Guidelines on financial crime reporting for regulated institutions covered by the money laundering rules in the U.K. were recently unveiled by the UK Financial Conduct Authority (FCA). Firms will now be required to submit a report on financial crimes faced in the prior year – whether the company was a victim, targeted or worse, a channel for misconduct.  In addition, the FCA issued guidance on outsourcing to the “cloud,” setting an interesting standard for all financial markets participants and their third-party suppliers.  These new guidelines will illuminate for the FCA how regulated companies recognize, manage, record and analyze financial crime incidences, and the controls in place for those using third parties.

Retail Banking Ahead of Investment Banks on Tracking Financial Crimes

While firms should be able to account for financial crimes encountered, with more onerous MiFID II requirements coming into effect in 2018, recording and compiling these data sets may be more challenging than anticipated.  Brand reputation and internal controls alone may not shield companies the way they surmise, and when violations do occur, few regulated firms are waving that flag proudly, though some are better prepared than others to meet regulators’ requirements.

Retail banks have for years been chronicling the type of crimes being committed to their customers and implementing ways to reduce such activity in order to minimize the costs to their business and create a better banking experience.  For them, much of the data the FCA requires will already be accessible.

But because these intrusions often start with a phone call or other electronic communication, corporate investment banks, which may not have been consistently tracking their interactions until now, will need to start recording, categorizing and analyzing events.

Phishing attempts by email, for example, will need to be identified and collated by firms as they start to provide data to the FCA starting in the new year. The transitional rules will help some firms to be able to get their systems in place until the full requirements take effect in January of 2018.  With MiFID II record-keeping changes happening at the same time, firms need to act quickly to get budgets and processes in place well in advance.

Migrating to the Cloud Under Today’s Regulatory Rules

While emails have for years been archived in the cloud, we are now at a time when many other means of communication and trading – ultimately all services – are considered for storage in the cloud to minimize risk, improve flexibility and lower infrastructure costs due to the storage scalability cloud offers.  With continued pressure on budgets and a focus on core businesses, many regulated firms have sought and outsourced cloud services.  While beneficial to evolving the financial markets, under the FCA guidelines, regulated firms cannot pass off their regulator responsibilities to these third-party providers.  In addition, the FCA unveiled three definitions for the types of outsourcing:

Critical and Important – where a system failure would compromise a firm’s obligations under the regulatory system;

• Material Outsourcing – where a system failure would cast serious doubt on the firm’s continuing satisfaction of the compliance threshold;
• Important Operational Functions – relating to the Electronic Money Regulations 1022

and the Payment Services Regulations 2009.¹

The FCA has also mentioned several international standards that should be applied to outsourcing. Although the guidelines have been in development for many months, it is notable that the U.K. regulator is taking a very global approach. Where a global standard is available, the regulator suggests that the standard should be applied to the service being outsourced. We will likely see more of this view in many of the post-Brexit UK government institutions.

The FCA advice given is extensive, with more than 60 specific recommendations for how regulated firms should handle the outsourcing of different functions.  Any outsourcing is change and both the change and the outsourcing should “avoid undue operational risk.” The risks are typically highest at the start and end of engaging solutions. The guidance also lays out how firms and vendors should approach the qualification of each of the services and gives clear definitions of critical or important, material outsourcing and important operational functions. The latter being specific for electronic money institutions.

The early days of guidance from the FCA could be described as terse. The authority offered a guide to the principles being applied, rather than detailed discussions of the issues being tackled and the problems that might be encountered and solved. This was to be expected in the heavily principles-based approach taken in those days.

In contrast, the FCA’s latest guidance gives very detailed advice about what to look out for when deploying these kinds of services, which has the potential to become a reference for much of the outsourcing that takes place in the financial markets, regardless of the service that is being outsourced.

Financial companies must continue to be vigilant, ensuring the systems, processes and services they put in place protect their firms from fraud, enhance compliance but also allow it to progress business.  The FCA seems to have recognized these challenges with its financial crimes reporting and outsourcing guidelines, and put forth in realistic terms a way forward.

¹ Definitions are paraphrased from the Financial Conduct Authority’s Finalized Guidance of July 2016.

Robert Powell is IPC Systems’ Global Head of Compliance. Powell has worked in and around the financial markets for nearly 30 years.  Initially at banks and financial institutions, in the last decade he’s focused on the records retention space working at Bloomberg and Global Relay. His involvement with communication monitoring, surveillance and some of the highest profile cases in recent history, such as LIBOR and the foreign exchange markets investigations, has allowed him a unique insight into records retention, monitoring, surveillance and behavioral analysis. Powell is credited with being one of the few people to make financial markets compliance “interesting”.