Financial services, regulation and ethics

In the last chapter we examined...

Shortened demo course. See details at foot of page.

...or complaints and compensation.

It is against the law under s.19 of the FSMA 2000 to carry out a regulated activity unless the person is authorised or exempt. This rule is referred to as the ‘ general prohibition ’. Authorised persons can only undertake the activities for which they have specific permissions.

Firms require authorisation if they undertake regulated business in the UK. If they had been authorised under former Acts, prior to FSMA 2000, the authorisation continued for the same activities. However, firms that were authorised under the Financial Services Act 1986 by a recognised professional body had to reapply for authorisation. Approved persons performing a controlled function in the business must also gain authorisation.

Any new firm wishing to carry out regulated activities or any firm which wishes to undertake a new regulated activity must apply for authorisation.  No business can be transacted until the authorisation has been received and the FCA has the power to refuse the application.  Where an application is refused, an appeal can be made to the Upper Tribunal (Tax and Chancery Chamber).

A breach of s.19 may be a criminal offence and punishable by a maximum of two years' imprisonment and/or a fine.

Regulated activities

Regulated activities can vary depending on the type of organisation and the business activities they carry out. The activities and specified investments are listed in the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO). The regulated activities are detailed in Part II of the RAO and are:

Banking

Accepting deposits

Issuing e-money

Insurer

Effecting or carrying out contracts of insurance as principal

Assisting in the administration and performance of a contract of insurance

Insurance intermediary

...

Shortened demo course. See details at foot of page.

... the regulator will write to the firm confirming their authorisation and will enclose the Scope of Permission Notice detailing the authorisation limits.

Change of legal status

Where a firm is already authorised but wishes to change their legal status, e.g. from a partnership to a limited company, they must reapply for authorisation as a new entity.

Responsibilities of regulated firms

Authorised firms are responsible for the conduct of all their employees, agents and ARs. The firm must ensure that all those for whom it is responsible comply with the requirements of the FSMA 2000 and the rules made under it.

All firms must have systems in place to manage the risks they are subject to, which will vary depending on the type of business they conduct and include the ‘capital adequacy rules’. 

All individuals carrying out senior management functions (or controlled functions in non-SM&CR firms) must be approved by the regulator. However, the rules do permit temporary performance of these functions for up to 12 weeks in a year without approval, to cover for illness and holidays.

An authorised firm is responsible for the advice given by its representatives, and if such advice is in breach of any of the rules, the firm must provide the client with compensation for any loss they sustained as a result.

All firms must also have systems in place to manage the risks they are exposed to, which will vary depending on the types of business they carry out.

Most authorised firms, and especially investment firms have a compliance officer , normally assisted by a compliance department, to ensure that the extensive rules are continually complied with.

Explain what is meant by the ‘general prohibition’ rule.

Answer : Purchase course for answer

Following recommendations from the Parliamentary Commission on Banking Standards, the Financial Services (Banking Reform) Act 2013 was passed, which introduced new rules on individual accountability.

Prior to the introduction of this regime, it was easy for individuals to ‘pass the buck’ when something went wrong, as there was no clear accountability. The new rules make it easier for firms and regulators to know who is responsible for what. Crucially, if things go wrong under SM&CR, senior managers are held accountable if they are at fault for misconduct that falls within their area of responsibility, not just their own personal misconduct.

SM&CR is intended to improve corporate governance, demonstrate clearer accountability for decision making, and ensure firms cannot rely on collective board responsibility. It aims to encourage a culture of staff at all levels taking personal responsibility for their actions and makes sure that firms and staff clearly understand and can demonstrate where responsibility lies.

It helps to identify the key figures running the firm and gives the FCA a basis upon which to take enforcement action against the appropriate individuals when problems occur.

One very important change is that SM&CR places the responsibility of authorising those who occupy significant harm functions (e.g. investment advisers) on the firm rather than the FCA. This is the ‘certification’ part of the regime.

SM&CR applied to banks and insurers from March 2016 and to FCA solo-regulated firms (adviser firms) from December 2019, and consist of three parts:

The Senior Managers Regime (SMR)

The Certification Regime (CR)

The Code of Conduct contained within the FCA Handbook (COCON)

Application of SM&CR - fi...

Shortened demo course. See details at foot of page.

...ould be ‘grandfathered’ into SM&CR by firms submitting a notice to the FCA.

The list of Certification functions can be found in the Senior Management Arrangements, Systems and Controls part of the FCA Handbook at this link .

Paraplanners

FCA rules provide firms with flexibility to exercise their own judgement as to whether a particular paraplanner requires certification, depending upon their rules and duties.

The Directory

Firms are required to report the names of individuals performing Certification Functions to the FCA for publication in The Directory, including all directors and senior managers, all fit and proper individuals, and other people who undertake business with clients for which a qualification is required.

The Directory includes the certified individual’s name, employer, permitted regulated activities, individual reference number, start (and end) date, sanctions, locations and memberships of accredited bodies.

Certificates

Part of the Certification Regime is the issuing of certificates to certified individuals by their employer.

The Conduct Rules (COCON)

These rules apply to all staff - senior managers, risk-takers, supervisors of risk-takers and back-office staff, with a few exceptions (cleaners, caterers, etc), and all of these people must be aware of their responsibilities in this regard. They are basic standards of good conduct, breaches of which could result in a formal written warning, suspension, reduction in salary or even dismissal and recovery of salary.

All breaches must be reported to the FCA within 7 days of disciplinary action being decided. Furthermore, firms are required to submit an annual report to the FCA of breaches, which is still required even if there are no breaches to report.

We have already established that an appointed representative (AR) is exempt from authorisation if it has a contract with a principal. Where the principal is a MiFID scope firm, the principal is known as a tied agent.

Appointed representatives are only permitted to carry out the following:

Advising on investments and arranging deals in investments

Where an AR is an introducer-appointed representative (IAR), they are only permitted to make introductions and distribute advertisements on behalf of the principal

ARs are not permitted to hold client asset...

Shortened demo course. See details at foot of page.

...ed representatives

New rules introduced in 2022 are intended to prevent the conduct of appointed representatives undermining safe market operations. Principals must assess the competence of individuals who with AR status, and ensure ARs have adequate systems, controls and resources. They must monitor the risks that any ARs pose to customers in the same way as they exercise oversight over their own activities, reviewing their activities and their senior management annually, and making it clear under what circumstances the AR relationship would be terminated.

This regime - the Approved Persons Regime - no longer applies to banks, building societies, insurers or financial adviser firms. They are all now subject to the Senior Managers and Certification Regime (SM&CR) discussed above. The Approved Persons Regime continues to apply to non-SM&CR firms and to appointed representatives so, for now at least, the Approved Persons Regime runs alongside SM&CR.

It is important to be aware of the difference between an authorised person and an approved person. An authorised person is the business that carri...

Shortened demo course. See details at foot of page.

...nder the Approved Person’s Regime, directors, heads of compliance, heads of internal audit, other senior managers, partners, etc (significant influence functions), and those dealing with customers in the above roles (customer functions) must all be individually registered with and authorised by the appropriate regulator, giving it the powers over the firm as a whole as well as certain individuals who work within it.

What are the two types of significant influence functions under the Approved Persons Regime?

Answer : Purchase course for answer

Under the Conduct of Business Rules, the timescales are defined for record-keeping for different types of firm.

Indefinitely -  for pension transfers, pension opt-outs and Free Standing Additional Voluntary Contributions (FSAVCs).

Five years -  for life policies and pension contracts. Note that records of financial promotions for these products must be kept for six years .

Five years – in most other cases, although non-MiFID firms are only subject to a three-year requirement in some circumstances, for example, suitability reports for products not mentioned above.

Reporting and notifications

Firms are required to keep the FCA up to date with developments. Regular returns must be made showing:

Details of shareholdings and the control of limited companies

Information about people and organisations with which the business has cl...

Shortened demo course. See details at foot of page.

...

Changes to core information should normally be provided with reasonable notice, such as changes of name, address or legal status

If a firm finds that it has mistakenly given incorrect information to the FCA, the regulator should be notified immediately

The FCA is required under legislation to notify a person who is the subject of an investigation by its officers. The notification must advise the person of the reason for the investigations and the provisions under which the investigator has been appointed.

Exceptions to this requirement apply where the investigation is in connection with insider dealing, market abuse or misleading statements as well as breaches of the restriction of financial promotion or promoting collective investment schemes.

For how long must a firm retain records of non-MiFID-related complaints?

Answer : Purchase course for answer

The training and competence rules apply only to retail business, both MiFID and non-MiFID, but are recommended as good practice for non-retail business. The rules are designed to ensure that employees of firms are competent for the work they do and continue to remain so, with regular reviews of competency being carried out.

Recruitment

The firm must consider the knowledge and skills of new staff relative to their roles within the organisation. Specifically, it must find out about the recruit’s past roles and experience. This is likely to include:

Matching the recruit’s knowledge and skills to the job description of the role

Assessing the knowledge and skills abilities of the new member of staff

Checking and verifying references and qualifications

When recruiting for certified or senior management role, a firm must follow the rules and guidance in SYSC 22 and SYSC 22 Annex 1.

Attaining competence

Firms must not let employees carry out an activity or oversee it u...

Shortened demo course. See details at foot of page.

... be kept for:

At least three years for non-MiFID and five years for MiFID firms from the end of the employee’s appointment

Indefinitely for all pension transfer business

In this context, an employee includes self-employed representatives and appointed representatives and their employees.

T&C reporting

A firm must notify the FCA if an adviser is no longer considered competent or has failed to pass the appropriate examination within the prescribed time limit. It must also tell the FCA if an individual has failed to comply with COCON (or observe the Statements of Principle for Approved Persons in the case of non-SM&CR firms and Ars) or has carried on a regulated activity for which he or she has not demonstrated competence.

Under SM&CR, reporting is required annually, but the regulator would expect to be informed immediately of serious breaches.

What can a trainee adviser do if they have not yet been deemed fully competent?

Answer : Purchase course for answer

It is often hard for criminals to use funds gained from criminal activities openly, especially if they are carrying out monetary transactions where they can be questioned as to where the money came from. To enable them to use the proceeds of illegal activities without their original source being detected, they will resort to money laundering. The process will also attempt to make the funds appear perfectly 'clean', with an apparently legitimate reason for their existence.

One definition of money laundering is “the process by which criminals convert the proceeds of illegal activities into legitimate funds”. Examples of crimes heavily associated with money laundering include drug trafficking and terrorism; however, the illegal proceeds could be from virtually any other activity.

There are several forms of money laundering and it is an international problem, which can affect all industries. Nobody can accurately identify the financial scale of the problem of money laundering in the UK economy, but estimates suggest it could run into billions.

Key stages of money laundering process

Money laundering is usually a three-stage process:

1. Placement

Illegal funds are paid into legitimate financial arrangements with reputable institutions such as life assurance policies or building society accounts.

2. Layering

This involves making several transactions to hide the original source of the criminal funds. The number of transactions is unlimited depending upon how far the criminal wants to go in hiding the source of funds. Often large sums of money from criminal activities are broken up into smaller denominations before the laundering process takes place.

3. Integration

This is the process by which the criminal funds finally look clean in that they appear to be fully integrated into the economy, having gone through several transactions to hide their origins.

Financial services organisations are most frequently involved at the placement and layering stages. For example, a bank account is opened in a false name, the proceeds are then withdrawn and placed into a life assurance bond, the bond is surrendered early, and the ‘clean’ proceeds transferred to an individual’s account overseas.

The UK is a member of the Financial Action Task Force (FATF), which is committed to legislation to combat money laundering.

Proceeds of Crime Act (POCA) 2002

The Proceeds of Crime Act 2002 (POCA) became law in January 2003. The legal position for money laundering activities is now primarily governed by this Act, recently amended by the Criminal Finances Act 2017.

The main types of offence under the legislation are:

Laundering or assisting someone else in laundering the proceeds of crime

Failing to report knowledge or suspicion of money laundering

Tipping off, or giving somebody warning that their activity might come under scrutiny by the authorities

Under the first category above, all of the following are considered offences:

Concealing, disguising, converting or transferring criminal property

Assisting somebody else to acquire, retain, use or control criminal property

Personally acquiring, using or having possession of criminal property

The term...

Shortened demo course. See details at foot of page.

...istencies in information given.

Where an identity cannot be verified, the Money Laundering Reporting Officer should be informed.

Records

Keeping appropriate records is extremely important for potential investigations. It also provides satisfactory evidence in relation to any allegation of failing to identify suspicious activities or breaching industry guidelines.

Part 3 of the Money Laundering Regulations 2007 lays down rules for internal record- keeping. It requires customer records, including identification documents, verification correspondence and account opening mandates, to be kept for five years after the relationship with the customer has ended.

The date when the relationship with the customer has ended can be the date of:

The closing of the account

The carrying out of a one-off transaction or the completion of several transactions

The commencement of proceedings to recover debts payable on insolvency

All other records of activity on an account should also be kept for the same five-year period.

Documents must be originals, photocopies or in electronic form, which can ease the burden of retaining records for five years. Each company tends to have its own procedures for record-keeping. Regardless of the recommended retention period for records, all records of any customer, where a suspicious transaction has been reported, or where they are known to be under investigation, must be kept until the case is closed.

Firms must conduct an annual review of their anti-money laundering systems after obtaining a report from the MLRO.

Training

The Money Laundering Regulations stipulate that registered organisations should take appropriate measures to ensure that all relevant employees are:

(a) Made aware of the law relating to money laundering and terrorist financing;

and

(b) Regularly given training in how to recognise and deal with transactions and other activities which may be related to money laundering or terrorist financing.

No mention is made in the regulations of the frequency of training. In the past, it was stipulated that such training should take place at least every two years. It is now up to relevant organisations to decide when training should take place in accordance with their own risk strategy.

Suspicious Activity Reporting (SAR)

A firm’s MLRO is required to report to the National Crime Agency (NCA) where they know or suspect that an individual is involved in laundering money or in financing terrorism. Individual staff members report their suspicions to the MRLO in confidence, nor directly to the NCA.

Civil recovery

The Assets Recovery Agency was established to disrupt organised criminal enterprises through the recovery of criminal assets and aimed to promote the use of financial investigation as an integral part of criminal investigation. It could obtain information about life policies and investments and use the tax system to tax profits or gains from criminal activity, The ARA is now part of the NCA.

Reporting

The MRLO provides a report to the firm annually so that it may undertake an annual review of all anti-money laundering systems and processes.

List the three stages of money laundering.

Answer : Purchase course for answer

Data protection legislation applies to some manual data and paper records as well as electronic data and can also cover telephone and CCTV recordings and photographs

Firms need to appoint a Data Protection Compliance Officer with sufficient authority to ensure that the Act is adhered to. The Government body overseeing the enforcement of the Act is the Information Commissioner .

Data protection act terminology

There are several terms defined in the legislation that you need to be aware of:

Personal data - Information in respect of a living individual who can be identified from the information held by the data controller, e.g. the person’s name and address

Sensitive personal data – this term is used in respect of a person’s racial or ethnic origin, religious political or other beliefs, mental or physical health, sex life or criminal record

Processing – deals with the day-to-day activities that affect personal data, including disclosure to a third party

A data subject – the individual whose personal data is held

A data controller - decides the circumstances in which personal data should be processed

A data processor is a body (usually an organisation) that processes the data on behalf of the data controller

The General Data Protection Regulations (GDPR)

The latest and most significant data protection laws came into force in all EU member states from 25 May 2018, and as it is a regulation rather than a directive, it is directly applicable without the need to pass internal legislation, giving uniformity of data protection laws across all EU States.

The UK’s decision to leave the EU does not affect the application of the GDPR - it is retained in the UK as UK GDPR, applying to con...

Shortened demo course. See details at foot of page.

...ssioners Office (ICO).

The Data Protection Act 2018

This Act coincided with the implementation of the UK GDPR and the Law Enforcement Directive (LED), the main elements being:

To implement GDPR (as UK GDPR)

To provide clarity on definitions used, in UK context

To ensure health, social care and education data is treated confidentially

To provide appropriate restrictions to rights to access and delete data to allow certain processing (public interest/public security)

Set the age from which parental consent is not needed to process online data at 13

Data security

Firms should consider the following points when reviewing their security:

What is client data?

This is any personal data held in any format,

What are the main risks?

This is not purely an IT issue.

Are visitors to the premises supervised?

Are administration staff vetted at recruitment?

What are the risks from third party suppliers?

Are third party suppliers – for example, contract cleaners - vetted?

Is confidential information left on desks?

Penalties

There are several criminal offences under the Act including:

Failure to make a proper notification of processing to the Information Commissioner

Failure to comply with an information notice or an enforcement notice

Processing data without the data controller’s authorisation – an offence that could be committed by a firm’s data processors or other individual employees

The penalties for non-compliance with the Act could result in unlimited fines or the instigation of court proceedings.

Within what timescale must a data controller comply with a request by an individual to have access to the records held on them?

Answer : Purchase course for answer

The FCA requires every authorised firm to have a written complaints procedure and to publicise it. The FSMA established the Financial Ombudsman Service (FOS) for all complaints against authorised persons about regulated activities.

Procedures

A person who wants to complain to an authorised firm should firstly make their complaint to the firm that provided the product or service; if it is not resolved to their satisfaction, they can then take the case to the Ombudsman.  Complaints about the sale of contracts arranged by an intermediary should be made to the relevant intermediary rather than the product provider. Complaints about a sale made by an employee or representative of a provider should be made to the provider.

A complaint is ‘any oral or written expression of dissatisfaction, whether justified or not, from or on behalf of a person about the provision of, or failure to provide, a financial service, where the complainant has suffered or may suffer financial loss, material distress or material inconvenience, and relates to an activity which comes under the jurisdiction of the Financial Ombudsman Service'.

The firm must publicise its complaints procedure to customers and all relevant employees must be aware of it. The firm must refer in writing to the availability of its complaints procedure at, or straight after, the point of sale. It must publish details of its procedures and supply a copy on request. Firms must include details of the procedure in their terms of business or client agreements.

Handling complaints

Authorised firms must handle complaints fairly, consistently and promptly. The procedure must ensure that a competent - and, where possible, independent - employee investigates the complaint....

Shortened demo course. See details at foot of page.

... on what is fair and reasonable in the circumstances, taking into account the law, the FCA rules and guidance and statements of good industry practice

Notify its decision to the complainant and the respondent in writing and give reasons for the decision. The claimant must then accept or reject the FOS’s decision within the time limit that the FOS specifies

Money awards

If the claimant accepts the FOS decision, it is binding on the respondent up to:

£415,000 plus interest and costs (and interest on costs) for complaints received on or after 1 April 2023, about acts or omissions by firms on or after 1 April 2019

£190,000 plus interest and costs (and interest on costs) for complaints received on or after 1 April 2023 about acts or omissions by firms before 1 April 2019

The FOS can award compensation for any loss and/or order the respondent to take remedial action. The respondent must comply with the award.

The FOS can recommend to firms that they pay higher amounts, but these recommendations are not binding on the respondent. The Ombudsman also has the power to order firms to take steps such as transfer a pension, offer life cover, etc.

The FOS cannot award the respondent costs against the complainant. Firms must not seek to charge their customers for the cost of bringing a complaint to themselves or the FOS.

Directions award

The FOS can also make a directions award, telling a firm what actions it needs to take to put things right for its customer, which could include paying an insurance claim that has been rejected, or apologise to the customer.

Explain the types of complaints which are NOT subject to the stated time limits or record-keeping requirements.

Answer : Purchase course for answer

Financial Services Compensation Scheme (FSCS)

The Financial Services Compensation Scheme (FSCS) was established under the FSMA to provide compensation to claimants where authorised firms cannot meet claims against them relating to their authorised activities.

There are various organisations and persons who are not eligible for compensation, such as large companies, local authorities, governments and most pension funds.

The claim must be made by an eligible complainant for:

A protected deposit – deposits at UK branches

A protected insurance contract – contracts issued through an office in the UK, an EEA state, the Channel Islands or the Isle of Man. For life and pension policies the risk is situated where the policyholder is habitually resident at the date...

Shortened demo course. See details at foot of page.

...usiness to another insurer.

The FSCS is funded by a levy on authorised firms. The latest model introduced five broad classes based on industry sectors: deposits, investment, life and pension, general insurance and home finance. There are two sub-classes in each broad class divided along provider and distributor lines, except for deposits. Each sub-class will have a limit on what it could be required to contribute to compensation claims each year. If it reaches its annual threshold, the other sub-classes in that broad class would be required to contribute to any further compensation, up to a stated limit.

State the limits of compensation available from the FSCS for (a) Deposits, (b) Long-term insurance and (c) General compulsory insurance.

Answer : Purchase course for answer

The Pensions Ombudsman (TPO)

TPO has an understanding with the FOS, whereby the FOS will deal with complaints regarding the sale of personal pensions and small occupational schemes, and the Pensions Ombudsman will handle problems associated with the management or administration of sch...

Shortened demo course. See details at foot of page.

.... The PPF is also responsible for the Fraud Compensation Scheme, which provides compensation to members of pension schemes that suffer losses that can be attributable to dishonesty.

What complaints are dealt with by the and the Pensions Ombudsman?

Answer : Purchase course for answer

This revision test (opens in a new window) has 15 questions and tests yo...

Shortened demo course. See details at foot of page.

...rd multiple choice questions and 5 multiple response questions in the R01 exam.