The UK’s risk-based approach to the “Politically Exposed Persons” regime – section 30 of the Bank of England and Financial Services Act 2016

The Bank of England and Financial Services Act 2016 (the "Act") paves the way for a more risk-based approach to the Politically Exposed Persons ("PEPs") regime in the UK, in response to what the House of Lords has identified as its disproportionate application in practice to medium-ranking and junior officials. Section 30 of the Act requires the Financial Conduct Authority ("FCA") to issue guidance on the definition of a PEP, which may require regulated entities to take a proportional, risk-based and differentiated approach to different categories of PEPs, and empowers the Secretary of State to regulate the FCA's handling of complaints about the way in which regulated firms have interpreted their obligations under the PEP regime. The move comes in the wake of the extension of the PEP regime under the Fourth EU Money Laundering Directive, which will see UK officials fall within the PEP definition. The FCA's PEP guidance is expected later this year.

In this briefing we examine the new provisions in more detail and explain that, whilst they have the potential to have a positive impact in terms of clarity around PEP obligations, equally they may leave firms exposed to action for over-, as well as under-complying with regulatory requirements.

Filed under Bank of England, FCA, Sanctions and Money Laundering, UK Regulations

HKMA’s Cybersecurity Fortification Initiative: what UK bankers need to know

The Hong Kong Monetary Authority (HKMA) has today issued a circular requiring Hong Kong-regulated institutions to implement the HKMA's "Cybersecurity Fortification Initiative" (the Initiative), which consists of three distinct pillars: (1) risk assessment, (2) training and (3) intelligence sharing.

The Initiative has an obvious, direct impact on institutions that are Hong Kong-regulated, as it is now a supervisory requirement for those banks to implement the Initiative. UK institutions that do not operate in Hong Kong will nevertheless wish to give careful consideration to the Initiative, which provides a valuable insight into the increasingly joined-up approach of financial regulators around the world to the issue of cybersecurity.

1. Risk assessment

The first "pillar" of the Initiative is to establish a Cyber Resilience Assessment Framework (the Assessment Framework).  Although still in consultation, HKMA has announced that the Assessment Framework will be a risk-based framework for banks to assess and benchmark their defences to and resilience against cyber-attacks.  The Assessment Framework will have three limbs:

  1. "Inherent risk assessment" will be a model of risk assessment looking at the organisational characteristics of different institutions to characterise them as "high", "medium" or "low" risk.  These inherent risk ratings will then be used to set a "required maturity level" of cyber resilience against which the institution's actual maturity can be benchmarked.
  2. "Maturity assessment" is a process to assess an institution's "actual maturity level" (which can then be compared to the institution's "required maturity level" to identify areas for improvement).
  3. "Intelligence-led Cyber Attack Simulation Testing" will involve a series of simulation test scenarios being run in addition to traditional penetration testing. These will replicate current real-life cyber-attacks and can be used to assess further vulnerabilities which might need to be addressed to achieve a higher "actual maturity level".

Methodologies such as the Assessment Framework are likely to be of interest to UK banks, which will need to take account of cyber-risk in modelling their capital requirements.

Moreover, UK banks should expect an increased emphasis by UK financial regulators on cyber resilience assessment given the Financial Policy Committee's recommendations in July 2015 that UK financial regulators should:

  • establish arrangements to make vulnerability testing "one component of regular cyber resilience assessment within the UK financial system"; and
  • "consider how evolving capabilities in both defensive resilience and recovery would be best established across the financial system…."

2. Training

The second "pillar" of the Initiative is called the "Professional Development Programme", which will be a training and certification programme, developed and delivered in conjunction with the Hong Kong Institute of Bankers and the Hong Kong Applied Science and Technology Research Institute, to increase the supply of qualified cybersecurity professionals in Hong Kong.

HKMA has already announced that it will work closely with CREST, a UK cybersecurity certification body, to benchmark the Professional Development Programme against the latest international standards.

Training cyber-security professionals in the UK was also a key emphasis of the UK Government's "National Cyber Security Plan", unveiled in November 2015, which will involve establishing an "Institute for Coding" and rolling out a new cyber skills programme (including mentoring for young people and new higher and degree level cyber apprenticeships).

3. Intelligence sharing

Finally, the Cyber Intelligence Sharing Platform will provide a platform for the banking sector to share intelligence on cyber-attacks (including detailed cyber-threat analysis report advisories and recommendations).

This mirrors the Cyber-security Information Sharing Partnership, which was established as part of CERT-UK as a joint industry-government initiative to share cyber threat and vulnerability information. A Europe-wide "Co-operation Network" will also be a key development when the European Union's Network and Information Security Directive ultimately comes into force.





Ben Worrall, Associate, +442074662385

Karen Anderson, Partner, +442074662404

Andrew Procter, Partner, +442074667560


Filed under Asia, Banking, Hong Kong, UK

MiFID II: Where do asset managers go from here?

The one-year delay to the implementation of MiFID II provided the industry with some welcome respite from the seemingly unrelenting waves of regulatory reform. European regulatory implementation timetables are always tight, but the original MiFID II timetable was proving to be unrealistic for both the regulators and the regulated. But time is quickly passing, and the recent publication of all three pieces of Level 2 delegated legislation served as a sharp reminder that the asset management industry, along with others, is reaching a critical time on the road to the new effective date of MiFID II.

Filed under Asset management, Europe, European Regulation, Funds

The future face of UK cyber security – the National Cyber Security Centre

The authoritative voice on UK cyber security

The UK government has recently confirmed that its National Cyber Security Centre ("NCSC") will begin operations in October 2016. This newest body to be established as part of the UK's continuing fight against cybercrime will be headquartered in London and is to be "the authoritative voice on information security in the UK".

Filed under UK, Uncategorized

David Cameron announces potential new corporate offences of “failure to prevent” economic crime

Writing in the Guardian ahead of the anti-corruption summit of world leaders on 12 May, David Cameron announced the government's intention to create new corporate offences as part of the fight against corruption, stating that "… in addition to prosecuting companies that fail to prevent bribery and tax evasion, we will consult on extending the criminal offence of 'failure to prevent' to other economic crimes such as fraud and money laundering so that firms are properly held to account for criminal activity that takes place within them".  As discussed below, this is a potentially extremely significant development, both from the perspective of the criminal exposure of corporate entities and from the perspective of the scale and coverage of the compliance programmes which they must implement.

Filed under Bribery and Corruption, Corporate Crime, Sanctions and Money Laundering

UK: A guide to the PRA’s proposals on the Solvency II remuneration rules

The PRA has issued a draft Supervisory Statement, containing guidance on how Solvency II remuneration rules are to be applied (Draft Guidance).  The Draft Guidance is, in certain respects, materially more onerous than may have been expected.  In particular, it provides that firms must ensure that at least 40% of the variable remuneration of senior staff and other "risk takers" is deferred for at least 3 years, allowing all or part of the deferred element to be withheld.

Filed under European Guidance, Insurance, PRA, Remuneration

Corporate Crime Monthly Update May 2016

Welcome to the May 2016 edition of our corporate crime update – our round up of developments in relation to corruption, money laundering, fraud, sanctions and related matters. Our update now covers a number of jurisdictions. For the full update on each jurisdiction, please click on the name of the jurisdiction below. Below we provide a brief overview of what is covered in each update.

Filed under Bribery and Corruption, Corporate Crime, Investigations

Judicial Interpretation provides guidance on China’s bribery offences


The Supreme People’s Court and the Supreme People’s Procuratorate in China recently issued a binding judicial interpretation on China’s Criminal Law bribery offences (Interpretation).

Filed under Asia, Bribery and Corruption

Market abuse update – April 2016

This will be our last quarterly Market Abuse update before 3 July 2016, the date when both the new Market Abuse Regulation and the Criminal Sanctions (Market Abuse) Directive come into application across Europe. Some significant pieces of the regulatory jigsaw have yet to be slotted into place, so we have set out the current state of play in a little more detail. Both pieces of legislation have significant extra-territorial implications: in this briefing we highlight some quirks in the potential application of the criminal regime.

The advent of new regulation has not led to any significant let-up of regulators' enforcement efforts, and this briefing also reviews some recent cases in the UK, the US and Australia. 

Our full e-bulletin is available here

Filed under Americas, Asset management, Australia, Banking, Estonia, EU, Europe, European Regulation, France, Germany, Insurance, Investment banking, Investment Funds, Italy, Liechtenstein, Spain, Ukraine, Uncategorized, US

The SFC’s asset management strategy for Hong Kong

In a speech last Friday to the Hong Kong Investment Funds Association, Ashley Alder, CEO of the Hong Kong Securities and Futures Commission (SFC), described the SFC's ambitious asset management strategy.

The SFC's strategy for Hong Kong, which aims to enable Hong Kong to become a global, full-service asset management center, includes:

Continue reading

Filed under Asia, Asset management, Hong Kong, Investment Funds