as bonus and incentive arrangements.

Finally, but not least, the FCA are sending yet another financial resilience questionnaire to advice firms (they're clearly concerned). At Model Office (MO®) we have made our Financial Resilience Diagnostic free of charge, so firms get heat-mapped dashboards and can assess the strength of their financial ratios and cashflow. You can sign up and download it for free here.

Your compliance joke:

“How many compliance officers does it take to change a light bulb?”

“Three. One to change it, one to check it and one to check it again and file a report.”

If you're interested in finding out more, you can book a demo of our software: click below to see MO® in action.


Cyber-crime: an IT or Regulatory Challenge?

Aug 13, 2020 3:27:34 PM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk, Accountability, Platforms, PROD, Product governance, digital, Regulatory, Reporting, resilience, cyberrisk


As we have seen with the COVID-19 pandemic, resilience is a key strategy and concern for the FCA. There are two key areas here: financial and operational resilience. What is often overlooked where operational resilience is concerned is cyber-crime.


In their recent paper, Cyber-security – industry insights, the FCA are clearly keen to ensure retail investment advice firms (RIAs) engage in good governance practice in this area.

The paper sets out some important strategies that can easily be applied across the business:


  • Governance and risk management: take a top-down approach and use an enterprise risk management approach to assess and monitor cyber-risks across business operations, technology and client service strategy
  • Keep it simple: move away from management speak and keep language and communications clear and concise
  • Cyber culture champions: appoint influential and experienced staff members to take responsibility for addressing cyber-risk
  • Think strategically: identify who might attack the business, where and how. Identify weak data management practices and understand the extent of cyber-crime networks across the UK and internationally
  • Link risk and controls: creating metrics and indicators for critical controls is imperative
  • Use existing standards: standards provide valuable frameworks distilled from good practice; consider the NIST Cybersecurity Framework, ISO/IEC 27001/27002, the CIS Controls (formerly the SANS Critical Security Controls), the NCSC's 10 Steps to Cyber Security, the NCSC's Cyber Assessment Framework for the NIS Directive, and Cyber Essentials


It is important to identify what you need to protect, so here the FCA provide some simple yet effective techniques that can easily be applied:


  • Consider what you know: the GDPR provides great guidance on data security, so leverage this to re-assess your systems and controls; identify what you don't know and find solutions fast
  • Take a holistic approach: too many businesses rely on a checklist, tick-box strategy, which creates silos. Firms need to think vertically and horizontally across all business activities, drawing on change management records, vulnerability scans, anti-virus management and other sources
  • Know who does what: identifying roles and responsibilities is a key requirement of the Senior Managers and Certification Regime (SM&CR), so make sure you know what each member of staff is responsible for, map it out, and re-assess how personal data for staff and clients alike is processed in line with the SM&CR and the GDPR as enforced by the ICO
  • Watch out for outsourcing: identifying and managing stakeholders can be difficult, so, again in line with the SM&CR and GDPR, any outsourced suppliers need to be managed carefully, particularly where they process personal data or carry related cyber-risks


So what can be done to ensure data is protected?


An effective cyber-risk strategy requires careful planning and the right tools and techniques:

  1. Invest in training: ensure all staff are aware of cyber-risk on an ongoing basis. We conduct plenty of anti-money laundering training, and as much of this activity has shifted online there is no excuse for not making cyber-crime awareness a mandatory annual training standard within your business
  2. Be aware of vulnerabilities: knowing your weaknesses and your digital footprint is essential to good research and due diligence in your cyber-risk strategy. Understanding the digital reach of your business (the systems, services and suppliers an attacker can see from outside) is equally essential
  3. Integrate cyber-security with change management: resilience is an essential compliance and business strategy, and it can be undermined very quickly by a cyber-attack, so building cyber-security into your change management process helps create a resilient structure
  4. Employ detection tools: as with the GDPR, run a systems check and keep a register so you are able to detect attempted attacks on systems and business services. This involves:
    1. Mapping roles and responsibilities (as under the SM&CR), identifying those with privileged access to data (including the data controllers accountable for it), monitoring system behaviour and applying the SM&CR Conduct Rules to user behaviour
    2. Designing logs that capture what happens to your firm's data and generating alerts on the events that matter
    3. Applying strict access controls to audit logs, so that a cybercriminal cannot delete or alter the traces of their activity; forwarding logs to a separate system the attacker cannot reach achieves the same end
  5. Respond and recover: be aware of emerging threats by participating in industry conferences and forums and learning from others. As with any resilience focus, firms will need to:
    1. Test and retest scenarios and your defences
    2. Define the business tolerance for recovery of systems (how long you can be without each system and how much data you can afford to lose)
    3. Learn lessons from any failures
  6. Use technology: identifying and applying the right technology helps both to thwart cyber-attacks and to respond swiftly to them.
    1. Use encryption; this could involve e-mail encryption services such as Origo's Unipass Mailock
    2. Back up regularly, and test that backups actually restore
    3. Keep services and software updated
    4. Use strong, unique passwords, and multi-factor authentication where it is available
    5. Audit using RegTech systems so you are aware of where the issues may lie before your manual audit process
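To make step 4 (employ detection tools) concrete, here is an added example that is not part of the FCA paper or of Model Office's own software. It runs two simple detection rules over a handful of constructed log lines (a login that succeeds after repeated failures from the same source, and a bulk export of client data by a privileged account) and then records each alert in an append-only audit log where every entry's HMAC covers the previous entry's HMAC, so that deleting or editing an earlier trace is detectable. The log format, the role map, the alert thresholds and the key are all assumptions made for illustration.

```python
# Added example, not FCA or Model Office code: log format, role map, thresholds and key are assumed.
import hashlib
import hmac
import json
import re
from collections import defaultdict

# Constructed sample events in a hypothetical 'ts kind key=value ...' format.
SAMPLE_LOG = """\
2020-08-13T09:01:12Z auth user=jsmith result=fail src=203.0.113.5
2020-08-13T09:01:19Z auth user=jsmith result=fail src=203.0.113.5
2020-08-13T09:01:30Z auth user=jsmith result=fail src=203.0.113.5
2020-08-13T09:02:02Z auth user=jsmith result=ok src=203.0.113.5
2020-08-13T09:06:03Z data user=dbadmin action=export table=clients rows=4200
2020-08-13T10:15:00Z data user=asmith action=read table=clients rows=1
"""
# Hypothetical "who does what" map: accounts with privileged access to client data.
PRIVILEGED_USERS = {"dbadmin": "database administrator, acting for the data controller"}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Parse one log line into a dict of fields; return None if malformed."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = {"ts": match["ts"], "kind": match["kind"]}
    for pair in match["kv"].split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event

def detect(lines, fail_threshold=3, export_rows_threshold=1000):
    """Rule 1: a login succeeds after >= fail_threshold failures from the same user and
    source (credential guessing). Rule 2: a privileged account exports a bulk of rows."""
    alerts = []
    failures = defaultdict(int)  # (user, src) -> consecutive failed logins
    for raw in lines:
        event = parse_line(raw)
        if event is None:
            continue
        if event["kind"] == "auth":
            key = (event.get("user"), event.get("src"))
            if event.get("result") == "fail":
                failures[key] += 1
                continue
            if failures[key] >= fail_threshold:
                alerts.append({"rule": "auth-success-after-failures", "ts": event["ts"],
                               "user": key[0], "src": key[1], "failures": failures[key]})
            failures[key] = 0
        elif event["kind"] == "data" and event.get("action") == "export":
            rows = int(event.get("rows", "0"))
            if event.get("user") in PRIVILEGED_USERS and rows >= export_rows_threshold:
                alerts.append({"rule": "privileged-bulk-export", "ts": event["ts"],
                               "user": event["user"], "table": event.get("table"), "rows": rows})
    return alerts

class AuditLog:
    """Append-only log: each entry's HMAC covers the previous entry's HMAC, so editing
    or removing an earlier entry breaks verification. Keep the key on the log collector."""
    GENESIS = "0" * 64

    def __init__(self, key):
        self._key = key
        self.records = []  # list of (json_body, hex_tag)

    @property
    def head(self):
        return self.records[-1][1] if self.records else self.GENESIS

    def _tag(self, prev, body):
        return hmac.new(self._key, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, payload):
        body = json.dumps(payload, sort_keys=True)
        self.records.append((body, self._tag(self.head, body)))  # head read before append

    def verify(self, expected_head=None):
        """Recompute the chain; pass the newest tag published off-host to also catch truncation."""
        prev = self.GENESIS
        for body, tag in self.records:
            if not hmac.compare_digest(self._tag(prev, body), tag):
                return False
            prev = tag
        return expected_head is None or hmac.compare_digest(prev, expected_head)

def run_example(key=b"example-collector-key"):
    """Run the rules over SAMPLE_LOG and chain every alert into an audit log."""
    alerts = detect(SAMPLE_LOG.splitlines())
    log = AuditLog(key)
    for alert in alerts:
        log.append(alert)
    return alerts, log

if __name__ == "__main__":
    alerts, log = run_example()
    published_head = log.head  # the tag you would copy off-host after each write
    print(alerts, "chain valid:", log.verify(published_head))
    log.records.pop(0)  # an attacker removes the first trace of their activity
    print("after tampering:", log.verify(published_head))
```

Two design points matter in practice. The chain only proves integrity to whoever holds the key, so the key must sit with the log collector rather than on the monitored host, otherwise an attacker who takes that host can simply re-sign the log. And a hash chain on its own cannot tell that the newest entries were cut off, which is why `verify` accepts the last tag published somewhere the attacker cannot reach; comparing against that anchor is what turns "the log is internally consistent" into "nothing has been removed".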

With cyber-crime on the rise in this pandemic, applying the strategy, tools and techniques we have discussed will go a long way towards making your business cyber-resilient.

