Welcome to the Spring 2019 edition of our corporate crime update – our round up of developments in relation to corruption, money laundering, fraud, sanctions and related matters. Our update now covers a number of jurisdictions.
In this blog post, we round-up forthcoming developments in the UK and at EU and International levels in financial services regulation for July 2019.
Authors: Hannah Cassidy, Clive Cunningham, Natalie Curtis, Javier de Carlos, Katherine Dillon, Matthias Gippert, Leopoldo Gonzalez Echenique, Vincent Hatton, Patricia Horton, Pierre Le Ninivin, Kai Liebrich, Natasha Mir, Stuart Paterson, Fiona Smedley, Jenny Stainsby, Jennifer Xue
Many regulators view their ability to intervene as one of their key supervisory tools to reduce harm in cases where there is a risk of significant consumer detriment or threat to financial markets.
At the same time, many jurisdictions have put in place product governance regimes for financial services firms which aim to avoid, or at least mitigate from an early stage, any potential risks of failure to comply with investor protection rules. In particular, the design and distribution obligations under these product governance regimes aim to overcome the limitations of disclosure and ensure that firms which manufacture and distribute financial products take some responsibility and adopt a more targeted customer-centric approach.
The stages of development, level of detail, scope and coverage of regulators’ product intervention powers, and the product design and distribution obligations under product governance regimes, vary across jurisdictions.
Our guide (which can be found here) summarises the frameworks in selected jurisdictions, allowing a high-level comparison of the different regimes and offering a glimpse of the direction of travel.
Authors: Susannah Cogman, Daniel Hudson and Hannah Lau
On 17 May, the EU adopted legislation which will enable it to impose sanctions against persons and entities who engage in cyber-attacks against the EU and its member states. The sanctions will be designed “to deter and respond to cyber-attacks with a significant effect which constitute an external threat to the EU and its Member States”. The new regime underlines a clear commitment by the EU to continue to strengthen its capability to address its “[concern] at the rise of malicious behaviour in cyberspace”.
In recent years, the EU has taken a series of actions to tackle cyber threats. On 19 June 2017, the EU developed a framework for a joint response to malicious cyber threats (known as the “Cyber Diplomacy Toolbox”), and subsequent implementing guidelines envisaged sanctions as one of the tools available. The timing of the announcement of the new regime is also notable given its proximity to the EU Parliament elections which started on 23 May.
Reported concerns amongst officials from the EU and certain member states in the past have related to hacking incidents or threats linked to China, Russia and North Korea. However, the legislation explicitly states that the imposition of sanctions against a person or entity does not amount to attribution of responsibility to a third state, which is a political decision.
The sanctions will target persons involved in cyber-attacks with a significant effect which constitute an external threat to the EU and/or its member states. It also covers attempted attacks with a potentially significant effect.
Cyber-attacks constituting an external threat include those which:
- originate, or are carried out, from outside the EU;
- use infrastructure outside the EU;
- are carried out by any person or entity established or operating outside the EU; or
- are carried out with the support, at the direction of or under the control of any person or entity operating outside the EU.
“Threat to member states or the EU”
Attacks which are a threat to member states are envisaged to be cyber-attacks targeting: (a) critical infrastructure; (b) social and economic services (such as in the energy, health and financial markets sector); (c) critical state functions (such as areas of defence and public elections); and (d) classified information.
Threats to the EU include cyber-attacks carried out against its various institutions and its common security and defence policy (“CFSP”). The legislation also reserves the right to apply sanctions in relation to cyber-attacks against third States and international organisations where deemed necessary to achieve CFSP objectives, giving it a potentially broad scope.
Whether an attack has a “significant effect” will depend on a range of factors including the scale of disruption, the number of persons or entities concerned, the loss caused, and the nature of the data stolen.
Who can be penalised
There is a broad scope for those who could be listed. The sanctions could target individuals or entities who:
- carry out (attempted) cyber-attacks;
- provide financial, technical or material support for such attacks including facilitating such attacks by action or omission; or
- are associated with those in (a) or (b) above.
The type of sanctions imposed
The sanctions available will include a ban on any listed persons from travelling to the EU and asset freezes. EU persons and entities will also be forbidden from making funds or economic resources available directly or indirectly to those listed.
The new regime emphasises the continuing willingness of the EU to use sanctions to address concerns, noting the similarity of these sanctions to recent EU sanctions aimed at targeting the use of chemical weapons. While no one has yet been listed under this framework, there is a continuing need for companies to ensure that they have thorough, up-to-date and ongoing screening to identify any listed persons they might directly or indirectly deal with.
It is noted that the UK government has said that in the event of a “no deal” Brexit, it will look to carry over all EU sanctions through regulations made under the Sanctions and Anti-Money Laundering Act 2018, in order to ensure a smooth transition. These UK regulations will come into force on 11 June 2019.
In this blog post, we round-up forthcoming developments in the UK and at EU and International levels in financial services regulation for June 2019.
|By 30 Jun|
Welcome to the Winter 2019 edition of our corporate crime update – our round up of developments in relation to corruption, money laundering, fraud, sanctions and related matters. Our update now covers a number of jurisdictions.
For the full update on each jurisdiction, please click on the name of the jurisdiction below. Below we provide a brief overview of what is covered in each update.
Authors: Mark Ife and Paul Ellerman
After over two years of debate, agreement has finally been reached on the proposed directive amending the Capital Requirements Directive (which is generally being titled CRD5), and the European Council has published its final text.
As detailed in our previous briefing, however, the proposed new prudential regime for investment firms, will remove most investment firms from the scope of CRD5 and subject them to the specific remuneration rules in the new Investment Firms Directive (IFD) and Investment Firms Regulation (IFR). Consequently, the revised CRD5 is likely only to apply to banks and “bank-like” investment firms.
- New remuneration rules for banks and reclassified CRD investment firms
- The proportionality principle – bonus cap and deferral
- Changes to the de minimis principle
- Minimum deferral periods
- Share-linked instruments
- Application on a group level
- Gender neutral remuneration policies
- Impact of BREXIT on CRD5
- Next steps for CRD5
Authors: Mark Ife and Paul Ellerman
Agreement has now been reached between the European Parliament, the Commission and the Council on the final texts of two Directives which will impact on the remuneration provisions which apply to banks and investment firms. The first is the Investment Firms Directive (IFD), which will introduce a new prudential regime for investment firms. The second is the Directive which contains the fourth set of amendments to the Capital Requirements Directive (which is generally being titled CRD5). The European Parliament will consider both Directives in its plenary sessions between 15 and 19 April 2019.
This briefing sets out details of the remuneration provisions contained in the IFD and the related Investment Firms Regulation (IFR). A subsequent briefing will cover the revised provisions contained in CRD5.
- New remuneration rules for investment firms
- Ability to apply proportionality?
- Impact of BREXIT on the IFD/IFR
- Next steps for the IFD
The UK FCA and PRA propose to implement the TPR if the UK leaves the European Union on 29 March 2019 without an implementation (or transitional) period, to ensure that EEA firms currently operating under an incoming passport (either from a UK branch or on a cross-border services basis into the UK) can continue to carry out regulated activities in the UK until they receive new direct authorisation by the UK regulators. For more information, please see our HSF briefing – UK Temporary Permissions Regime placemat
On financial services, the final political declaration contains essentially the same three points as in last week’s outline political declaration (the implications of which were discussed in our blog post of 15 November, available here), although there is some limited further clarification. The three points on financial services are copied below with new substantive additions underlined: Continue reading