The AR regime has been in place for many decades and its use has evolved to cover activities and business models not initially envisaged.
Two FCA reviews of the general insurance and investment management sectors identified several AR regime compliance weaknesses. Additionally, the Greensill Capital report pointed out that the level of oversight by principals was sometimes insufficient and the activity carried out by Greensill did not match the types of limited activities that the AR regime was intended to cover. This has prompted the FCA to look more closely and consider reforms to the regime, leading to the consultation paper that looks at two areas:
The FCA is looking to enhance the AR regime through new requirements and guidance. These changes are in line with the regulatory focus on SM&CR, board responsibility, third-party oversight, Consumer Duty, and collecting additional information to support its data strategy.
A lot of the new requirements will apply to ARs and introducer appointed representatives (IARs); however, the FCA has considered the risk associated with IARs and carved out some requirements for IAR relationships.
Provision of additional data
Firms would be required to provide more information when notifying the FCA of a new appointment and for existing ARs. By collecting this data, the FCA is seeking to understand firms’ business models and the potential risk of customer harm and to market integrity.
The data to be provided would include detailed information on the purpose of the AR relationship, the AR’s regulated and non-regulated business, revenue (annual reporting), the regulated activity they will carry out, the type of customers they will deal with, remuneration structure, and complaints at an individual AR level (annual reporting). The information related to the regulated activity will be used to populate the Financial Services Register.
Firms would be required to check the accuracy of their AR details in the Financial Services Register on an annual basis and attest to the accuracy of the information.
Firms would also be required to submit a regulatory return on ARs’ revenues and complaints every year.
Firms are likely to have access to the information required by the regulator. However, it might not be held in a format that readily supports easy reporting, the additional notification requirements, and the short timeframes.
These changing obligations may raise challenges for principals and appointed representatives.
The firm would have to notify the FCA of any significant changes they are planning with the AR or within the AR before the change is effective. The proposed timeframe to notify some changes may be up to 10 days prior to the change being implemented. This could be challenging for larger organisations, where AR governance and strong relationships with ARs will be key to compliance.
Firms intending to begin carrying out regulatory hosting will have to notify the FCA at least 60 days prior to starting to provide such services. This area is subject to further discussion as mentioned below.
Enhanced due diligence and oversight requirements
Firms have to assess their ARs prior to entering a relationship (current requirement), at least annually afterwards, and where significant changes occur. Governing body review of the outcome of the risk assessment is expected for new relationships and significant changes. The level of oversight is increasing, with a focus on the AR’s senior management competency and expertise, the AR’s span of control, the principal’s controls and resources to appropriately oversee the AR, management of potential conflicts of interest, and customer harm risk assessment. These elements will have to be covered in each AR annual review.
Firms would have to carry out an annual self-assessment of their compliance with the AR regime. The assessment will have to be reviewed and approved by the governing body. This approach is similar to the MLRO and PROD annual reports. The self-assessment will have to be made available to the FCA upon request.
The FCA is also proposing to enhance and include guidance on:
The FCA is opening a discussion on regulatory hosting. Regulatory hosting is where a firm oversees the use of its permissions by ARs, instead of carrying on any substantive element of regulated activity itself.
The FCA has identified that firms providing such services have on average more complaints and supervisory cases, increasing the risk of customer harm. Some of these firms’ size is also disproportionately small compared to the size of ARs overseen, which raises questions over their capacity to appropriately manage their ARs and conflicts of interest.
The FCA wants to introduce a definition of regulatory hosting that would apply to all regulated firms and is seeking feedback on a few options on how to address the above. Three options have been put forward that will restrict the provision of regulatory hosting: prohibiting such practices, limiting the size of ARs, or limiting the regulated activities to be undertaken by ARs.
While these options are likely to address the concerns, they could be very detrimental to competition, making entry to financial services more costly and complex, reducing innovation, and damaging customers by reducing product offerings. The FCA recognises that transition periods would be required if it were to retain any of these options. However, there is no clarity on such a timeframe at this stage.
The FCA also proposes approval options focused on obtaining the FCA’s consent prior to providing regulatory hosting services, being a smaller principal with a larger AR, or complying with additional requirements. The FCA has already included a notification requirement in the change proposal above; however, it does not require firms to obtain consent at this stage.
Considering the new data requirements and the obligations to notify the intent to start providing regulatory hosting, the FCA should be able to identify high-risk potential and actual AR relationships and seek clarification from firms, where required. These more flexible options will avoid the risks associated with the restrictive options, whilst protecting customers and market integrity by enabling enhanced supervisory scrutiny of higher-risk principals.
Firms and ARs should assess the level of impact of each option on their business model and their customers. Preparing for all scenarios will allow firms to make decisions sufficiently early to mitigate customer harm and market instability.
Firms should consider all potential scenarios. You must assess any gaps and think about how you will respond to new requirements. While the principal is accountable to the FCA, it will be important for firms to engage with ARs and vice versa to streamline compliance. Governance and policies will have to be updated and embedded into the organisation. Additionally, agreements with ARs will need to be amended.
Evaluating how firms will gather information from existing ARs will be key, looking at how they will move to an enhanced annual review of all ARs and IARs. This should include thinking about how to manage annual self-attestation processes that must be sufficiently detailed to enable the governing body to understand and assess if the firm complies with the new regime.
You should also consider how to integrate AR regulatory oversight into the existing governance framework and senior management accountabilities.