The regulatory story of 2017 into 2018: To a trinity and beyond! | Wolters Kluwer

  • The regulatory story of 2017 into 2018: To a trinity and beyond!

    By Steve Blackbourn

    Published January 10, 2018

    2017 has been a year of much regulatory change, with economic, political and social circumstances, and events at both the national and international levels, shaping the focus or impetus towards certain risk issues and topical concerns. This has reflected the clear and perceived impact(s), potential harm(s) or vulnerabilities being posed to financial markets, systems and/or their users and participants. As 2018 is welcomed in, it is worth stepping back a little when gazing at probable future regulatory impacts and opportunities across what remains a dynamic and multi-faceted landscape.

    Bringing together and highlighting some of the more notable changes and developments already apparent or visible during 2017 which are now likely to filter across into 2018 and beyond gives an opportunity to take stock of recent, current and likely future issues and challenges. To do so in a logical and coherent manner, this extended article looks across the distinct but relevant dimensions and levels which most effectively and often practicably constitute the necessary ‘big-picture’ for a lot (if not the majority) of regulated financial institutions.

    Hence this consideration moves in turn to the particular working ‘holy’ trinity of perspectives being: Global/International, European (E.U.) and the United Kingdom (U.K.), containing a quick-reference summary in respect of each specific dimension.

    A. The Global/International regulatory dimension

    The founding basis of principles and standards behind many core aspects of financial regulation has stemmed from the outputs and requirements laid down or expounded by certain agencies and bodies who have some global and/or multi-jurisdictional mandate and reach. These have tended to be driven by political and/or economic mandates, with a focus on the stability, integrity and risks associated with international strategies, business organisations, financial systems and correlated considerations.

    This dimension incorporates such international bodies and forums as the groups of seven and twenty (G7/G20), International Monetary Fund (IMF) and the Financial Action Task Force (FATF) etc. Here the developments and focus are turned towards issues and emerging threats connected with (or compounded by) the multi-jurisdictional and systemic, potentially contagious and correlated nature of financial-services business and the participants and systems involved. This brings into focus the many fundamental issues concerning all elements of financial-crime from AML/CFT, to bribery and corruption as well as broader and systemically applied financial and trade monitoring and sanctions.

    Notable developments and subjects arising during 2017 and likely to flow-through into 2018 include:

    The Financial Action Task Force (FATF) 

    FATF (along with other FATF-style organisations) continues to be the dominant advocate and arbiter in the international evaluation of AML/CFT frameworks and standards.

    Key FATF outputs have covered and highlighted a variety of concerns and topical developments e.g. beneficial ownership, changing ‘terrorism’ dynamics, as well as the evolution of ‘cyber’ threats.

    There has also been the continued evolution and roll-out of its jurisdictional evaluation methodology to risk-assess member states on the adequacy/effectiveness of their AML/CFT frameworks, which has informed and enabled users to understand the various elements of a coherent risk assessment by accessing the related informative summary reports and comparison tables. In particular, a periodic updated and consolidated assessment summary of jurisdictional ratings conducted using the most recent standards and methodology (4th Round using the 2013 Assessment Methodology) was issued in mid-December.

    Also, the 2016/17 period has included outputs relating to a couple of key ‘local’ jurisdictions to the U.K., namely reports for the Isle of Man (IoM) issued in December 2016 (by Moneyval) and the report for Ireland issued in September 2017 (by FATF). An assessment covering Jersey (by Moneyval) was issued in May 2016, with the last assessment by FATF of the specific U.K. environment issued much further back in 2007 with a separate follow-up report issued in late 2009. However, the next FATF assessment visit covering the U.K. is currently expected to begin planning before the end of 2017 and to probably be conducted during 2018.

    FATF has also continued to champion and advocate clear and meaningful standards and practices whilst keeping a focus on specific concerns such as Corruption (ABC) and sanctions/PEP management etc. In early November, FATF issued its latest public statement concerning the status on action plans for various deficient jurisdictions, as well as highlighting other jurisdictions where specific counter-measures and/or enhanced levels of due diligence are deemed relevant. The latest statement now covers nine specific jurisdictions where there remain identified strategic deficiencies in AML/CFT arrangements and frameworks posing risks to the international financial system, with a further jurisdiction being removed from FATF's ongoing compliance process after making sufficient improvements. In addition, more jurisdictions are now being expected to have and apply consistent prudent controls and measures in identifying and handling domestic and non-domestic clients who might hold any active Politically Exposed Person (PEP) status.

    Global market innovations & dilemmas

    Global-wide developments in innovative technologies such as mobile solutions and platforms will continue raising regulatory attention and challenges ahead. For example, the creation and rise of new payment platforms (such as M-Pesa in parts of Africa) as a dominant and omnipresent P2P payments and transaction mechanism for mobile-based money, is developing and operating on the fringes (or in circumvention) of traditional and established banking and regulatory frameworks. This does arguably create certain opportunities and potential to push the boundaries of financial inclusion, innovation and competition, especially across developing jurisdictions and economies, creating new and faster borderless payment and transaction settlement solutions built around ‘new’ and/or ‘electronic’ money.

    But in a growing age of diverse ‘cashless’ and ‘contact-less’ mechanisms and digital eco-systems, this perhaps inevitably raises concerns over the real motivations, drivers and beneficiaries behind such a brave new world. In particular, any shift of responsibility, even through apparently innocent initiatives such as on-line banking, could see the onus placed in terms of self-administration, servicing and security effectively blurring the distinctions of role and accountability between providers and users. Regulators will hopefully continue to champion, protect and enforce the appropriate ‘benefits’ and ‘interests’ of all participants around areas such as access, security and reliability etc. So expect a continued focus ahead on such matters in 2018, as well as the obvious focus on ensuing cyber-related risks and exposures. There is also the nebulous question of how and why such innovations simply tend to drive up transaction volumes and ultimately the income and profits of providers, as well as how provider institutions and platforms may go on to use, analyse and apply the information and records on behaviours captured by the personal and financial data held and processed.

    The implications of ‘Big Data’

    As a further extension of these views, both now and looking ahead, dilemmas around the purposes, collusions and consequences involving ‘Big Data’ are also a pertinent subject for many consumer activities, and not least global financial-services. Here, the emerging and prospective risks of such technology services and data providers or controllers to effectively (or even deliberately) extrapolate, predict or even target, control or manipulate (or at least influence) user choice, behaviours and outcomes need to be adequately scrutinised, properly understood and suitably guarded.

    New currency platforms and solutions

    The rise of alternative and other virtual transaction systems such as ‘Bitcoin’, to challenge and compete with traditional money and the banking platforms, are also adding another dimension to calls for more relevant and meaningful regulation and control of such evolving payment systems and markets. Though such crypto-currency solutions have continued to lack any real market traction or support, the recent pricing and volatility of Bitcoin continues to attract interest and speculation, as to its longer-term resilience and eventual sustainability.
    Bitcoin is not a recognised regulated product in the UK, nor is it seen to pose any immediate risk to financial stability or threaten the integrity of international financial systems. Nevertheless, in the U.K. the conduct regulator (FCA) does remain cautious and alert to emerging trends and vulnerabilities through initial coin offerings (ICO's), and the potential use of such higher risk and speculative investments with other complex products e.g. contracts for difference (CFD's).

    Global/International - Quick-reference summary


    | Topic | Key deadline(s) | Scope & perspective |
    |  |  | Continued focus on how existing and new solutions pose risk and harm to providers and users. |
    | Politically Exposed Persons (PEP's) |  | Harmonisation of expected approaches and controls for all PEP status clients (including domestic). |
    | Sanctions & deficient jurisdictions |  | Periodic public statements on weak AML/CFT frameworks posing risk to global systems. |
    | Big Data |  | Ongoing assessment of impacts and vulnerabilities on use and management of ‘Big Data’ to influence behaviours and outcomes. |
    | New financial and market systems and platforms |  | Continued review of new technologies and market innovations e.g. crypto-currencies and contactless solutions, and associated higher risks/vulnerabilities. |
    | FATF assessment of U.K. |  | Continued assessment of global AML/CFT frameworks under ‘4th Round’ methodology. |

    B. The European (EU) regulatory dimension

    The combined outputs and provisions of the European Parliament and European Council seek to advocate and impose a range of harmonised requirements across member states to support the smooth and effective operation and conduct of business within and across the European Union (E.U.) and European Economic Area (EEA). Individual member states are expected to internally implement E.U. Directives and Regulations within their own legal and regulatory frameworks, though the E.U. has an over-arching framework of specific regulatory bodies focussing on detailed technical direction, supervision and oversight regarding the financial-services industry. In terms of the industry-wide European system of regulatory financial supervision, the European Supervisory Authorities (ESA's) involved currently comprise the European Banking Authority (EBA), European Securities & Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA).

    European-led regulatory obligations cover broad and diverse areas such as prudential and capital management, payment and investment services, consumer protections, trading disclosure and funding transparency etc. It has also established and set-up more tailored provisions and frameworks of rules and governance standards for specific sectors, products and financial activities and instruments e.g. MiFID and also various Directives concerning insurance, e-money, credit and investment services etc. to name but a few! In addition, membership and access to the single market, and the harmonisation of regulations (at least in theory, principle and intent) across Europe, introduced the capability to passport activities on a cross-border basis, which has facilitated and opened-up the growth and operational strategies of many financial institutions.

    Notable developments and subjects arising during 2017 and likely to flow-through into 2018 include:

    U.K. Brexit implications

    In mid-2016 the U.K. voted to end its membership of the European Union, beginning a process of separation and adjustment now likely to push well into the 2020's. However, since the U.K. first joined the European Communities (later to become the E.U.) back in 1973, its membership of the E.U. (through the E.U. outputs of the legislative and administrative processes of the E.U. Parliament and Commission) has meant that a significant proportion of domestic financial laws and regulations have directly emanated from the required internal adoption and implementation of E.U. Directives and ancillary Regulations along with inevitable periodic updates and reviews.

    The cross-border and market access ramifications and consequences of U.K. Brexit bring certain impacts and challenges, and especially where these involve closely intertwined jurisdictions e.g. Ireland, IoM and Jersey etc. This might see the regulatory environments and structures conceivably begin to practicably diverge (at least in the longer-term) without the common overarching and harmonising structures and operating standards being otherwise kept in place. And of course, this poses as many issues for E.U. firms relying on U.K.-based clients and business as it does for U.K. financial firms wanting to strategically retain any E.U. client-base.

    The European Financial Supervisory Authorities (ESA's)

    The key E.U. regulators (EBA, ESMA and EIOPA) come together to help oversee, monitor and consider certain systemic risks, but individually continue to play an important role in the outputs and focus for providing interpretative and practice guidance and technical standards (RTS/ITS) for domestic agencies and organisations involved in the implementation and monitoring adherence to specific Directive provisions e.g. expanding on Articles and working guidelines and Q&A's thereon etc.

    The ESMA body replaced the former CESR institution, and seeks to improve investor protection as well as stable and orderly financial markets. It is therefore playing a key role in the rollout of the revised MiFID II/MiFIR regime and structures across Europe. However, during the last few months of 2017 it produced various materials cutting across a range of other active requirements such as a new prospectus regulation, the sale of speculative products to retail investors (CFD's and binary options etc.) as well as consulting on the calculation of positions by trade repositories (TR's) in respect to post-trading and transaction reporting under EMIR. So expect throughout 2018 to see a lot of final guideline documentation across a range of topics continue to be produced.

    In late 2017 the EBA indicated that the present capital regime (CRD/CRR) was no longer considered relevant for investment firms with a discussion paper on a new liquidity framework. In 2018 the authority is expected to further advance consultation on proposals for a new regime and methodology based around a basic capital requirement and driven by defined capital factors (K-factors). The initial consultation for feedback ends in February 2018, with the aim of establishing more proportionate and relevant requirements given the nature of investment business.

    With the new supervisory framework for insurance firms introduced in January 2016 (Solvency II) the EIOPA body has sought to achieve stability and protect consumers by introducing common standards and practice across both the insurance and occupational sectors. Accordingly, it issues and maintains guidelines on a variety of detailed subjects from complaint handling, recovery and resolution to matters of governance, as well as in respect to aspects of the Insurance Distribution Directive (IDD). Looking ahead, the Directive on Institutions for Occupational Retirement Provision (IORPS II) creating common and revised standards for firms affected was finalised in early 2017, with E.U. Member States now having until January 2019 to locally implement it.

    Data Security, Protection and Privacy

    The independent European Data Protection Supervisor has played a central and coordinating role in looking to further develop and harmonise standards across the E.U. Given this includes matters such as the transfer and processing of data on a cross-border basis then many firms, and especially those who delegate or rely on other parties (including on an intra-Group basis) for delivering or supporting their own technology and service administration infrastructures and platforms, need to be alert to developments directly or indirectly affecting any control, security, recordkeeping and privacy arrangements etc. Obviously, one such key E.U.-wide development should see the new General Data Protection Regulations (GDPR) establish a new and more harmonised legal framework within and across the E.U. during 2018. In addition, the correlated introduction of the Privacy & Electronic Communication Regulations (PECR) will see new and revised compliance standards in regard to how firms contact and communicate with new and existing customers in a more collected and collegiate manner.

    Looking ahead into 2018, expect the European Data Protection Supervisor (EDPS) authority to encourage and support domestic and national agencies to properly mitigate and respond to risks associated with cyber-security, digital technologies and innovation, and cross-border data flows etc. It is also likely to work to consolidate a reform process covering not just overall data security and protection but also extending to confidentiality and e-privacy around electronic communications. This will be key as the EDPS seeks to work with specific local agencies e.g. the U.K. ICO, in driving and managing organisational behaviours where it can protect and oversee the interests of the individual, and to ensure such local agencies are clearly committed to the notion that accountability for how personal data is kept and used is maintained at the appropriate and highest level. And to support all this momentum a new European Data Protection Board (EDPB) is expected to become quickly established and functional from May 2018.

    European – Quick-reference summary




    | Topic | Key deadline(s) | Scope & perspective |
    | U.K. Brexit | March 2019 | End of 2-year Article 50 notice period but may be subject to further transitional period(s). |
    |  | May 2018 | New and revised regimes concerning both data protection and privacy relating to client contact and communications. |
    |  | May 2018 | New E.U. data protection body to co-ordinate and promote issues and collaboration with local agencies. |
    |  |  | Advancing a new prudential framework for investment firms. |
    |  |  | Ongoing oversight and guidance regarding MiFID II/MiFIR roll-out issues. |
    |  |  | Support introduction of IORPS II regime for workplace pensions and occupational retirement saving schemes. |


    C. The United Kingdom (U.K.) regulatory dimension

    Over many decades the U.K.'s regulatory regime has moved away from a world of largely self-regulating organisations to an arguably more specialist and sophisticated environment, with regulatory bodies and agencies focussing on specific aspects of oversight and monitoring, from conduct (FCA) and financial prudence (PRA) to other agencies looking at certain key aspects like payment services (PSR), data protection (ICO) and financial accounting and governance (FRC) etc. Inevitably, this has created areas of overlap and duplication in terms of concern and especially around matters of behaviour and culture etc.

    Some of the notable developments and subjects arising during 2017 and likely to flow-through into 2018 include:  

    U.K. exit from the E.U. (Brexit)

    When looking ahead to challenges for financial businesses and regulation in 2018 and beyond no-one can ignore the event that is ‘Brexit’. The ongoing political and economic negotiations keep this one necessarily high on the public and media radar. And the impacts and consequences of leaving the European single market, the ramifications for future cross-border market access, and the potential for longer-term regulatory divergence or non-equivalence between the U.K. and other crucial business markets are all yet something which might demand firms amend business structures and strategies. Indeed, from the U.K. perspective, its impacts and challenges are significant to a U.K. financial services industry and related systems which has been a core and influential participant in many facets of global and cross-border markets e.g. systems, payments, settlement, custody and fiduciary etc. Some U.K.-based firms are of course already implementing legal and structural re-organisations to address specific and perceived Brexit scenarios, as well as other U.K. landscape reform processes e.g. ring-fencing certain vulnerabilities and obligations under continued Banking reform processes which is expected to be implemented from January 1, 2019.

    Clearly, the risks and uncertainties around the ability of U.K.-based entities to operate within and across the E.U. without the ‘passport’ facility available with E.U.-membership, or any suitable ‘equivalence’ recognition, will lead, and are already leading, to some multi-national financial entities having to anticipate, contemplate and even activate plans for restructuring their organisations and operations both legally and geographically. But until it becomes totally transparent how the U.K. will be able to access and conduct business internationally once it ceases to be an E.U. member state, then it seems both reasonable and inevitable that firms must carefully assess and balance the strategic, commercial and regulatory contingencies and viabilities involved.

    Though the U.K. is expected to renounce its formal and full E.U. membership status from early 2019 onwards the U.K. Government has committed nevertheless to pursuing and completing a range of known E.U. Directive developments that relate to financial-services into the U.K. legal and regulatory framework. This includes (but is certainly not limited to) matters concerning data protection (GDPR) and provisions affecting occupational retirement and workplace pensions provision (IORPS II) etc.

    And from a U.K. perspective, it is also worth considering often correlated developments in several closer and connected jurisdictions, which is kept here (for brevity) to three, namely: Ireland, Isle of Man and Jersey. For example, Ireland has been keen to proffer and position its suitability as a strong choice jurisdiction of location and operation, as firms and organisations implement plans not just for U.K. ‘Brexit’ impact, but other U.K. reform processes rolling out like those affecting banking and the ring-fencing and risk-based segregation of certain types of investment and business activities. Indeed 2018 will see a lot of expended effort on specific ring-fencing activity, with the U.K. PRA taking a lead in ensuring the segregation of financial servicing facilities in the U.K., which is also expected to be implemented from January 1, 2019.

    Information Commissioner's Office (ICO)

    The roll-out of the GDPR will see reform of the U.K. data protection regime and is being implemented from May 2018 and ahead of Brexit. This new U.K. data protection legislation will effectively replace the current legislative arrangements under Data Protection Act 1998, and will result in a new fee system starting in April 2018 which could see an extended tiered-structure to reflect the circumstances and categories of different sizes and types of regulated organisation and differing volumes of personal data involved and being processed where they are engaged in activities as a data controller. In addition, the U.K. ICO has used its existing powers to sanction firms found to have breached acceptable standards. In particular, the ICO has placed a focus on unsolicited marketing and practices undertaken without appropriate consent and causing nuisance, with fines of >£2m imposed during 2017, and its overall capacity to fine and act against firms will only be further strengthened once the new GDPR regime is implemented alongside the new and separate privacy and communications related regime (PECR).

    Financial Reporting Council (FRC)

    Proposals for a revision to the U.K. Corporate Governance Code were issued in early December 2017 with changes expected to be finalised around mid-2018 before an updated code takes effect from 1 January 2019. Though many established elements of approach will remain e.g. ‘comply or explain’, there will be a new focus on principles and requirements which support more effective engagement with wider stakeholders including investors/shareholders, and to raise the overall quality of governance and associated arrangements e.g. affecting Board and committee structures, roles and composition.

    The financial services regulators

    The FCA, PRA and PSR have all been very active during 2017 issuing many consultative and research outputs covering the wide range of major topics e.g. MiFID II, PSD2 and MLR 2017 implementation etc. FCA enforcement has remained focussed on supporting acceptable outcomes and behaviours of both firms and individuals where customer interests are not met or overlooked. In addition, sector-led initiatives in 2017 have covered diverse issues, from asset management, consumer-credit/pay-day loans etc. to pensions and insurance practices, as well as looking at specific themes such as the challenges and needs of serving an ageing consumer population.

    A number of continued working review themes are likely to progress into 2018 e.g. wholesale insurance broking, consumer-credit/payday credit risks and supporting the eventual PPI complaint and remediation deadline set for August 2019 etc. These will all then inform and drive ongoing regulatory business plans and priorities. In addition, regulators continue to cascade findings and observations around specific topics and concerns, such as the FCA's summary publication in November 2017 of its questionnaire-based analysis of and insight into the changes and challenges for Compliance functions which looked at wholesale banking.

    During the latter part of 2017 the FCA also set out the scope of a strategic review focusing across retail banking business and the context, processes and approach likely to be followed. This highlights the importance of business-model analysis in understanding the dependencies and exposures across often increasingly complex and multi-faceted regulated businesses. It also makes some more broadly relevant points on the challenges, risks and implications concerning consumers and healthy market competition, with issues such as technology, active cross-selling of products and services and the formation of multiple business relationships etc. all impacting aspects of sustainability, resilience and risk contagion of any regulated firm.

    The FCA has also started to produce papers and seek stakeholder feedback in expanding on its approach to key activities as part of its future purpose and defined ‘Mission’. During the latter part of 2017 papers have been issued concerning consumers, authorisation and competition, as the FCA seeks to transparently define the manner and tools it will adopt in pursuit of its strategy and objectives.

    There have also been a few notable reporting obligations kicking-in during and beyond 2017 including the FCA's new annual ‘financial-crime’ return (REP-CRIM) first introduced at the end of 2016, but supported by revised guidance consulted on much more recently (see FCA CP17/39). This return is used to inform on status and risk criteria, with the FCA looking to expand and develop its own analytical and data aggregation capability to inform its decision-making and resource allocation and priorities ahead in this area. This should make the regulator more efficient in identifying and applying its resources and informing both its future supervisory and enforcement processes and decisions.

    ‘Treating Customers Fairly’ (TCF) remains a central mantra and initiative for the U.K. conduct regulator in driving behaviours, practices, standards, outcomes and experiences. So areas like complaint handling and recordkeeping, and the ability to show a firm is able and willing to listen & act (through learning and improvement) etc. are all seen as key in scrutinising and judging what firms do, how they do it and just as importantly why they do it! But also, a revised Financial Services Compensation Scheme (FSCS) will begin to roll-out from April 2018 (but with more substantive changes in 2019/20) designed to improve and strengthen consumer protections introducing possibly more risk-based levies and obligations. This will no doubt impact not just the scope of firms and funding classes covered, but ultimately the resulting levies and contributions involved for specific firms too.

    To strengthen levels of individual accountability on conduct and competence events and matters, a transition process expanding the scope and application of the Senior Managers & Certification Regime (SM&CR) will be a significant future regulatory development newly affecting all FCA solo-regulated firms at the least. The consultation on detailed proposals commenced in December 2017 with various publications (see FCA CP17/40 et al) which will see all FSMA regulated firms coming under potentially new and more onerous provisions from end-2018 onwards subject to the implementation date(s) finalised by HM Treasury. For many firms, this could well increase the scope of persons under the sphere of regulatory accountability and culpability to that formerly under the approved person (APER) regime, introducing a new duty of responsibility, and even requiring some firms and individuals to undergo a notification/updated documentation process before being able to transition under the new regime.

    The Prudential Regulation Authority (PRA) is itself advancing the introduction of a new capital framework (Pillar 2A) from the beginning of 2018 which will affect not just the Internal Capital Adequacy Assessment Process (ICAAP) of firms affected, but also the related PRA approach in terms of its own rolling Supervisory Review & Evaluation Process (SREP) too.


    The requirements and expectations on firms to proportionally and proactively forestall being used for financial-crime purposes have continued to be a strong area of regulatory attention and action. As new technologies and product innovations have evolved the threats, challenges and opportunities there remains a core need to properly understand and assessing risks, with effective mitigation and plans for handling events, vulnerabilities and contingencies. To underline this, a notable U.K. FCA enforcement action around unacceptable or inadequate conduct during 2017 included a fine in January of over £160m on a global bank for having an inadequate control framework concerning handling client relationships and exposing the U.K. financial system to unacceptable risks.

    No sooner than the U.K. had implemented its own 4MLD provisions during 2017 (via the Money Laundering and Transfer of Funds (Information on the Payer) Regulations – MLR/FTR 2017) than the subject of a 5 th ML Directive was already on the proverbial table. This is likely to bring the prospect of further strengthening measures and standards around beneficial ownership and funding transparency in light of ongoing and emerging threats and vulnerabilities, so expect this to be an ongoing ‘watch’ issue for 2018.

    The latest suspicious activity reporting (SAR) levels and analysis for 2017 were published by the U.K. National Crime Agency (NCA) in mid-October, showing an increase in volumes. This has helped to drive ongoing reforms of the U.K. SAR regime, and in terms of 2017/18 a new strategy is emerging to support the U.K.'s aspiration for a world class financial intelligence unit (FIU), which will seek to consolidate the NCA's capabilities to respond to future challenges and build on its partnerships, intelligence and reputation to enable the NCA to play a leadership role in the prevention and disruption of AML/CFT activity in the U.K. Also expect a resurgence in the visible planning and preparations for the next FATF risk assessment of the U.K. environment and its AML/CFT framework. This is probably due to at least commence during 2018, using the latest (4th Round) methodology and updating the previous (2007-9) U.K. assessment, and will be a timely output given other wider changes and impact events, e.g. the U.K.'s departure from E.U. membership.

    The Joint Money Laundering Steering Group (JMLSG) has also continued to consult and develop the UK's risk-based industry guidance, covering both generic and more specialist guidance on practical compliance, technical interpretive matters and topical studies and scenarios surrounding the U.K.'s AML/CFT arrangements and systems.


    Back in 2016 the U.K.'s new National Cyber Security Centre (NCSC) issued guidance to all firms on the essential steps and measures that could/should be taken as part of a prudent and proportionate risk-mitigation process. In October 2017, the NCSC passed its first operational anniversary, and there is now a very broad range of other specialist and ancillary guidance material available too. This all provides a useful high-level introduction to the many inter-related issues, dynamics and vulnerabilities involved in cyber-security, and can help inform and educate senior management as part of an organisation's risk assessment and decision-making systems, emphasising Board-level accountability around this topic. This involves not just data and information, but also wider matters extending to strategy, policy, network infrastructures and realistic contingency, incident and/or recovery management, and of course, crucially, the all-important staff co-operation and awareness and the overall underlying cultural and governance dimension(s) too.

    During 2017, and no doubt into 2018 and beyond, the subject of cyber-crime events, threats and awareness has continued to have a strong and wide profile. Firms need to ensure they remain alert to outputs from relevant agencies and bodies, and keep under close consideration their own ongoing incident-management and oversight of internal vulnerabilities.

    Other sector and service concerns

    A focus towards the year-end on the regulation of gambling and gaming, and the responsibilities and practices across this diverse and specialist sector, has looked at the consumer vulnerabilities associated with mobile and on-line platforms and technology. This relates to marketing, access and distribution of related products and services. As well as potential legislative changes, an increased financial and conduct regulatory focus on rules and guidance expectations into 2018 and beyond might well extend to connected ‘electronic-money’ type firms that directly support the underlying merchant business and facilitate and conduct related account funding activities and payments.

    United Kingdom (U.K.) – Quick-reference summary

    |  | Key deadline(s) | Scope & perspective |
    |---|---|---|
    | MiFID II (& MiFIR) implementation (Markets in Financial Instruments Directive) | January 2018 | New framework concerning provision of services involving financial instruments replacing former MiFID. |
    | PSD2 (& PSR 2017) implementation (Payment Services Directive) | January 2018 | New framework concerning businesses and consumers relating to the making and receipt of payments, replacing former PSD. |
    | IDD implementation | February 2018 | New framework concerning insurance mediation and distribution replacing former Insurance Mediation Directive (IMD). |
    | GDPR/PECR implementation (Data Protection & Electronic Communications) | May 2018 | New and revised regimes concerning data protection and privacy matters, replacing former U.K. DP Act legislation. Also, new fee structure to start April 1, 2018. |
    | IORPS II implementation (Pensions Directive) | January 2019 | New framework concerning workplace pension schemes and occupational retirement savings. |
    | Financial Conduct Authority (FCA) |  | Extension of SM&CR regime of culture, governance and accountability applying to all U.K. FSMA regulated firms. |
    | Financial Services Compensation Scheme (FSCS) | April 2018+ | Scheme revised in both scope and protections with other substantive changes due in 2019/20. |
    | Prudential Regulation Authority (PRA) | January 2018 | New Capital framework (Pillar 2A). |
    | Ring-fencing related to U.K. Banking reforms | January 2019 | Implementing ring-fencing regime concerning core U.K. financial services facilities e.g. banking and investments. |
    | Financial Reporting Council (FRC) | January 2019 | New and revised U.K. Corporate Governance Code affecting all U.K. incorporated entities. |
    |  | March 2019+ | Consequences of leaving European single market and impacts on passport rights and longer-term regulatory divergence or non-equivalence. |
    | FATF Risk Assessment of U.K. |  | Planning for an updated evaluation of U.K. AML/CFT framework against latest ‘4th Round’ methodology. |

    In conclusion - a busy year ahead on many diverse but also common fronts

    In taking a brief look at some of the notable regulatory events of 2017 and trying to predict the issues and factors driving forward into 2018 and beyond, some notable topics and obviously common subjects can be identified. Many of these invariably have a degree of connectivity, overlap and possible risk contagion in terms of any overall probable or eventual harm, impact and priority going forward into 2018 and beyond.

    This article has simply attempted to look at each of the Global/International, European and U.K. dimensions in turn, to help inform those who have some direct or vested interest in wanting to ponder on, contemplate and set their radars towards some of the regulatory matters and attentions ahead that might be of relevance to their own strategic plans, organisation and/or operating scope of business.

    It is for firms, and their regulatory functions, to ensure they suitably identify and proportionately plan for the developments and changes that will come to affect or influence their business strategy and risk profile, making sure that adequate resources are engaged and applied in meeting the respective judgements, actions, standards, obligations, practices and outcomes. Taking time to identify issues and plan ahead will hopefully give firms an advantage in not falling prey to reaction, and maintaining compliance in that dynamic and multi-faceted landscape.

    About the author: Over a 25-year career Steve Blackbourn has undertaken various operational and regulatory roles at senior-management level in a range of international financial services organisations before becoming established as a U.K.-based compliance and financial crime consultant in 2008. Steve has held key positions within a global bank assurance group, an Advanced Risk-Responsive Operating FrameWork (ARROW) supervisory inspection team at the U.K. FSA and an international life/pensions and investment organisation. Steve has worked and continues to work alongside Wolters Kluwer in delivering project-specific as well as rolling consultancy support services with mutual clients. He is also a regular monthly contributor to Wolters Kluwer Compliance Resource Network. In addition, he works with a range of direct clients, applying his broad-scope regulatory-compliance and financial-crime background and skills to deliver a reliable and quality service with an emphasis on a practical approach and commercially orientated solutions.
