The Model Office Blog

Remote working and managing compliance risk

[fa icon="calendar'] Aug 7, 2020 11:53:38 AM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, resilience

[fa icon="comment"] 0 Comments

One of the biggest concerns the FCA are banging on about is business resilience through the pandemic we face. It is clear that the regulator expects firms to take full accountability for their own governance, risk and compliance (GRC) affairs and align this with building systems and controls that will identify monitor, manage operational and financial resilience.

 

The pandemic has now brought a new way of working and with it the application of existing and new technologies that can streamline business management practices. With remote working the new norm, we also have challenges in ensuring our staff are aligned, engaged and also are happy, mental health is also a concern when we have to isolate and remove ourselves from the social interaction a workplace brings.

 

Enforcing regulatory compliance can be challenging enough when your workforce is in the office, but when dispersed this is a huge challenge.

 

So what can we do to ensure we keep our finger on the GRC pulse, encourage a resilient and positive working practice and culture?

 

  1. Communicate, communicate, communicate: Employing clear processes, systems and controls that engages all stakeholders is essential. This means everyone knows the risks and challenges faced but most importantly, how they are managed and the part they and others play. The Senior Managers and Certification Regime (SM&CR) is a huge help here, firms should already have their roles, responsibilities and delegation strategy mapped so everyone knows who does what, when and how
  2. The art of collaboration: The has never been a more important time to ensure your C-suite, compliance, operations, teams are working together around GRC. By streamlining working practices around remote working challenges and opportunities, this can enable effective and efficient identification of risks that can impact business resilience. We can also reduce admin and duplication and get the messages we need across quicker to staff and clients alike.
  3. Be security minded: Cyber-risks are on the up during the pandemic, so we have to ensure that operational systems and controls are in place to protect our business practices across, client communications, asset and document management and data security. Remote workers could be the ‘weakest link’ here, as they are working with new systems and technologies, so mandating specific cyber-risk proofed platforms such as back office, e-mail encryption and document protection will be crucial.
  4. Get onboard the same train: All staff need to be of the same understanding when it comes to compliance, resilience and risk management. So ensure you’re up-to-date with your training and competence programme, again the SM&CR and conduct rules training will help here
  5. Automate and streamline: Technology isn’t magic, but built and implemented well it’s a great enabler platform for your business to work more effectively around GRC, keeping staff engaged and happy and your business resilient across constant operational and financial risks.
Read More [fa icon="long-arrow-right"]

The FCA and Your Financial Resilience

[fa icon="calendar'] Jul 31, 2020 10:30:17 AM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, resilience

[fa icon="comment"] 0 Comments

The FCA’s Final Guidance assessing adequate financial resources places a specific spotlight on retail investment adviser firm’s (RIA’s) financial resilience. The minimum standards the regulator uses to protect consumers, reduce market disruption and minimise harm and assess firm’s sustainability are called threshold conditions.   

 

Threshold conditions and Financial resilience

The assessment of appropriate resources under threshold conditions considers:

  • the nature and scale of a firm’s business model
  • the risks to the continuity of the services provided
  • the impact of other members of the firm's group on the adequacy of its resources
  • To assess if a firm has adequate financial resources, we consider if a firm:
  • has the ability to meet its debts when they fall due
  • For firms, other than those with limited consumer credit permissions, we also consider if a firm has:
  • taken reasonable steps to identify and measure its risks
  • appropriate systems and controls and human resources to measure risks prudently at all times
  • access to adequate capital to support the business, and that client money and custody assets are
  • not placed at risk
  • resources which are commensurate with the likely risks it faces

With a pandemic to manage through, the FCA are obviously concerned at firm’s who sit outside formal prudential standards for adequate financial resources, for instance Internal Capital Adequacy Assessment Process (ICAAP) requires banks boards to regularly assess and mitigate risks and ensure adequate financial capital is retained to manage these risks.

 

So, we now have a framework that requires RIAs to implement and evidence Governance, Risk and Compliance (GRC) strategy to assess and manage across:

 

Systems, controls, governance and culture:  Here the FCA are interested in conduct i.e. behaviours that drive good outcomes across the firm’s purpose, competent leadership, staff competence and incentives. Plus, employ sound risk management across systems and controls such as whistle blowing or complaints handling. What drives all this is individuals accountability and responsibility, something RIAs should have addressed under the Senior Managers and Certification Regime (SM&CR)

 

RIAs are also now expected to employ a system to identify, monitor and manage risks and employ a quantified risk appetite strategy which is communicated, understood and followed across the firm. Policy and procedures are then required to ensure the risk function is resourced, has appropriate controls, manage conflict of interests and outsourcing risks.

 

Identify and assess the impact of harm: Here RIAs should place a specific focus on conduct and competence, ensuring the right people are in the right place with the right skills and responsibilities. Firm’s need to ensure they can compensate consumers for losses and thus the issue of the Financial Services Compensation Scheme (FSCS) and ability to fund applies here. It’s worth noting that the majority of payments made by the FSCS is against solo regulated firms are those firms not subject to detailed prudential standards discussed above.

 

Continuity of service is also a key area and thus RIAs need to evidence investment in people, processes, systems and controls. Advice suitability is front and centre here, particularly around pension transfers for example.

 

Monitor and manage the potential depletion of financial resources: As I have written extensively on the need for RIAs to balance their charging strategy and move away from the industry wide reliance on ad-valorem charging to client paid fees, the issues we have witnessed during adverse market conditions such as the financial crises and current Covid19 means that there is a risk of depletion of income that can adversely affect the firm’s financial stability. Firm’s need to keep clients close, box clever and shift a percentage of fees to direct charging. This can stabilise cashflow in the short and long term.

 

Business model strategy and sustainability: Whenever I speak at public events, I tend to ask the question how many firms have a bonafide 10-year busines plan. Very few put their hands up! Just as it is so important for clients to have a long-term financial plan, RIAs need to employ a strategic plan that can ensure strengths, weaknesses, opportunities and threats are covered, stress testing is in place and all staff are aligned to this company strategy. This will ensure the FCA have confidence is RIA ability to manage financial resilience across the business and their client needs.  

 

Wind down planning:  Preparing for worst case scenarios is crucial, after all, it is those adviser firms who ensure their clients have adequate life insurance who are providing a holistic service, so RIAs also need to ensure that their business strategy incorporates their own demise if this is an unavoidable outcome of the pandemic.

 

How can firms deal with all this?

 

We need to avoid overwhelm and ensure firms continue to conduct the good work they are doing, so here we would argue that risk diagnostic assessments can help to ensure GRC strategy incorporating operation and financial resilience activities.

 

So, employing technology is a good start, this can ensure RIA’s gain specific management information and data to ensure their business resilience strategies are aligned to their rules and also to their clients and stakeholder needs. At Model Office for example, we have made our Financial Resilience Diagnostic free of charge so firms gain heat mapped dashboards and assess the strengths of their firm’s financial ratios and cashflow. You can sign up and download it for free here.

 

We have also developed an Action Tracker, Compliance Diary system that allows firms to automate audit actions and provides alerts to ensure stuff gets done and identify, manage and monitor risks.

Read More [fa icon="long-arrow-right"]

The FCA, The SM&CR and COVID19

[fa icon="calendar'] Apr 23, 2020 2:21:26 PM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAMR, MiFIDII, SMCR, Data, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, HRD, PII, Pandemic, COVID19, resilience

[fa icon="comment"] 0 Comments

The FCA and Prudential Regulatory Authority (PRA) have released a joint statement for dual regulated firms outlining its expectation for firms during the COVID19 pandemic. The FCA have also released a statement on solo regulations showcasing a flexible approach.

Here we cover the FCA statement on expectations for solo-regulated firms:

  1. Senior Management Responsibilities: In relation to risk responsibilities, Senior Managers (SM’s) should now consider;
  • Where the current situation might lead to emerging risks
  • How it effects existing risks along with controls used to manage them
  1. Statements of Responsibilities and ‘significant changes’ to Senior Manager responsibilities: The FCA are concerned with SM absences or change in SM responsibilities due to the pandemic. The good news is the FCA are adopting a flexible approach here and does not intend to enforce the requirement to submit updated Statements of Responsibilities (SoRs) if the change:
  • Covers multiple sicknesses, temporary changes in responsibilities due to the pandemic
  • Is expected to revert to the firm’s previous arrangements and are temporary

What does not change is the requirement for documenting allocations of responsibility (including temporary) to ensure all are aware of everyone’s responsibilities. It is also deemed good practice for firms to keep a record (running commentary) of the SM roles and responsibilities something SYSC 2.1 requires already i.e. clear on where responsibilities lie and business affairs are monitored. Finally firms should update the FCA on any SMs who are furloughed through this pandemic.

  1. Temporary arrangements for Senior Manager Functions:
  • Firms can notify the FCA if they need to modify the 12 week rule (which allows an individual to cover a SM without being approved where the absence is temporary/reasonably unforeseen and the appointment is under 12 weeks) if temporary arrangements last longer than 12 weeks to a maximum of 36 weeks.
  • Temporary roles and responsibilities still need to be documented
  • Prescribed Responsibilities (PRs) can be allocated to the individual taking the temporary role (rather than only to another approved SM)
  • Firms should still allocate a role to the most senior individual available
  1. Furloughed staff: The FCA issues a key workers in financial services statement, which stated individuals captured by the Senior Mangers Regime (SMR) maybe considered key workers. It now recognises that some SM’s maybe furloughed if unable to fulfil responsibilities (due to illness, caring for others or no current practical responsibilities):
  • A furloughed SM will retain their approval (unless permanently exiting) and not require re-approval by the FCA upon return
  • The firm is still responsible for the SM fit and proper status
  • If SYSC 26 (overall responsibility rule) applies, the firm should re-allocate responsibilities to another SM.
  • PRs should be re-allocated to another SM
  • Required functions (SMF16 Compliance SMF17 Anti Money Laundering) should be furloughed as a ‘last resort’. If replaced and temporary the firm can use the 12-week rule to arrange cover. Firms should ensure that any allocation is appropriate and complies with FCA rules (e.g. an oversight role cannot be allocated to an executive)
  • It is important to note that other SMFs are not mandatory and thus firms have flexibility to furlough individuals performing them.

So, it is imperative firms keep their eye on the compliance ball during this pandemic and indeed know that the FCA are building in flexibility to ensure firms have the best opportunity to continue to comply and compete.

...Live Long and Prosper...Keep well and stay safe 

Read More [fa icon="long-arrow-right"]

The FCA and COVID19

[fa icon="calendar'] Apr 3, 2020 11:02:42 AM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAMR, MiFIDII, SMCR, Data, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, HRD, PII, Pandemic, COVID19, resilience

[fa icon="comment"] 0 Comments

With the on-going need for firms to continue to comply and compete, it’s worth focusing on the FCA measures and strategy taken to gain insight into what measures firms need to apply during these trying times:

Financial Resilience:

Operational resilience (we cover this in our next live webinar Thursday 9th April 14:00) is a key focus for the regulator and sits as one of the 8 main areas for regulation in its 19/20 business plan. Saying that it wants ‘firms to continue operating during this challenging  period’ the FCA confirmed it intends to ‘provide flexibility to regulated firms to ensure this’. Its expectations cover:

  • Firms that have been set capital and liquidity buffers should use them to support the continuation of the firm’s activities. 
  • Firms should plan ahead and ensure the sound management of their financial resources. This might include using government schemes designed to help firms through this period to meet debts as they fall due.
  • If a firm needs to exit the market, planning should consider how this can be done in an orderly way while taking steps to reduce the harm to consumers and the markets.

SM&CR Responsibilities:

The FCA do not require a single senior manager responsible for coronavirus response.

  • SMF24 operational resilience comes into focus
  • SMF1 or most relevant staff member need to take responsibilities for key workers

Dear CEO letter:

Oh yes we have another one, but a good one! Here the FCA want to address some long overdue issues some of which make complete sense for the retail investment advice sector;  

  • Flexibility across client identify verification;
    • Accept scanned documents (PDFs)
    • Accept client selfies or videos (Social media eat your heart out) We would add linked in profile to verify professional status
    • Due diligence on ‘other’s e.g. bank account provider, agreements to access data
    • Use commercial providers
    • Additional data to triangulate evidence such as IP addresses, phone numbers
    • Verification of email/ physical address via electron codes
    • Seek additional verification once self-isolation measures lifted
  • Flexibility over 10% depreciation notification (until end September) No action taken:
    • If firm has issues at least one notification within a current reporting period
    • If a firm provides general updates (which firms doesn’t?)
    • If a firm decides to stop reporting to professional clients only

So plenty of good stuff, firm’s will really benefit from such relaxation of measures but should ensure they’ve got their finger on the governance, risk and compliance pulse.

...Live Long and Prosper...Keep well and Healthy 

Read More [fa icon="long-arrow-right"]

Subscribe to Email Updates

Recent Posts